On vanilla Fedora 3, can't do a transparent proxy (-j REDIRECT)

Linux Netfilter discussions
 help / color / mirror / Atom feed

From: "John G. Norman" <john.g.norman@gmail.com>
To: netfilter@lists.netfilter.org
Subject: On vanilla Fedora 3, can't do a transparent proxy (-j REDIRECT)
Date: Mon, 2 May 2005 14:42:55 -0400	[thread overview]
Message-ID: <df31c4040505021142197fdcdc@mail.gmail.com> (raw)

Hi. I've been reading through the FAQ and some of the recent list
history, and haven't found much guidance on the problem below.

I am trying to do a transparent proxy from port 80 to port 8080. I've
had no problem doing this on a recent release of SuSE (iptables
1.2.9), but something's not working on Fedora 3.

The version of iptables on this release of Fedora is 1.2.11

/proc/sys/net/ipv4/ip_forward shows: 1

(any other settings in /proc/sys/net/ipv4 that could affect this?)

I've tried it two ways, which I think should be equivalent (the
system's IP is 192.168.10.101):

/sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j
REDIRECT --to-port 8080

/sbin/iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to 192.16
8.10.101:8080

Port 8080 is definitely open, and I can browse to that port with no
problems. For 80, I get connection refused.

My filter table is wide open; nothing in mangle, and I show below
what's in nat to show that the setting is at least there. Also below I
show the nat table when I use -j REDIRECT.

Any ideas? I'm completely stumped. 

John

[root@preview preview]# /sbin/iptables -nvL
Chain INPUT (policy ACCEPT 944 packets, 351K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 653 packets, 143K bytes)
 pkts bytes target     prot opt in     out     source               destination

[root@preview preview]#

[root@preview preview]# /sbin/iptables -t mangle -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
[root@preview preview]# /sbin/iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       tcp  --  anywhere             anywhere            tcp dpt:http to:192
.168.10.101:8080

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

====================================================

And here's the nat table when I use -j REDIRECT (looks good . . .):

[root@preview preview]# !352
/sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-p
ort 8080
[root@preview preview]# /sbin/iptables -t nat -LUT
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
REDIRECT   tcp  --  anywhere             anywhere            tcp dpt:http redir
ports 8080

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[root@preview preview]#

next             reply	other threads:[~2005-05-02 18:42 UTC|newest]

Thread overview: 12+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2005-05-02 18:42 John G. Norman [this message]
2005-05-02 18:51 ` On vanilla Fedora 3, can't do a transparent proxy (-j REDIRECT) Jason Opperisano
2005-05-02 19:04   ` John G. Norman
2005-05-02 20:57     ` Jason Opperisano
2005-05-02 19:42 ` Taylor, Grant
2005-05-02 20:55   ` John G. Norman
2005-05-02 21:01     ` Jason Opperisano
2005-05-02 21:12       ` Ramoni
2005-05-02 21:18         ` John G. Norman
2005-05-02 21:55           ` Taylor, Grant
2005-05-03  2:27           ` iptables ip forwarding elg3ne
2005-05-02 21:15       ` On vanilla Fedora 3, can't do a transparent proxy (-j REDIRECT) John G. Norman

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=df31c4040505021142197fdcdc@mail.gmail.com \
    --to=john.g.norman@gmail.com \
    --cc=john@7fff.com \
    --cc=netfilter@lists.netfilter.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox