On Monday 02 August 2004 9:02 pm, Antony Stone wrote:

> On Monday 02 August 2004 8:50 pm, Eric Ellis wrote:
> > Antony Stone wrote:
> > > My recommendation is to put a LOG rule at the end of each chain, just
> > > before the default DROP policy takes effect, and you'll see what
> > > packets are getting that far and then being lost.
> >
> > Now here's something interesting that I discovered when you mentioned
> > it...
> >
> > It appears that all of my HTTP packets are making it through the chains
> > without being picked up by my redirect rule. The same appears to be
> > happening with mail. I put the LOG at the end of the 3 filter tables,
> > In, Out, and FWD, so assuming that it's line by line filtering (eg, runs
> > until a rule catches it), my packet is making it through the chains
> > without being caught. Any suggestions on what could cause that?
>
> Yes. You have no FORWARD rule allowing packets to TCP port 80 (well, you
> do, but it's commented out...).

Sorry, scrub that - you're right about the REDIRECT rule.

However, I don't see an INPUT rule allowing packets in to Squid on port 8080.

You also seem to have two OUTPUT rules allowing TCP packets to port 80 - why?

How about showing us the output of "iptables -L -nvx; iptables -L -t nat -nvx" so we can see the rules in the right order?

Regards,

Antony.

-- 
Success is a lousy teacher. It seduces smart people into thinking they can't lose.
- William H Gates III

Please reply to the list; please don't CC me.
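The two points raised in this thread (the REDIRECT to Squid needs a matching INPUT rule for port 8080, and a LOG rule belongs at the end of each chain just before the DROP policy takes effect) are easiest to see in one ordered ruleset. The script below is an added example, not Eric's or Antony's rules; it assumes a LAN interface named eth0, Squid listening on 8080 on the firewall itself, and a DRY_RUN variable plus the helper names fw, load_rules and inspect_rules, all of which are this example's own choices.

```sh
#!/bin/sh
# Added example: transparent-proxy ruleset for Squid, with the INPUT rule
# the thread found missing and a LOG rule as the last entry of each chain.
# Assumptions (not from the thread): LAN interface eth0, Squid on 8080,
# DRY_RUN=1 prints the iptables commands instead of executing them.

LAN_IF="${LAN_IF:-eth0}"          # assumed LAN interface name
SQUID_PORT="${SQUID_PORT:-8080}"  # port Squid listens on

# Run an iptables command, or print it when DRY_RUN is set.
fw() {
    if [ -n "$DRY_RUN" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

load_rules() {
    # Default policies: anything not explicitly accepted is dropped.
    fw -P INPUT DROP
    fw -P FORWARD DROP
    fw -P OUTPUT ACCEPT

    fw -F
    fw -t nat -F

    # Transparent proxy: LAN clients' port-80 traffic is redirected to Squid.
    # REDIRECT rewrites the destination to this host, so the packet then
    # traverses INPUT, not FORWARD, which is why a FORWARD rule does not help.
    fw -t nat -A PREROUTING -i "$LAN_IF" -p tcp --dport 80 \
        -j REDIRECT --to-ports "$SQUID_PORT"

    # The rule the thread found missing: let redirected packets reach Squid.
    fw -A INPUT -i "$LAN_IF" -p tcp --dport "$SQUID_PORT" -j ACCEPT
    fw -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    fw -A INPUT -i lo -j ACCEPT

    fw -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Last rule of each chain: log whatever is about to hit the DROP policy.
    # Rules are matched top to bottom, so anything logged here was not
    # accepted by any rule above.
    fw -A INPUT -j LOG --log-prefix "INPUT-DROP:"
    fw -A FORWARD -j LOG --log-prefix "FORWARD-DROP:"
}

# Emit the rules without touching the kernel, for review of the ordering.
inspect_rules() {
    ( DRY_RUN=1; load_rules )
}

case "${1:-}" in
    apply) load_rules ;;      # needs root
    show)  inspect_rules ;;   # safe anywhere
esac
```

Run `sh fw.sh show` to review the generated order before `sudo sh fw.sh apply`; the ACCEPT for port 8080 must appear above the INPUT LOG rule, otherwise every redirected HTTP packet is logged and then dropped, exactly the symptom described in the thread.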