a problem with nat table setting

Hi,

I am having a problem with the nat table configuration.  I am using the
2.6.8.1 kernel in a router and have also added an http filter proxy which
uses port 8080.

Internet ------------ ROUTER (http filter proxy) --------- linux PC
                      lan ip: 192.168.1.1                  192.168.1.2

I have found that if an established connection exists between the
linux PC and the webserver (which can be checked using netstat) before I
start the proxy and add the iptables nat rules, the outgoing http
packets will not be passed to the proxy; they seem to go out directly.
If I leave it untouched (no http activity), after some time that
connection is gone and the outgoing http packets are passed to the
proxy again.

Does anyone know how to solve this problem?

Thanks.

Yong

Here is the iptables configuration:
1. Only the REDIRECT rule in nat PREROUTING is for the proxy.
2. ppp0 is the wan interface, br0 is the lan interface.  The PC is attached to br0.

# iptables -L -v
Chain INPUT (policy ACCEPT 3574 packets, 11M bytes)
 pkts bytes target     prot opt in     out     source               destination
   22  7554 ACCEPT     all  --  ppp0   any     anywhere             anywhere            state RELATED,ESTABLISHED
    0     0 ACCEPT     udp  --  ppp0   any     anywhere             anywhere            udp dpt:500
    0     0 ACCEPT     esp  --  ppp0   any     anywhere             anywhere
    0     0 ACCEPT    !esp  --  ppp0   any     anywhere             anywhere            MARK match 0x10000000/0x10000000
    0     0 LOG        tcp  --  ppp0   any     anywhere             anywhere            tcp flags:SYN,RST,ACK/SYN limit: avg 6/hour burst 5 LOG level alert prefix `Intrusion -> '
    0     0 DROP       all  --  ppp0   any     anywhere             anywhere

Chain FORWARD (policy ACCEPT 43 packets, 13943 bytes)
 pkts bytes target     prot opt in     out     source               destination
   37 15118 ACCEPT     all  --  ppp0   any     anywhere             anywhere            state RELATED,ESTABLISHED
    0     0 ACCEPT    !esp  --  ppp0   any     anywhere             anywhere            MARK match 0x10000000/0x10000000
    0     0 LOG        tcp  --  ppp0   any     anywhere             anywhere            tcp flags:SYN,RST,ACK/SYN limit: avg 6/hour burst 5 LOG level alert prefix `Intrusion -> '
    0     0 DROP       all  --  ppp0   any     anywhere             anywhere

Chain OUTPUT (policy ACCEPT 3456 packets, 11M bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  any    ppp0    anywhere             239.255.255.250


# iptables -t nat -L -v
Chain PREROUTING (policy ACCEPT 84 packets, 5865 bytes)
 pkts bytes target     prot opt in     out     source               destination
    2   120 REDIRECT   tcp  --  br0    any     anywhere            !192.168.1.1         tcp dpt:www redir ports 8080
    2   118 DNAT       udp  --  br0    any     anywhere             192.168.1.1         udp dpt:domain to:10.250.1.10

Chain POSTROUTING (policy ACCEPT 28 packets, 1822 bytes)
 pkts bytes target     prot opt in     out     source               destination
    3   178 MASQUERADE  all  --  any    ppp0    192.168.1.0/24       anywhere

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
#
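The behaviour described in the post follows from how netfilter NAT works: the nat table is consulted only for the first packet of a connection, the resulting address mapping is stored in that connection's conntrack entry, and every later packet of the flow reuses the stored mapping. A TCP connection to port 80 that was set up before the REDIRECT rule existed therefore keeps its original, non-redirected mapping until the entry times out, which is exactly the window Yong observes. The script below is an added example and is not part of the original post or of any netfilter tool: it parses a conntrack table dump in the /proc/net/ip_conntrack style, lists LAN-to-port-80 flows whose reply tuple is not sourced from the proxy at 192.168.1.1:8080, and prints the `conntrack -D` commands (conntrack-tools, which need the conntrack netlink interface of later 2.6 kernels) that would remove them so the next packet creates a fresh, redirected entry. The sample dump, the WAN address 203.0.113.5 and the remote servers 198.51.100.x are constructed for the example; the addresses 192.168.1.1, 192.168.1.2, 10.250.1.10 and port 8080 are taken from the post.

```python
"""List established HTTP flows whose NAT decision predates the REDIRECT rule.

Added example, not code from the original post. The conntrack dump below is
constructed in /proc/net/ip_conntrack style; the WAN address 203.0.113.5 and
the 198.51.100.x servers are assumptions for the example.
"""
import ipaddress
import re

LAN_NET = ipaddress.ip_network("192.168.1.0/24")  # br0 subnet from the post
LAN_GW = "192.168.1.1"                             # router's br0 address
PROXY_PORT = 8080                                  # REDIRECT --to-ports 8080
HTTP_PORT = 80

# Constructed entries: proto, proto number, timeout, [tcp state],
# original tuple, reply tuple, flags.  Line 1 is a flow that went out
# directly via MASQUERADE before the REDIRECT rule was added; line 2 is a
# flow that was redirected to the proxy; the rest must not be touched.
SAMPLE_CONNTRACK = """\
tcp      6 431999 ESTABLISHED src=192.168.1.2 dst=198.51.100.20 sport=33012 dport=80 src=198.51.100.20 dst=203.0.113.5 sport=80 dport=33012 [ASSURED] use=1
tcp      6 431999 ESTABLISHED src=192.168.1.2 dst=198.51.100.21 sport=33013 dport=80 src=192.168.1.1 dst=192.168.1.2 sport=8080 dport=33013 [ASSURED] use=1
tcp      6 119 TIME_WAIT src=192.168.1.2 dst=198.51.100.22 sport=33014 dport=443 src=198.51.100.22 dst=203.0.113.5 sport=443 dport=33014 [ASSURED] use=1
tcp      6 300 ESTABLISHED src=192.168.1.2 dst=192.168.1.1 sport=33015 dport=80 src=192.168.1.1 dst=192.168.1.2 sport=80 dport=33015 [ASSURED] use=1
tcp      6 300 ESTABLISHED src=203.0.113.5 dst=198.51.100.30 sport=40000 dport=80 src=198.51.100.30 dst=203.0.113.5 sport=80 dport=40000 [ASSURED] use=1
udp      17 29 src=192.168.1.2 dst=192.168.1.1 sport=5353 dport=53 src=10.250.1.10 dst=192.168.1.2 sport=53 dport=5353 use=1
"""

TUPLE_RE = re.compile(r"(src|dst|sport|dport)=(\S+)")


def parse_conntrack(text):
    """Yield one dict per entry with the original and reply tuples split out."""
    for line in text.splitlines():
        if not line.strip():
            continue
        proto = line.split()[0]
        fields = TUPLE_RE.findall(line)
        if len(fields) != 8:          # malformed line: skip rather than guess
            continue
        orig = dict(fields[:4])       # first src/dst/sport/dport: original direction
        reply = dict(fields[4:])      # second set: reply direction, i.e. post-NAT
        yield {
            "proto": proto,
            "src": orig["src"], "dst": orig["dst"],
            "sport": int(orig["sport"]), "dport": int(orig["dport"]),
            "reply_src": reply["src"], "reply_sport": int(reply["sport"]),
        }


def flows_bypassing_proxy(text, lan_net=LAN_NET, gw=LAN_GW,
                          proxy_port=PROXY_PORT, http_port=HTTP_PORT):
    """Return LAN -> port 80 TCP flows whose reply tuple is not the proxy.

    A redirected flow answers from gw:proxy_port; any other reply source
    means the NAT decision for that flow was taken before the rule existed.
    Flows to the router itself are excluded because the REDIRECT rule's
    '! -d 192.168.1.1' would not redirect them anyway.
    """
    out = []
    for f in parse_conntrack(text):
        if f["proto"] != "tcp" or f["dport"] != http_port:
            continue
        if ipaddress.ip_address(f["src"]) not in lan_net or f["dst"] == gw:
            continue
        if f["reply_src"] == gw and f["reply_sport"] == proxy_port:
            continue                  # already going through the proxy
        out.append(f)
    return out


def conntrack_delete_commands(flows):
    """Build conntrack-tools 'conntrack -D' invocations for the given flows."""
    return ["conntrack -D -p tcp -s {src} --sport {sport} -d {dst} --dport {dport}"
            .format(**f) for f in flows]


if __name__ == "__main__":
    for cmd in conntrack_delete_commands(flows_bypassing_proxy(SAMPLE_CONNTRACK)):
        print(cmd)
```

Run against a real table (`cat /proc/net/ip_conntrack` on kernels of that era, `conntrack -L` on current ones) the script only reports; deleting the entries closes those connections from the router's point of view, so the client's browser will see a reset or hang and reconnect, at which point the new SYN hits the REDIRECT rule.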


