Well, if Apache sees the traffic on port 8081 then your redirect is working as it should. Netfilter does nothing with the contents of the packets, just with the addresses and ports. Your problem is then with Apache. A browser never requests a / but always a URL; your apache makes something different of it.

-Sietse

-----Original Message-----
From: Nicolas Mailhot [mailto:nicolas.mailhot@xxxxxxxxxxx]
Sent: Monday, June 05, 2006 11:48 AM
To: Sietse van Zanen
Cc: netfilter@xxxxxxxxxxxxxxxxxxx
Subject: RE: Transparent proxy setup with apache on the nat gateway

On Monday 05 June 2006 at 10:40 +0200, Sietse van Zanen wrote:

Thank you for taking the time to look at my problem!

> I think the error is in your first two rules for the PREROUTING chain
> in the NAT table:
...
> All WEB traffic will only hit the first rule and never the second.

I have traces of many attempts in my rule file - I never used those two rules together so it's not the problem.

> I think you should try something like this.
> Have apache proxy listen on localhost (127.0.0.1) port 8081
> Iptables -t NAT -A PREROUTING -p tcp -i eth0(internal nic) -m
> multiport
> --dports http,https,squid,svn,http-alt,webcache -j REDIRECT --to
> 127.0.0.1:8081

If I use REDIRECT the --to is interpreted like --to-port and I see the LAN system hammer the gateway 127 port :(

If I use

-A PREROUTING -i eth1 -p tcp -m multiport --dports http,https,squid,svn,http-alt,webcache -j REDIRECT --to-port 8081

the requests are redirected to port 8081 of the LAN interface IP (192.168.1.1, I can live with that) but the result is abysmal: apache logs "GET / HTTP/1.1" requests instead of "GET http://www.slashdot.org/ HTTP/1.1" requests, so all sites are served as if the browser asked for the local root (empty) and the browser only receives blank pages.

Regards,

-- 
Nicolas Mailhot
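Added example, not code from either poster nor from Apache or netfilter: because REDIRECT rewrites only the destination address and port, a listener behind it receives the browser's origin-form request line ("GET / HTTP/1.1", exactly what the Apache log above shows) and has to rebuild the absolute URL from the client-supplied Host header. The helper below (hypothetical name `request_target`, constructed sample requests) does that, accepts the absolute-form line an explicitly configured proxy would send, validates Host before trusting it as an upstream target, and refuses the HTTP/1.0-without-Host case where the origin is simply not recoverable after the NAT rewrite.

```python
import re

# Host is client-controlled: only accept a plain hostname or IPv4 literal with an
# optional port before using it as an upstream target. (Simplification for the
# example: IPv6 bracket literals are rejected.)
_HOST_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?(?::\d{1,5})?$")


def request_target(raw: bytes, tls: bool = False):
    """Return (method, absolute_url) for a request arriving on an
    iptables-REDIRECTed socket, or None if the origin cannot be recovered."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    try:
        method, target, _version = lines[0].split(" ", 2)
    except ValueError:
        return None  # HTTP/0.9 or garbage request line
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()

    if target.startswith(("http://", "https://")):
        # absolute-form: the browser was configured for an explicit proxy,
        # the URL is already in the request line
        return method, target

    if target.startswith("/"):
        # origin-form: this is what a transparently intercepted browser sends,
        # so the site name lives only in the Host header
        host = headers.get("host")
        if not host or not _HOST_RE.match(host):
            # HTTP/1.0 clients may omit Host; netfilter has already rewritten
            # the destination, so nothing else identifies the origin server
            return None
        scheme = "https" if tls else "http"
        return method, f"{scheme}://{host}{target}"
    return None


if __name__ == "__main__":
    # constructed request as the Apache listener on port 8081 would see it
    sample = b"GET / HTTP/1.1\r\nHost: www.slashdot.org\r\nUser-Agent: x\r\n\r\n"
    print(request_target(sample))  # ('GET', 'http://www.slashdot.org/')
```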