Hi Pascal,
On 2015-06-23 23:33, Pascal Hambourg wrote:
> Christian Ruppert wrote:
>> I noticed that neither *NAT nor redirects will work when using the
>> SYNPROXY module with e.g. those settings:
>> net.netfilter.nf_conntrack_tcp_loose=0
>> sysctl -w net.ipv4.tcp_syncookies=1
>> sysctl -w net.netfilter.nf_conntrack_tcp_loose=0
>> sysctl -w net.ipv4.tcp_timestamps=1
>> iptables -t raw -I PREROUTING -p tcp -m tcp --syn -j CT --notrack
> This rule disables connection tracking which is required for stateful
> NAT operation.
Thanks! From what I've seen/read, this rule is required or am I wrong?
It needs to do the complete handshake and upon success it will
pass/forward the connection or act somehow like a real proxy.
>> iptables -I INPUT -p tcp -m tcp -m conntrack --ctstate INVALID,UNTRACKED -j SYNPROXY --sack-perm --timestamp --wscale 7 --mss 1460
>> iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
--
Regards,
Christian Ruppert
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
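The point Pascal raises, that a raw-table `CT --notrack` rule on SYN packets removes the conntrack state stateful NAT depends on, can be checked mechanically against an `iptables-save` dump before a ruleset is loaded. The script below is an added example and is not code from either participant or from the netfilter project; the two rulesets it inspects are constructed here to mirror the rules quoted in the thread, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): flag an iptables-save ruleset that
# combines a raw-table "CT --notrack" rule for SYN packets with nat-table
# rules, the combination the thread identifies as breaking NAT/REDIRECT.

# Print the raw PREROUTING rules that bypass conntrack for SYN packets.
raw_notrack_syn_rules() {
    printf '%s\n' "$1" | awk '
        /^\*/ { table = substr($0, 2) }               # "*raw", "*nat", "*filter"
        table == "raw" && /PREROUTING/ && /--syn/ && /-j CT/ && /--notrack/ { print }'
}

# Print the nat-table rules that need connection tracking to work.
nat_rules() {
    printf '%s\n' "$1" | awk '
        /^\*/ { table = substr($0, 2) }
        table == "nat" && /-j (SNAT|DNAT|MASQUERADE|REDIRECT)/ { print }'
}

# Return 0 when both kinds of rule are present (conflict), 1 otherwise.
synproxy_nat_conflict() {
    notrack=$(raw_notrack_syn_rules "$1" | wc -l)
    nat=$(nat_rules "$1" | wc -l)
    if [ "$notrack" -gt 0 ] && [ "$nat" -gt 0 ]; then
        return 0
    fi
    return 1
}

# Constructed ruleset: the SYNPROXY recipe from the thread plus a REDIRECT.
RULES_WITH_NOTRACK='*raw
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --syn -j CT --notrack
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
COMMIT
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp -m conntrack --ctstate INVALID,UNTRACKED -j SYNPROXY --sack-perm --timestamp --wscale 7 --mss 1460
-A INPUT -m conntrack --ctstate INVALID -j DROP
COMMIT'

# Constructed ruleset: same REDIRECT, but no conntrack bypass in the raw table.
RULES_WITHOUT_NOTRACK='*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
COMMIT
*filter
:INPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate INVALID -j DROP
COMMIT'

# Usage: report the conflicting rules so they can be reviewed before loading.
audit() {
    if synproxy_nat_conflict "$1"; then
        echo "CONFLICT: raw-table notrack rule present alongside NAT rules:"
        raw_notrack_syn_rules "$1" | sed 's/^/  raw: /'
        nat_rules "$1" | sed 's/^/  nat: /'
    else
        echo "OK: no conntrack bypass for SYN packets alongside NAT rules"
    fi
}

audit "$RULES_WITH_NOTRACK"
audit "$RULES_WITHOUT_NOTRACK"
```

In practice the dump comes from `iptables-save` on the host being reviewed; the check is deliberately narrow and only reports the exact pairing discussed in the thread, so a clean result does not by itself mean SYNPROXY and NAT will interoperate.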