Re: Transparent caching problem

"Kamel A. Baba" <kamelbaba@xxxxxxxxxxxxx> · Wed, 15 Mar 2006 14:03:55 -0800 (PST)

> Then most likely your NAT rules are not correct.
> 
> Or you have rp_filter or similar enabled causing the
> packets to be
> immediately discarded.
> 
> Or other firewalling rules discarding the traffic.
> 
>   iptables-save -c

[root@dns2 ~]# iptables-save -c
# Generated by iptables-save v1.2.11 on Wed Mar 15
23:58:37 2006
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1856:620393]
:RH-Firewall-1-INPUT - [0:0]
[1785:549953] -A INPUT -j RH-Firewall-1-INPUT
[0:0] -A FORWARD -j RH-Firewall-1-INPUT
[2:370] -A RH-Firewall-1-INPUT -i lo -j ACCEPT
[1783:549583] -A RH-Firewall-1-INPUT -i eth0 -j ACCEPT
[0:0] -A RH-Firewall-1-INPUT -i eth1 -j ACCEPT
[0:0] -A RH-Firewall-1-INPUT -p icmp -m icmp
--icmp-type any -j ACCEPT
[0:0] -A RH-Firewall-1-INPUT -p ipv6-crypt -j ACCEPT
[0:0] -A RH-Firewall-1-INPUT -p ipv6-auth -j ACCEPT
[0:0] -A RH-Firewall-1-INPUT -d 224.0.0.251 -p udp -m
udp --dport 5353 -j ACCEPT
[0:0] -A RH-Firewall-1-INPUT -p udp -m udp --dport 631
-j ACCEPT
[0:0] -A RH-Firewall-1-INPUT -m state --state
RELATED,ESTABLISHED -j ACCEPT
[0:0] -A RH-Firewall-1-INPUT -p tcp -m state --state
NEW -m tcp --dport 80 -j ACCEPT
[0:0] -A RH-Firewall-1-INPUT -p tcp -m state --state
NEW -m tcp --dport 443 -j ACCEPT
[0:0] -A RH-Firewall-1-INPUT -p tcp -m state --state
NEW -m tcp --dport 21 -j ACCEPT
[0:0] -A RH-Firewall-1-INPUT -p tcp -m state --state
NEW -m tcp --dport 22 -j ACCEPT
[0:0] -A RH-Firewall-1-INPUT -p tcp -m state --state
NEW -m tcp --dport 23 -j ACCEPT
[0:0] -A RH-Firewall-1-INPUT -j ACCEPT
[0:0] -A RH-Firewall-1-INPUT -j REJECT --reject-with
icmp-host-prohibited
COMMIT
# Completed on Wed Mar 15 23:58:37 2006
# Generated by iptables-save v1.2.11 on Wed Mar 15
23:58:37 2006
*mangle
:PREROUTING ACCEPT [1819:551585]
:INPUT ACCEPT [1785:549953]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1856:620393]
:POSTROUTING ACCEPT [1856:620393]
COMMIT
# Completed on Wed Mar 15 23:58:37 2006
# Generated by iptables-save v1.2.11 on Wed Mar 15
23:58:37 2006
*nat
:PREROUTING ACCEPT [45:5333]
:POSTROUTING ACCEPT [114:7323]
:OUTPUT ACCEPT [114:7323]
[34:1632] -A PREROUTING -i gre0 -p tcp -m tcp --dport
80 -j DNAT --to-destination 127.0.0.1:8080
COMMIT
# Completed on Wed Mar 15 23:58:37 2006

>   grep . /proc/sys/net/ipv4/conf/*/rp_filter

[root@dns2 ~]# grep .
/proc/sys/net/ipv4/conf/*/rp_filter
/proc/sys/net/ipv4/conf/all/rp_filter:0
/proc/sys/net/ipv4/conf/default/rp_filter:0
/proc/sys/net/ipv4/conf/eth0/rp_filter:0
/proc/sys/net/ipv4/conf/gre0/rp_filter:0
/proc/sys/net/ipv4/conf/lo/rp_filter:0

> Regards
> Henrik
> 

Thanks for helping,
Kamel