[Bug 429] -j REDIRECT does not appear to work correctly
bugzilla-daemon at bugzilla.netfilter.org
bugzilla-daemon at bugzilla.netfilter.org
Tue Feb 21 03:52:58 CET 2006
https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=429
James.Schatzman at futurelabusa.com changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|RESOLVED |REOPENED
Resolution|WORKSFORME |
------- Additional Comments From James.Schatzman at futurelabusa.com 2006-02-21 03:52 MET -------
Sorry about the delay. All bugzilla e-mails were being classed as spam.
I have tested this on two different machines - Fedora 3 and Fedora 4 systems.
Same behavior. -j REDIRECT does not work as expected. -j DNAT does work as
expected. -j REDIRECT does work as expected when there is only one IP address
involved, or (I am 80% sure of this) when all IP addresses are given their own
individual rule, instead of using a mix of specific-IP and masked-IP addresses.
Are you sure that you have tried this on a machine with multiple IP addresses
and address masking in this way? Without multiple IPs, the problem probably
cannot be reproduced.
Here is my entire iptables config. As I indicated previously, this config works.
However, commenting the DNAT lines and uncommenting the correspodning REDIRECT
lines results in failure. There are no errors produced. IPTABLES simply fails to
cause the proper redirection (of port 80 to 9080 and 443 to 9443).
The redirects of port 80 to 8080 and 443 to 8443 do work, on all the machines
but <IP1>. -> That is correct behavior
The redirect of port 80 and 443 on <IP1> do not seem to work at all. They are
not redirected to either ports 8080/9080 or 8443/9443. Those ports appear to be
dead. The same behavior is observed for incoming connections (from a system
other than this one) and local connections (that is, originating from this server).
Here I have suppressed the actual IP addresses. IP1 represents one address from
the set <IP BASE>/255.255.255.240.
Thanks!
Jim
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 8080 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 2222 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 465 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 995 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 8443 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 9080 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 9443 -j ACCEPT
# -A RH-Firewall-1-INPUT -p all -m limit --limit 1/second -j LOG --log-level
info --log-prefix "FINAL -- REJECT" --log-tcp-sequence\
--log-tcp-options --log-ip-options
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
*nat
:PREROUTING ACCEPT
:POSTROUTING ACCEPT
:OUTPUT ACCEPT
-A PREROUTING -p tcp -d <IP1> -m tcp --dport 80 -j DNAT --to-destination <IP1>:9080
-A PREROUTING -p tcp -d <IP1> -m tcp --dport 443 -j DNAT --to-destination <IP1>:9443
#-A PREROUTING -p tcp -d <IP1> -m tcp --dport 80 -j DNAT --to-ports 9080
#-A PREROUTING -p tcp -d <IP1> -m tcp --dport 443 -j DNAT --to-ports 9443
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443
#-A OUTPUT -p tcp -d <IP1> -m tcp --dport 80 -j REDIRECT --to-ports 9080
#-A OUTPUT -p tcp -d <IP1> -m tcp --dport 443 -j REDIRECT --to-ports 9443
-A OUTPUT -p tcp -d <IP1> -m tcp --dport 80 -j DNAT --to-destination <IP1>:9080
-A OUTPUT -p tcp -d <IP1> -m tcp --dport 443 -j DNAT --to-destination <IP1>:9443
-A OUTPUT -p tcp -d <IP BASE>/255.255.255.240 -m tcp --dport 80 -j REDIRECT
--to-ports 8080
-A OUTPUT -p tcp -d <IP BASE>/255.255.255.240 -m tcp --dport 443 -j REDIRECT
--to-ports 8443
COMMIT
--
Configure bugmail: https://bugzilla.netfilter.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.
More information about the netfilter-buglog
mailing list