[Bug 453] New: REDIRECT broken in 2.6.16-rcX kernels
bugzilla-daemon at bugzilla.netfilter.org
Thu Feb 23 10:36:28 CET 2006
https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=453
Summary: REDIRECT broken in 2.6.16-rcX kernels
Product: netfilter/iptables
Version: linux-2.6.x
Platform: i386
OS/Version: Debian GNU/Linux
Status: NEW
Severity: normal
Priority: P2
Component: NAT
AssignedTo: laforge at netfilter.org
ReportedBy: stephen_purcell at yahoo.com
I use REDIRECT on a desktop machine to re-route outbound HTTP traffic to a
Squid running on the same machine at port 3128. I use the following iptables
rules to accomplish this:
iptables -t nat -F
iptables -t nat -A OUTPUT -p tcp -m tcp --dport 80 -m owner --gid-owner proxy -j ACCEPT
iptables -t nat -A OUTPUT -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
This has worked fine for many kernel versions, but does not work since the
x_tables merge in 2.6.16-rc1. The user-visible effect is that browsers report
a "could not connect" error.
I'm not an expert at analysing this kind of problem, but while the browser's
request is pending, I get the following output from "netstat -tp":
tcp 0 1 192.168.0.4:35013 66.249.93.104:www SYN_SENT 17080/konquerorni5O
I was surprised to see that the browser had directly contacted the remote
site.
This feels like a bug to me, but it could also be that I'm doing something
wrong/stupid. I tried replacing the REDIRECT with a DNAT to 127.0.0.1:3128,
and got the same netstat output.
In neither case is anything printed by tcpdump, apart from the initial DNS
lookup, of course. Please let me know if I can provide further information.
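A check worth running alongside the netstat observation above, added here as an example and not part of the bug report: read the per-rule packet counters of the nat OUTPUT chain and see whether the REDIRECT rule is matching at all. A REDIRECT rule whose counter stays at zero while the browser's SYN goes straight to the remote host points at the rule (or chain traversal) never being hit, rather than at the Squid side. The listing embedded below is constructed for the example, not captured from the reporter's machine; the function names are this example's own.

```shell
#!/bin/sh
# Added example: does the nat OUTPUT REDIRECT rule from the report ever match?
# It parses the counter columns of `iptables -t nat -L OUTPUT -v -n -x`
# (pkts bytes target prot opt in out source destination ...).

# Print the packet counter of the first REDIRECT rule redirecting to port 3128,
# reading an `iptables -v -n -x` listing on stdin. Prints nothing if no such rule.
redirect_pkts() {
    awk '$3 == "REDIRECT" && /redir ports 3128/ { print $1; exit }'
}

# Return 0 if that REDIRECT rule has matched at least one packet, 1 otherwise.
# Argument: the listing text.
redirect_hit() {
    n=$(printf '%s\n' "$1" | redirect_pkts)
    [ -n "$n" ] && [ "$n" -gt 0 ]
}

# Constructed sample listings (assumed layout of iptables -t nat -L OUTPUT -v -n -x;
# gid 13 stands in for the Debian "proxy" group).
SAMPLE_MISS='Chain OUTPUT (policy ACCEPT 1234 packets, 98765 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       7        420 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 owner GID match 13
       0          0 REDIRECT   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 redir ports 3128'

SAMPLE_HIT='Chain OUTPUT (policy ACCEPT 1234 packets, 98765 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       7        420 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 owner GID match 13
      42       2520 REDIRECT   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 redir ports 3128'

# Stand-alone run: use the live listing when root and iptables are available,
# otherwise fall back to the constructed sample.
LISTING=$SAMPLE_MISS
if [ "$(id -u)" = 0 ] && command -v iptables >/dev/null 2>&1; then
    LISTING=$(iptables -t nat -L OUTPUT -v -n -x 2>/dev/null) || LISTING=$SAMPLE_MISS
fi

if redirect_hit "$LISTING"; then
    echo "REDIRECT rule has matched $(printf '%s\n' "$LISTING" | redirect_pkts) packet(s)"
else
    echo "REDIRECT rule has matched no packets: check rule order, the owner match, and whether nat OUTPUT is traversed"
fi
```

Run it once before the browser request and once while the request is pending; if the counter does not move between the two runs, the REDIRECT rule is not being applied to that connection (the behaviour described in the report).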