[Bug 453] New: REDIRECT broken in 2.6.16-rcX kernels

bugzilla-daemon at bugzilla.netfilter.org
Thu Feb 23 10:36:28 CET 2006


           Summary: REDIRECT broken in 2.6.16-rcX kernels
           Product: netfilter/iptables
           Version: linux-2.6.x
          Platform: i386
        OS/Version: Debian GNU/Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: NAT
        AssignedTo: laforge at netfilter.org
        ReportedBy: stephen_purcell at yahoo.com

I use REDIRECT on a desktop machine to re-route outbound HTTP traffic to a 
Squid running on the same machine at port 3128.  I use the following iptables 
rules to accomplish this:

iptables -t nat -F
iptables -t nat -A OUTPUT -p tcp -m tcp --dport 80 -m owner --gid-owner proxy 
iptables -t nat -A OUTPUT -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128

This has worked fine for many kernel versions, but does not work since the 
x_tables merge in 2.6.16-rc1.  The user-visible effect is that browsers report 
a "could not connect" error.

I'm not an expert at analysing this kind of problem, but while the browser's 
request is pending, I get the following output from "netstat -tp":

tcp        0      1       SYN_SENT   

I was surprised to see that the browser had directly contacted the remote 

This feels like a bug to me, but it could also be that I'm doing something 
wrong/stupid.  I tried replacing the REDIRECT with a DNAT to, 
and got the same netstat output.

In neither case is anything printed by tcpdump, apart from the initial DNS 
lookup, of course.  Please let me know if I can provide further information.
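The Squid on the receiving end of this REDIRECT rule has to ask the kernel for the connection's real destination (the SO_ORIGINAL_DST socket option), and a bare listener doing the same thing gives a quick check of whether the nat OUTPUT rewrite is taking effect at all. The following is an added example, not code from the report or from Squid; it assumes the listener runs on the report's port 3128 on the same host and uses the SO_ORIGINAL_DST value from linux/netfilter_ipv4.h.

```python
import socket
import struct

SO_ORIGINAL_DST = 80  # from linux/netfilter_ipv4.h; not exported by Python's socket module
LISTEN_PORT = 3128    # the --to-ports value in the report's REDIRECT rule

def pack_sockaddr_in(ip, port):
    """Build the 16-byte struct sockaddr_in that SO_ORIGINAL_DST returns (sample input here)."""
    return (struct.pack("=H", socket.AF_INET)  # sin_family, host byte order
            + struct.pack("!H", port)          # sin_port, network byte order
            + socket.inet_aton(ip)             # sin_addr
            + b"\x00" * 8)                     # sin_zero padding

def parse_original_dst(raw):
    """Decode sockaddr_in bytes into (ip, port); reject anything but AF_INET."""
    if len(raw) < 8:
        raise ValueError("sockaddr_in too short: %d bytes" % len(raw))
    (family,) = struct.unpack("=H", raw[0:2])
    if family != socket.AF_INET:
        raise ValueError("unexpected address family %d" % family)
    (port,) = struct.unpack("!H", raw[2:4])
    return socket.inet_ntoa(raw[4:8]), port

def original_dst(conn):
    """Ask the kernel where a redirected connection was originally headed (OSError if not NAT-ed)."""
    return parse_original_dst(conn.getsockopt(socket.SOL_IP, SO_ORIGINAL_DST, 16))

def serve_once(port=LISTEN_PORT, timeout=30.0):
    """Accept one connection on the redirect port; None means REDIRECT never delivered one."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(("127.0.0.1", port))
        srv.listen(1)
        srv.settimeout(timeout)
        try:
            conn, peer = srv.accept()
        except socket.timeout:
            return None
        with conn:
            try:
                dst = original_dst(conn)
            except OSError:
                dst = None  # client connected to the proxy port directly, no NAT entry
            conn.sendall(b"HTTP/1.0 503 Service Unavailable\r\nConnection: close\r\n\r\n")
            return peer, dst

if __name__ == "__main__":
    print(serve_once())  # run, then fetch any http:// URL from a non-proxy user on this host
```

If a port-80 connection from a non-proxy user never reaches serve_once() while netstat shows it sitting in SYN_SENT towards the remote host, the nat OUTPUT rule is not rewriting the destination, which is the symptom described above.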
