[Bug 453] New: REDIRECT broken in 2.6.16-rcX kernels

bugzilla-daemon at bugzilla.netfilter.org
Thu Feb 23 10:36:28 CET 2006


https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=453

           Summary: REDIRECT broken in 2.6.16-rcX kernels
           Product: netfilter/iptables
           Version: linux-2.6.x
          Platform: i386
        OS/Version: Debian GNU/Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: NAT
        AssignedTo: laforge at netfilter.org
        ReportedBy: stephen_purcell at yahoo.com


I use REDIRECT on a desktop machine to re-route outbound HTTP traffic to a 
Squid running on the same machine at port 3128.  I use the following iptables 
rules to accomplish this:

iptables -t nat -F
iptables -t nat -A OUTPUT -p tcp -m tcp --dport 80 -m owner --gid-owner proxy -j ACCEPT
iptables -t nat -A OUTPUT -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128

This has worked fine for many kernel versions, but does not work since the 
x_tables merge in 2.6.16-rc1.  The user-visible effect is that browsers report 
a "could not connect" error.

I'm not an expert at analysing this kind of problem, but while the browser's 
request is pending, I get the following output from "netstat -tp":

tcp        0      1 192.168.0.4:35013       66.249.93.104:www       SYN_SENT    17080/konquerorni5O

I was surprised to see that the browser had directly contacted the remote 
site.

This feels like a bug to me, but it could also be that I'm doing something 
wrong/stupid.  I tried replacing the REDIRECT with a DNAT to 127.0.0.1:3128, 
and got the same netstat output.

In neither case is anything printed by tcpdump, apart from the initial DNS 
lookup, of course.  Please let me know if I can provide further information.
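The symptom above (a browser holding a direct SYN_SENT to a remote port 80 although every non-proxy connection to port 80 should have been redirected to Squid) can be checked mechanically. The following is an added example, not part of the bug report: it scans `netstat -tp` output for connections to remote port 80 owned by anything other than the proxy process, using a constructed sample of netstat lines and assuming the proxy process is named `squid`.

```shell
#!/bin/sh
# Constructed sample of "netstat -tp" output (not the lines from the report).
# Column 7 is PID/Program name, present because of the -p switch.
SAMPLE='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      1 192.168.0.4:35013       66.249.93.104:www       SYN_SENT    17080/konqueror
tcp        0      0 192.168.0.4:35020       66.249.93.104:www       ESTABLISHED 1234/squid
tcp        0      0 127.0.0.1:3128          127.0.0.1:35021         ESTABLISHED 1234/squid
tcp        0      0 192.168.0.4:44010       10.0.0.5:ssh            ESTABLISHED 2222/ssh'

# Read netstat output on stdin and print every TCP connection whose foreign
# port is 80 (netstat prints it as "www" or "80") and whose owning process is
# not the proxy. With the nat OUTPUT REDIRECT rule in effect, only the proxy
# (matched by the --gid-owner exception) should ever reach remote port 80, so
# any line printed here means the redirect was bypassed. A "-" owner (process
# not visible to the caller) is also printed, since it cannot be confirmed as
# the proxy.
find_proxy_bypass() {
    proxy="${1:-squid}"   # assumed proxy process name
    awk -v proxy="$proxy" '
        $1 ~ /^tcp/ && $5 ~ /:(www|80)$/ {
            split($7, owner, "/")
            if (owner[2] != proxy) print $0
        }'
}

# Convenience wrapper over the constructed sample: number of bypass lines.
count_proxy_bypass() {
    printf '%s\n' "$SAMPLE" | find_proxy_bypass "$1" | wc -l | tr -d ' '
}
```

On a live system run `netstat -tp | find_proxy_bypass squid` while the browser request is pending; an empty result means every port-80 connection went through the proxy.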
