a problem with nat table setting


Hi,

I am having a problem with the nat table configuration.  I am using the
2.6.8.1 kernel in a router and have also added an http filter proxy which
uses port 8080.

Internet ------------ ROUTER(http filter proxy) --------- linux PC
                      lan ip: 192.168.1.1                 192.168.1.2

I have found that if there is an established connection between the
linux PC and the webserver before I start the proxy and add the
iptables nat rules (this can be checked using netstat), the outgoing
http packets will not be passed to the proxy and seem to go out
directly.  If I leave it untouched (no http activity) and, after some
time, that connection is gone, the outgoing http packets will be
passed to the proxy again.

Does anyone know how to solve this problem?

Thanks.

Yong

Here is the iptables configuration:
1. only the REDIRECT rule in nat PREROUTING is for the proxy
2. ppp0 is the wan interface, br0 is the lan interface.  The PC is attached to
br0.

# iptables -L -v
Chain INPUT (policy ACCEPT 3574 packets, 11M bytes)
 pkts bytes target     prot opt in     out     source               destination
   22  7554 ACCEPT     all  --  ppp0   any     anywhere             anywhere            state RELATED,ESTABLISHED
    0     0 ACCEPT     udp  --  ppp0   any     anywhere             anywhere            udp dpt:500
    0     0 ACCEPT     esp  --  ppp0   any     anywhere             anywhere
    0     0 ACCEPT    !esp  --  ppp0   any     anywhere             anywhere            MARK match 0x10000000/0x10000000
    0     0 LOG        tcp  --  ppp0   any     anywhere             anywhere            tcp flags:SYN,RST,ACK/SYN limit: avg 6/hour burst 5 LOG level alert prefix `Intrusion -> '
    0     0 DROP       all  --  ppp0   any     anywhere             anywhere

Chain FORWARD (policy ACCEPT 43 packets, 13943 bytes)
 pkts bytes target     prot opt in     out     source               destination
   37 15118 ACCEPT     all  --  ppp0   any     anywhere             anywhere            state RELATED,ESTABLISHED
    0     0 ACCEPT    !esp  --  ppp0   any     anywhere             anywhere            MARK match 0x10000000/0x10000000
    0     0 LOG        tcp  --  ppp0   any     anywhere             anywhere            tcp flags:SYN,RST,ACK/SYN limit: avg 6/hour burst 5 LOG level alert prefix `Intrusion -> '
    0     0 DROP       all  --  ppp0   any     anywhere             anywhere

Chain OUTPUT (policy ACCEPT 3456 packets, 11M bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  any    ppp0    anywhere             239.255.255.250


# iptables -t nat -L -v
Chain PREROUTING (policy ACCEPT 84 packets, 5865 bytes)
 pkts bytes target     prot opt in     out     source               destination
    2   120 REDIRECT   tcp  --  br0    any     anywhere            !192.168.1.1         tcp dpt:www redir ports 8080
    2   118 DNAT       udp  --  br0    any     anywhere             192.168.1.1         udp dpt:domain to:10.250.1.10

Chain POSTROUTING (policy ACCEPT 28 packets, 1822 bytes)
 pkts bytes target     prot opt in     out     source               destination
    3   178 MASQUERADE  all  --  any    ppp0    192.168.1.0/24       anywhere

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
#
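Added example, not part of the original post and not code from iptables or the proxy: a Python parser for the two formats in play here, the `iptables -L -v` listing above and the 2.6-era /proc/net/ip_conntrack table, plus a check for the symptom described. The nat table is consulted only for the first packet of a connection and the decision is stored in the conntrack entry, so a flow that was already established before the REDIRECT rule was loaded keeps the mapping it got then (straight out through MASQUERADE) until the entry expires; such a flow shows a reply tuple whose source is the remote webserver rather than 192.168.1.1:8080. The NAT listing is the one from the post with its wrapped lines rejoined; the conntrack lines, the 203.0.113.x addresses and the 198.51.100.5 ppp0 address are constructed for the example.

```python
import re

# `iptables -t nat -L -v` output as posted (wrapped lines rejoined), used as
# input for the parser below.
SAMPLE_NAT = """\
Chain PREROUTING (policy ACCEPT 84 packets, 5865 bytes)
 pkts bytes target     prot opt in     out     source               destination
    2   120 REDIRECT   tcp  --  br0    any     anywhere            !192.168.1.1         tcp dpt:www redir ports 8080
    2   118 DNAT       udp  --  br0    any     anywhere             192.168.1.1         udp dpt:domain to:10.250.1.10

Chain POSTROUTING (policy ACCEPT 28 packets, 1822 bytes)
 pkts bytes target     prot opt in     out     source               destination
    3   178 MASQUERADE  all  --  any    ppp0    192.168.1.0/24       anywhere
"""

# Constructed /proc/net/ip_conntrack lines in the 2.6-era format. 203.0.113.x
# are documentation addresses and 198.51.100.5 stands in for the ppp0 address.
SAMPLE_CONNTRACK = """\
tcp      6 431999 ESTABLISHED src=192.168.1.2 dst=203.0.113.10 sport=40000 dport=80 src=203.0.113.10 dst=198.51.100.5 sport=80 dport=40000 [ASSURED] use=1
tcp      6 431999 ESTABLISHED src=192.168.1.2 dst=203.0.113.11 sport=40001 dport=80 src=192.168.1.1 dst=192.168.1.2 sport=8080 dport=40001 [ASSURED] use=1
tcp      6 117 TIME_WAIT src=192.168.1.2 dst=203.0.113.12 sport=40002 dport=443 src=203.0.113.12 dst=198.51.100.5 sport=443 dport=40002 [ASSURED] use=1
udp      17 29 src=192.168.1.2 dst=192.168.1.1 sport=5353 dport=53 src=10.250.1.10 dst=192.168.1.2 sport=53 dport=5353 use=1
"""

COUNTER_SUFFIX = {"K": 1000, "M": 1000000, "G": 1000000000}


def parse_counter(token):
    """Turn an iptables counter such as '120' or '11M' into an int."""
    if token[-1] in COUNTER_SUFFIX:
        return int(token[:-1]) * COUNTER_SUFFIX[token[-1]]
    return int(token)


def parse_iptables_lv(text):
    """Parse `iptables -L -v` output into one dict per rule. Assumes the column
    layout shown in the post, with negations fused to the field ('!192.168.1.1')."""
    rules, chain = [], None
    for line in text.splitlines():
        if line.startswith("Chain "):
            chain = line.split()[1]
            continue
        fields = line.split()
        if chain is None or not fields or fields[0] == "pkts":
            continue
        pkts, nbytes, target, prot, _opt, iface_in, iface_out, src, dst = fields[:9]
        rules.append({"chain": chain, "pkts": parse_counter(pkts), "bytes": parse_counter(nbytes),
                      "target": target, "prot": prot, "in": iface_in, "out": iface_out,
                      "source": src, "destination": dst, "match": " ".join(fields[9:])})
    return rules


PAIR_RE = re.compile(r"(\w+)=(\S+)")


def parse_ip_conntrack(text):
    """Parse /proc/net/ip_conntrack lines. The first src/dst/sport/dport set is the
    original direction; the second is the reply direction after any NAT."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        # TCP lines carry a state word after the timeout; UDP lines do not.
        state = fields[3] if "=" not in fields[3] else None
        orig, reply = {}, {}
        for key, value in PAIR_RE.findall(line):
            (reply if key in orig else orig)[key] = value
        entries.append({"proto": fields[0], "state": state, "orig": orig, "reply": reply})
    return entries


def flows_bypassing_proxy(entries, lan_prefix="192.168.1.", proxy_ip="192.168.1.1",
                          web_port="80", proxy_port="8080"):
    """Return LAN -> port 80 TCP flows whose reply tuple is not the local proxy.
    These entries were created before the REDIRECT rule (or while it was absent),
    so the nat table is never consulted again for them until they expire."""
    bypassing = []
    for entry in entries:
        orig, reply = entry["orig"], entry["reply"]
        if entry["proto"] != "tcp" or orig.get("dport") != web_port:
            continue
        if not orig.get("src", "").startswith(lan_prefix):
            continue
        if reply.get("src") == proxy_ip and reply.get("sport") == proxy_port:
            continue  # going through the proxy as intended
        bypassing.append(entry)
    return bypassing


if __name__ == "__main__":
    for rule in parse_iptables_lv(SAMPLE_NAT):
        print(f"{rule['chain']:<12} {rule['target']:<10} pkts={rule['pkts']:<4} {rule['match']}")
    for flow in flows_bypassing_proxy(parse_ip_conntrack(SAMPLE_CONNTRACK)):
        o = flow["orig"]
        print(f"bypassing proxy: {o['src']}:{o['sport']} -> {o['dst']}:{o['dport']} ({flow['state']})")
```

On a real router the same check runs over `open("/proc/net/ip_conntrack").read()`; a non-empty result after the REDIRECT rule is in place confirms that the leftover flows, not the rule, are what keeps traffic away from the proxy. The options are to let those entries time out, as the post observes happens on its own, or to remove them explicitly (later kernels ship the `conntrack` tool from conntrack-tools, whose `-D` deletes entries matching a filter such as a destination port).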

