a problem with nat table setting

Hi,

I am having a problem with the nat table configuration. I am using a 2.6.8.1 kernel in a router and have also added an http filter proxy which uses port 8080.

Internet ------------ ROUTER(http filter proxy) --------- linux PC
                      lan ip: 192.168.1.1                 192.168.1.2

I have found that if there is an established connection between the Linux PC and the web server before I start the proxy and add the iptables nat rules (which can be checked using netstat), the outgoing http packets will not be passed to the proxy; they seem to go out directly. If I leave it untouched (no http activity) and, some time later, that connection is gone, the outgoing http packets will be passed to the proxy again.

Does anyone know how to solve this problem?

Thanks.

Yong

Here is the iptables configuration:

  1. Only the REDIRECT rule in nat PREROUTING is for the proxy.
  2. ppp0 is the WAN interface and br0 is the LAN interface. The PC is attached to br0.

# iptables -L -v
Chain INPUT (policy ACCEPT 3574 packets, 11M bytes)
 pkts bytes target     prot opt in     out     source               destination
   22  7554 ACCEPT     all  --  ppp0   any     anywhere             anywhere            state RELATED,ESTABLISHED
    0     0 ACCEPT     udp  --  ppp0   any     anywhere             anywhere            udp dpt:500
    0     0 ACCEPT     esp  --  ppp0   any     anywhere             anywhere
    0     0 ACCEPT    !esp  --  ppp0   any     anywhere             anywhere            MARK match 0x10000000/0x10000000
    0     0 LOG        tcp  --  ppp0   any     anywhere             anywhere            tcp flags:SYN,RST,ACK/SYN limit: avg 6/hour burst 5 LOG level alert prefix `Intrusion -> '
    0     0 DROP       all  --  ppp0   any     anywhere             anywhere

Chain FORWARD (policy ACCEPT 43 packets, 13943 bytes)
 pkts bytes target     prot opt in     out     source               destination
   37 15118 ACCEPT     all  --  ppp0   any     anywhere             anywhere            state RELATED,ESTABLISHED
    0     0 ACCEPT    !esp  --  ppp0   any     anywhere             anywhere            MARK match 0x10000000/0x10000000
    0     0 LOG        tcp  --  ppp0   any     anywhere             anywhere            tcp flags:SYN,RST,ACK/SYN limit: avg 6/hour burst 5 LOG level alert prefix `Intrusion -> '
    0     0 DROP       all  --  ppp0   any     anywhere             anywhere

Chain OUTPUT (policy ACCEPT 3456 packets, 11M bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  any    ppp0    anywhere             239.255.255.250

# iptables -t nat -L -v
Chain PREROUTING (policy ACCEPT 84 packets, 5865 bytes)
 pkts bytes target     prot opt in     out     source               destination
    2   120 REDIRECT   tcp  --  br0    any     anywhere            !192.168.1.1         tcp dpt:www redir ports 8080
    2   118 DNAT       udp  --  br0    any     anywhere             192.168.1.1         udp dpt:domain to:10.250.1.10

Chain POSTROUTING (policy ACCEPT 28 packets, 1822 bytes)
 pkts bytes target     prot opt in     out     source               destination
    3   178 MASQUERADE all  --  any    ppp0    192.168.1.0/24       anywhere

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
#
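An added check, not part of the original post: the NAT binding for a connection is decided on the first packet conntrack sees of it and is then kept in the conntrack entry, so a flow that was already tracked (the filter rules above use the state match, so conntrack was running) before the REDIRECT rule was added keeps going out directly until it expires. The script below reads /proc/net/ip_conntrack-format lines (here a constructed sample; 198.51.100.7 and 203.0.113.10 are placeholder WAN and server addresses) and lists the LAN-to-port-80 flows whose reply tuple does not come from the proxy port, i.e. the flows still bypassing the proxy.

```shell
#!/bin/sh
# Added example (not from the original post). Lists tracked TCP flows from the LAN
# to port 80 whose reply tuple does not come from the proxy port: such flows were
# tracked before the REDIRECT rule existed and bypass the proxy until they expire.

LAN_NET="192.168.1."   # LAN prefix from the post (192.168.1.0/24)
PROXY_PORT="8080"      # proxy port from the post

# Constructed sample in /proc/net/ip_conntrack format (2.6 kernels). 198.51.100.7 is a
# placeholder for the router's ppp0 address, 203.0.113.10 a placeholder web server.
# Line 1: pre-existing flow, masqueraded straight out (reply comes from port 80).
# Line 2: new flow, redirected to the proxy (reply comes from 192.168.1.1:8080).
# Line 3: the DNAT'd DNS flow, not HTTP at all.
SAMPLE='tcp      6 431999 ESTABLISHED src=192.168.1.2 dst=203.0.113.10 sport=34567 dport=80 src=203.0.113.10 dst=198.51.100.7 sport=80 dport=34567 [ASSURED] use=1
tcp      6 431999 ESTABLISHED src=192.168.1.2 dst=203.0.113.10 sport=34568 dport=80 src=192.168.1.1 dst=192.168.1.2 sport=8080 dport=34568 [ASSURED] use=1
udp      17 29 src=192.168.1.2 dst=192.168.1.1 sport=5353 dport=53 src=10.250.1.10 dst=192.168.1.2 sport=53 dport=5353 use=1'

# unredirected_http_flows LAN_PREFIX PROXY_PORT < conntrack-lines
# Prints "client:sport -> server" for each LAN->80 TCP flow not answered from PROXY_PORT.
unredirected_http_flows() {
    awk -v lan="$1" -v pport="$2" '
    $1 == "tcp" {
        n = 0
        for (i = 1; i <= NF; i++)
            if (split($i, kv, "=") == 2) v[++n] = kv[2]
        if (n < 8) next
        # v[1..4] = original src, dst, sport, dport; v[5..8] = reply src, dst, sport, dport
        if (index(v[1], lan) == 1 && v[4] == "80" && v[7] != pport)
            print v[1] ":" v[3] " -> " v[2]
    }'
}

# Number of such flows; 0 means every tracked HTTP flow goes through the proxy.
count_unredirected() {
    unredirected_http_flows "$1" "$2" | awk 'END { print NR }'
}

printf '%s\n' "$SAMPLE" | unredirected_http_flows "$LAN_NET" "$PROXY_PORT"
# On the router itself: unredirected_http_flows "$LAN_NET" "$PROXY_PORT" < /proc/net/ip_conntrack
```

Flows the script lists will only reach the proxy once they are closed and re-established, which matches the behaviour described in the post.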
