[Firewall] NAT Loopback, code review

Lonnie Abelbeck lists at lonnie.abelbeck.com
Thu Oct 11 07:50:40 CEST 2012


Hi Eli,

Hmmm, try uncommenting the ip4tables ... NAT_POSTROUTING_CHAIN lines (2 sets of 2 lines each) and see if that fixes it.

Perhaps some sort of redirect at the HTTPS server is not matching the original CONNTRACK ?

Shame to have to also build the NAT_POSTROUTING_CHAIN for these special cases, but so it may be.

Thanks for testing,

Lonnie



On Oct 11, 2012, at 12:29 AM, Eli Wapniarski wrote:

> Hi Lonnie
> 
> Yay... Thank you for all the work that you are putting into this. :)
> 
> The first custom-rule worked like a charm with http and https. I have not had a 
> chance to test it with other services yet.
> 
> The second one worked with http, but not with https.
> 
> Thanks again.
> 
> Eli
> 
> 
> On Thursday 11 October 2012 00:20:10 Lonnie Abelbeck wrote:
>> Hi,
>> 
>> After further testing it seems the POSTROUTING rules are not necessary since
>> the CONNTRACK is allowing the return path, so rewriting the return seems
>> unnecessary.
>> 
>> Also, if the server is in another LAN it is unreachable (by default) unless
>> a FORWARD hole is created.  This version adds a new variable
>> NAT_LOOPBACK_FORWARD, if --
>> NAT_LOOPBACK_FORWARD=1
>> --
>> the FORWARD rule to the server is created for all subnets in
>> NAT_LOOPBACK_NET.
>> 
>> Attached is the latest version, with optional FORWARD rules added and
>> commented out POSTROUTING rules.
>> 
>> Lonnie
> _______________________________________________
> Firewall mailing list
> Firewall at rocky.eld.leidenuniv.nl
> http://rocky.eld.leidenuniv.nl/mailman/listinfo/firewall
> Arno's (Linux IPTABLES Firewall) Homepage:
> http://rocky.eld.leidenuniv.nl
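For readers following the rule discussion above, here is an added example of what the NAT loopback (hairpin NAT) rule set looks like end to end: the nat/PREROUTING DNAT, the optional FORWARD hole, and the optional nat/POSTROUTING source-NAT rule the thread is debating. It is example code written for this page, not code from arno-iptables-firewall or from Lonnie's attachment; the variable names NAT_LOOPBACK_NET, NAT_LOOPBACK_FORWARD and NAT_POSTROUTING_CHAIN are taken from the thread, but their value formats, the function name nat_loopback_rules, and the addresses are assumptions. By default it only prints the iptables commands; set IPTABLES=iptables to apply them.

```shell
#!/bin/sh
# Added example: NAT loopback (hairpin NAT) rule generator. NOT code from
# arno-iptables-firewall. Variable names follow the thread; value formats,
# the function name and all addresses below are assumptions for the example.
#
# Rules are printed by default; run with IPTABLES=iptables (as root) to apply.
IPTABLES=${IPTABLES:-"echo iptables"}

# Constructed sample topology.
WAN_IP=203.0.113.10                              # public address held by the firewall
NAT_LOOPBACK_NET="192.168.1.0/24 192.168.2.0/24" # internal subnets allowed to use WAN_IP
NAT_LOOPBACK_FORWARD=1   # 1 = open FORWARD to the server for every subnet above
NAT_POSTROUTING_CHAIN=1  # 1 = also emit the POSTROUTING (source NAT) rules

# nat_loopback_rules PROTO WAN_PORT SERVER_IP SERVER_PORT
# Emits, for each subnet in NAT_LOOPBACK_NET:
#   1. nat/PREROUTING DNAT: client -> WAN_IP:WAN_PORT is rewritten to
#      client -> SERVER_IP:SERVER_PORT.
#   2. FORWARD ACCEPT for the rewritten packet (only if NAT_LOOPBACK_FORWARD=1).
#      Replies ride on the usual ESTABLISHED,RELATED conntrack rule, so no
#      return rule is emitted here.
#   3. nat/POSTROUTING MASQUERADE (only if NAT_POSTROUTING_CHAIN=1), limited to
#      connections that were DNATed (--ctstate DNAT). This forces the server to
#      answer through the firewall. Without it, a server on the same subnet as
#      the client replies directly from its own address while the client expects
#      WAN_IP, so the client's TCP stack rejects the SYN-ACK and the connection
#      (e.g. an HTTPS handshake) never completes. The price is that the server
#      then logs the firewall's address instead of the client's.
nat_loopback_rules() {
  proto=$1; wan_port=$2; server=$3; server_port=$4
  for net in $NAT_LOOPBACK_NET; do
    $IPTABLES -t nat -A PREROUTING -s "$net" -d "$WAN_IP" -p "$proto" --dport "$wan_port" \
      -j DNAT --to-destination "$server:$server_port"
    if [ "$NAT_LOOPBACK_FORWARD" = 1 ]; then
      # FORWARD sees the packet after DNAT, so match the server's address and port.
      $IPTABLES -A FORWARD -s "$net" -d "$server" -p "$proto" --dport "$server_port" -j ACCEPT
    fi
    if [ "$NAT_POSTROUTING_CHAIN" = 1 ]; then
      $IPTABLES -t nat -A POSTROUTING -s "$net" -d "$server" -p "$proto" --dport "$server_port" \
        -m conntrack --ctstate DNAT -j MASQUERADE
    fi
  done
}

# Sample use: publish an internal web server on WAN_IP for HTTP and HTTPS.
nat_loopback_rules tcp 80  192.168.1.20 80
nat_loopback_rules tcp 443 192.168.1.20 443
```

A quick way to tell whether the POSTROUTING rule is the missing piece for a failing HTTPS case: capture on the client while it connects to WAN_IP:443; if the SYN-ACK arrives with the server's private address as source, the reply is bypassing the firewall and the source-NAT rule is required.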