[Firewall] NAT Loopback, code review

Eli Wapniarski eli at orbsky.homelinux.org
Thu Oct 11 08:10:06 CEST 2012


It worked

Eli

On Thursday 11 October 2012 00:50:40 Lonnie Abelbeck wrote:
> Hi Eli,
> 
> Hmmm, try uncommenting the ip4tables ... NAT_POSTROUTING_CHAIN lines (2 sets
> of 2 lines each) and see if that fixes it.
> 
> Perhaps some sort of redirect at the HTTPS server is not matching the
> original CONNTRACK?
> 
> Shame to have to also build the NAT_POSTROUTING_CHAIN for these special
> cases, but so it may be.
> 
> Thanks for testing,
> 
> Lonnie
> 
> On Oct 11, 2012, at 12:29 AM, Eli Wapniarski wrote:
> > Hi Lonnie
> > 
> > Yay... Thank you for all the work that you are putting into this. :)
> > 
> > The first custom-rule worked like a charm with http and https. I have not
> > had a chance to test it with other services yet.
> > 
> > The second one worked with http, but not with https.
> > 
> > Thanks again.
> > 
> > Eli
> > 
> > On Thursday 11 October 2012 00:20:10 Lonnie Abelbeck wrote:
> >> Hi,
> >> 
> >> After further testing it seems the POSTROUTING rules are not necessary
> >> since the CONNTRACK is allowing the return path, so rewriting the return
> >> seems unnecessary.
> >> 
> >> Also, if the server is in another LAN it is unreachable (by default)
> >> unless a FORWARD hole is created.  This version adds a new variable
> >> NAT_LOOPBACK_FORWARD, if --
> >> NAT_LOOPBACK_FORWARD=1
> >> --
> >> the FORWARD rule to the server is created for all subnets in
> >> NAT_LOOPBACK_NET.
> >> 
> >> Attached is the latest version, with optional FORWARD rules added and
> >> commented out POSTROUTING rules.
> >> 
> >> Lonnie
> > 
> > _______________________________________________
> > Firewall mailing list
> > Firewall at rocky.eld.leidenuniv.nl
> > http://rocky.eld.leidenuniv.nl/mailman/listinfo/firewall
> > Arno's (Linux IPTABLES Firewall) Homepage:
> > http://rocky.eld.leidenuniv.nl
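The three pieces discussed in the thread (the PREROUTING DNAT for LAN clients, the optional FORWARD hole enabled by NAT_LOOPBACK_FORWARD=1, and the POSTROUTING rewrite that had to be turned back on) can be seen together in a small generator script. This is an added example, not Arno's firewall code and not the script attached to the thread; NAT_LOOPBACK_NET and NAT_LOOPBACK_FORWARD are the thread's variable names, while EXT_IP, NAT_LOOPBACK_POSTROUTING, the function names and all addresses are assumptions. The script prints the rules rather than applying them, so it runs without root and the output can be reviewed before it touches a live firewall.

```shell
#!/bin/sh
# Added example (not part of Arno's firewall): emit the iptables rules that
# make up one NAT loopback (hairpin NAT) entry. Rules are printed, not applied.

# Assumed settings (constructed sample values)
EXT_IP="203.0.113.10"                               # public address LAN clients connect to
NAT_LOOPBACK_NET="192.168.1.0/24 192.168.2.0/24"    # subnets allowed to loop back via EXT_IP
NAT_LOOPBACK_FORWARD=1                              # 1 = add FORWARD hole (server may be in another LAN)
NAT_LOOPBACK_POSTROUTING=1                          # 1 = add SNAT; 0 reproduces the revision that broke HTTPS

# gen_nat_loopback PROTO PORT SERVER_IP [SERVER_PORT]
# Prints one rule set per subnet in NAT_LOOPBACK_NET.
gen_nat_loopback() {
    proto="$1"; port="$2"; server="$3"; sport="${4:-$2}"
    for net in $NAT_LOOPBACK_NET; do
        # 1. Redirect LAN clients that hit the public address to the internal server.
        echo "iptables -t nat -A PREROUTING -s $net -d $EXT_IP -p $proto --dport $port -j DNAT --to-destination $server:$sport"
        # 2. Optional: FORWARD sees the packet after DNAT, so match on the server address.
        if [ "$NAT_LOOPBACK_FORWARD" = "1" ]; then
            echo "iptables -A FORWARD -s $net -d $server -p $proto --dport $sport -m conntrack --ctstate NEW -j ACCEPT"
        fi
        # 3. Rewrite the source so the server's reply comes back through the firewall.
        #    Without this, a server on the client's own LAN answers the client directly,
        #    the conntrack entry created by the DNAT never sees the reply, and the
        #    client drops a response that does not match the connection it opened.
        if [ "$NAT_LOOPBACK_POSTROUTING" = "1" ]; then
            echo "iptables -t nat -A POSTROUTING -s $net -d $server -p $proto --dport $sport -j MASQUERADE"
        fi
    done
}

# count_rules PROTO PORT SERVER_IP [SERVER_PORT] -> number of rule lines generated
count_rules() { gen_nat_loopback "$@" | wc -l | tr -d ' '; }

# Usage: the two services from the thread, http and https, on one internal server.
gen_nat_loopback tcp 80  192.168.1.50
gen_nat_loopback tcp 443 192.168.1.50
```

Setting NAT_LOOPBACK_POSTROUTING=0 drops the MASQUERADE lines and reproduces the "POSTROUTING rules are not necessary" revision; comparing the two outputs for the 443 entry is a quick way to see exactly which rules the working version added.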
