[Firewall] NAT Loopback, code review

Eli Wapniarski eli at orbsky.homelinux.org
Thu Oct 11 09:04:06 CEST 2012


I've had the opportunity to test a couple more services, ftp, ts3.... all 
seem to be working.

Eli

On Thursday 11 October 2012 08:10:06 Eli Wapniarski wrote:
> It worked
> 
> Eli
> 
> On Thursday 11 October 2012 00:50:40 Lonnie Abelbeck wrote:
> > Hi Eli,
> > 
> > Hmmm, try uncommenting the ip4tables ... NAT_POSTROUTING_CHAIN lines (2
> > sets of 2 lines each) and see if that fixes it.
> > 
> > Perhaps some sort of redirect at the HTTPS server is not matching the
> > original CONNTRACK?
> > 
> > Shame to have to also build the NAT_POSTROUTING_CHAIN for these special
> > cases, but so it may be.
> > 
> > Thanks for testing,
> > 
> > Lonnie
> > 
> > On Oct 11, 2012, at 12:29 AM, Eli Wapniarski wrote:
> > > Hi Lonnie
> > > 
> > > Yay... Thank you for all the work that you are putting into this. :)
> > > 
> > > The first custom-rule worked like a charm with http and https. I have
> > > not had a chance to test it with other services yet.
> > > 
> > > The second one worked with http, but not with https.
> > > 
> > > Thanks again.
> > > 
> > > Eli
> > > 
> > > On Thursday 11 October 2012 00:20:10 Lonnie Abelbeck wrote:
> > >> Hi,
> > >> 
> > >> After further testing it seems the POSTROUTING rules are not necessary
> > >> since the CONNTRACK is allowing the return path, so rewriting the
> > >> return seems unnecessary.
> > >> 
> > >> Also, if the server is in another LAN it is unreachable (by default)
> > >> unless a FORWARD hole is created.  This version adds a new variable
> > >> NAT_LOOPBACK_FORWARD, if --
> > >> NAT_LOOPBACK_FORWARD=1
> > >> --
> > >> the FORWARD rule to the server is created for all subnets in
> > >> NAT_LOOPBACK_NET.
> > >> 
> > >> Attached is the latest version, with optional FORWARD rules added and
> > >> commented out POSTROUTING rules.
> > >> 
> > >> Lonnie
> > > 
> > > _______________________________________________
> > > Firewall mailing list
> > > Firewall at rocky.eld.leidenuniv.nl
> > > http://rocky.eld.leidenuniv.nl/mailman/listinfo/firewall
> > > Arno's (Linux IPTABLES Firewall) Homepage:
> > > http://rocky.eld.leidenuniv.nl
> > 

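Added example, not part of the thread and not Lonnie's attached custom-rule script (which is not on this page): a plain-iptables generator for the three rule kinds discussed above, the PREROUTING DNAT for each subnet in NAT_LOOPBACK_NET, the optional FORWARD hole controlled by NAT_LOOPBACK_FORWARD, and the POSTROUTING rewrite that the second custom-rule had commented out. The function name nat_loopback_rules, the IPT dry-run switch and the addresses and ports are assumptions chosen for the demo; plain iptables is assumed rather than Arno's ip4tables wrapper. The POSTROUTING rule is the one a practitioner should watch: conntrack can only undo the DNAT on the reply if the reply passes back through the router, and when the client and the server sit on the same subnet the server otherwise answers the client directly from its own address, which the client discards. That is the general hairpin-NAT reasoning, not a claim about what broke HTTPS in Eli's test.

```shell
#!/bin/sh
# NAT loopback (hairpin NAT) rule generator for a Linux router.
# IPT defaults to a dry run that prints the iptables commands; set IPT=iptables
# to apply them. All names and addresses here are assumed for the example, and
# plain iptables is used rather than Arno's ip4tables wrapper.
IPT="${IPT:-echo iptables}"

# nat_loopback_rules EXT_IP SERVER_IP PROTO PORT "NET1 NET2 ..." FORWARD SNAT
#   EXT_IP     public address that LAN clients use (what the DNS name resolves to)
#   SERVER_IP  internal address of the published server
#   PROTO/PORT tcp or udp, and the published port
#   NETs       LAN subnets allowed to loop back (the thread's NAT_LOOPBACK_NET)
#   FORWARD=1  add the FORWARD hole (the thread's NAT_LOOPBACK_FORWARD)
#   SNAT=1     MASQUERADE in POSTROUTING so replies come back through the router;
#              required when the client and the server share a subnet
nat_loopback_rules() {
  ext_ip=$1; srv_ip=$2; proto=$3; port=$4; nets=$5; fwd=$6; snat=$7
  case $proto in tcp|udp) ;; *) echo "bad proto: $proto" >&2; return 1 ;; esac
  case $port in ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;; esac
  # $nets is intentionally unquoted: one rule set per subnet.
  for net in $nets; do
    # 1. Rewrite the destination so the LAN client's packet reaches the server.
    $IPT -t nat -A PREROUTING -s "$net" -d "$ext_ip" -p "$proto" --dport "$port" \
      -j DNAT --to-destination "$srv_ip:$port"
    # 2. Only needed when the server sits in another LAN behind a default-deny FORWARD.
    if [ "$fwd" = 1 ]; then
      $IPT -A FORWARD -s "$net" -d "$srv_ip" -p "$proto" --dport "$port" -j ACCEPT
    fi
    # 3. Rewrite the source so the server answers the router, which un-DNATs the
    #    reply via conntrack. Without it a same-subnet server replies to the client
    #    directly from SERVER_IP and the client drops the unexpected reply.
    if [ "$snat" = 1 ]; then
      $IPT -t nat -A POSTROUTING -s "$net" -d "$srv_ip" -p "$proto" --dport "$port" \
        -j MASQUERADE
    fi
  done
}

# Dry-run demo with constructed addresses (skipped when IPT points at real iptables):
# HTTPS and a TeamSpeak 3 voice port, two LAN subnets, FORWARD hole and SNAT on.
if [ "$IPT" = "echo iptables" ]; then
  nat_loopback_rules 203.0.113.10 192.168.1.20 tcp 443 "192.168.1.0/24 192.168.2.0/24" 1 1
  nat_loopback_rules 203.0.113.10 192.168.1.20 udp 9987 "192.168.1.0/24 192.168.2.0/24" 1 1
fi
```

Run it as-is to review the commands, then with IPT=iptables on the router to apply them. Keep the DNAT rule ahead of any broader PREROUTING rules, and try the SNAT switch off first when the server is in a different subnet from the clients, since in that case the reply already crosses the router and the extra rewrite only hides the client's address from the server's logs.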