[Firewall] NAT Loopback, code review
eli at orbsky.homelinux.org
Thu Oct 11 11:19:10 CEST 2012
K... found another issue. If I try to access internal http services
from the gateway itself I get connection refused messages.
Quoting Lonnie Abelbeck <lists at lonnie.abelbeck.com>:
> Hi Eli,
> Hmmm, try uncommenting the ip4tables ... NAT_POSTROUTING_CHAIN lines
> (2 sets of 2 lines each) and see if that fixes it.
> Perhaps some sort of redirect at the HTTPS server is not matching
> the original CONNTRACK ?
> Shame to have to also build the NAT_POSTROUTING_CHAIN for these
> special cases, but so it may be.
> Thanks for testing,
> On Oct 11, 2012, at 12:29 AM, Eli Wapniarski wrote:
>> Hi Lonnie
>> Yay... Thank you for all the work that you are putting into this. :)
>> The first custom-rule worked like a charm with http and https. I have
>> not had a chance to test it with other services yet.
>> The second one worked with http, but not with https.
>> Thanks again.
>> On Thursday 11 October 2012 00:20:10 Lonnie Abelbeck wrote:
>>> After further testing it seems the POSTROUTING rules are not necessary since
>>> the CONNTRACK is allowing the return path, so rewriting the return seems
>>> Also, if the server is in another LAN it is unreachable (by default) unless
>>> a FORWARD hole is created. This version adds a new variable
>>> NAT_LOOPBACK_FORWARD, if --
>>> the FORWARD rule to the server is created for all subnets in
>>> Attached is the latest version, with optional FORWARD rules added and
>>> commented out POSTROUTING rules.
>> Firewall mailing list
>> Firewall at rocky.eld.leidenuniv.nl
>> Arno's (Linux IPTABLES Firewall) Homepage:
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
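The rule set the thread is iterating on, written out as an added dry-run example (not Arno's firewall code or the attached script): one PREROUTING DNAT for LAN clients, a nat OUTPUT DNAT for connections the gateway makes to its own external address (PREROUTING never sees locally generated packets, which is why a test from the gateway itself gets "connection refused"), the optional POSTROUTING rule, and the FORWARD hole gated by a NAT_LOOPBACK_FORWARD-style flag. The addresses, the IPTABLES variable and the function name are assumptions; set IPTABLES=iptables to apply the rules for real.

```shell
#!/bin/sh
# Added example, not code from the thread. Dry-run by default: the rules
# are printed instead of applied. Export IPTABLES=iptables to apply them.
IPTABLES="${IPTABLES:-echo iptables}"

# Emit NAT loopback rules for one TCP service published on the external IP.
# Args: ext_ip lan_net server_ip port loopback_forward(0|1)
nat_loopback_rules() {
  ext_ip="$1" lan_net="$2" server_ip="$3" port="$4" loopback_forward="$5"

  # 1. LAN client -> external IP: redirect to the internal server.
  $IPTABLES -t nat -A PREROUTING -s "$lan_net" -d "$ext_ip" \
    -p tcp --dport "$port" -j DNAT --to-destination "$server_ip"

  # 2. Gateway -> its own external IP: locally generated packets skip
  #    PREROUTING, so the same DNAT is needed in the nat OUTPUT chain.
  $IPTABLES -t nat -A OUTPUT -d "$ext_ip" \
    -p tcp --dport "$port" -j DNAT --to-destination "$server_ip"

  # 3. Source-rewrite only this LAN->server traffic so replies return via
  #    the gateway when client and server share a subnet. Caveat: the
  #    server then logs the gateway's address instead of the real client.
  $IPTABLES -t nat -A POSTROUTING -s "$lan_net" -d "$server_ip" \
    -p tcp --dport "$port" -j MASQUERADE

  # 4. FORWARD hole, required only when the server sits in another LAN.
  #    Scoped to the one port and NEW state; conntrack passes the rest.
  if [ "$loopback_forward" = "1" ]; then
    $IPTABLES -A FORWARD -s "$lan_net" -d "$server_ip" \
      -p tcp --dport "$port" -m conntrack --ctstate NEW -j ACCEPT
  fi
}

# Constructed sample values (RFC 5737 / RFC 1918), not from the thread.
nat_loopback_rules 203.0.113.10 192.168.1.0/24 192.168.1.20 443 1
```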