[Firewall] NAT Loopback, code review

Eli Wapniarski eli at orbsky.homelinux.org
Thu Oct 11 11:19:10 CEST 2012


K... found another issue. If I try to access internal http services  
from the gateway itself I get connection refused messages.

Eli

Quoting Lonnie Abelbeck <lists at lonnie.abelbeck.com>:

> Hi Eli,
>
> Hmmm, try uncommenting the ip4tables ... NAT_POSTROUTING_CHAIN lines  
> (2 sets of 2 lines each) and see if that fixes it.
>
> Perhaps some sort of redirect at the HTTPS server is not matching  
> the original CONNTRACK ?
>
> Shame to have to also build the NAT_POSTROUTING_CHAIN for these  
> special cases, but so it may be.
>
> Thanks for testing,
>
> Lonnie
>
>
>
> On Oct 11, 2012, at 12:29 AM, Eli Wapniarski wrote:
>
>> Hi Lonnie
>>
>> Yay... Thank you for all the work that you are putting into this. :)
>>
>> The first custom-rule worked like a charm with http and https. I
>> have not had a chance to test it with other services yet.
>>
>> The second one worked with http, but not with https.
>>
>> Thanks again.
>>
>> Eli
>>
>>
>> On Thursday 11 October 2012 00:20:10 Lonnie Abelbeck wrote:
>>> Hi,
>>>
>>> After further testing it seems the POSTROUTING rules are not  
>>> necessary since
>>> the CONNTRACK is allowing the return path, so rewriting the return seems
>>> unnecessary.
>>>
>>> Also, if the server is in another LAN it is unreachable (by default) unless
>>> a FORWARD hole is created.  This version adds a new variable
>>> NAT_LOOPBACK_FORWARD, if --
>>> NAT_LOOPBACK_FORWARD=1
>>> --
>>> the FORWARD rule to the server is created for all subnets in
>>> NAT_LOOPBACK_NET.
>>>
>>> Attached is the latest version, with optional FORWARD rules added and
>>> commented out POSTROUTING rules.
>>>
>>> Lonnie
>> _______________________________________________
>> Firewall mailing list
>> Firewall at rocky.eld.leidenuniv.nl
>> http://rocky.eld.leidenuniv.nl/mailman/listinfo/firewall
>> Arno's (Linux IPTABLES Firewall) Homepage:
>> http://rocky.eld.leidenuniv.nl
>>
>>
>
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
>
>
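Added example, not the custom-rule file Lonnie attached (that file is not reproduced on this page): a POSIX shell script that emits the iptables commands a NAT-loopback (hairpin NAT) setup of the kind discussed in this thread would use, without applying them, so the rule set can be reviewed on any machine without root. NAT_LOOPBACK_NET and NAT_LOOPBACK_FORWARD are the thread's variable names; EXT_IP, SERVER_IP, SERVER_PORT, NAT_LOOPBACK_SNAT, the function names and the sample addresses are assumptions. Two caveats the thread touches on are encoded as comments: conntrack only lets replies back through if they pass the gateway, so when client and server share a subnet the server answers the client directly and the client resets the connection unless a POSTROUTING SNAT or MASQUERADE makes the gateway the apparent source; and connections started on the gateway itself never traverse PREROUTING, so a DNAT rule is also needed in the nat table's OUTPUT chain for local access (a common cause of "connection refused" in that case, though the thread does not say whether that was Eli's).

```shell
#!/bin/sh
# Added example (not the thread's custom-rule file). Prints iptables commands for
# NAT loopback instead of running them, so it can be reviewed offline.
# NAT_LOOPBACK_NET / NAT_LOOPBACK_FORWARD come from the thread; everything else
# below is an assumed placeholder with constructed sample values.

EXT_IP="${EXT_IP:-203.0.113.10}"              # constructed: public address on the gateway
SERVER_IP="${SERVER_IP:-192.168.1.20}"        # constructed: internal web server
SERVER_PORT="${SERVER_PORT:-80}"
NAT_LOOPBACK_NET="${NAT_LOOPBACK_NET:-192.168.1.0/24 192.168.2.0/24}"  # space-separated subnets
NAT_LOOPBACK_FORWARD="${NAT_LOOPBACK_FORWARD:-1}"  # 1 = also open the FORWARD hole
NAT_LOOPBACK_SNAT="${NAT_LOOPBACK_SNAT:-0}"        # 1 = add the POSTROUTING rewrite

# Rules for one internal subnet.
nat_loopback_rules_for_net() {
    net="$1"
    # LAN client -> public IP: rewrite the destination to the internal server.
    echo "iptables -t nat -A PREROUTING -s $net -d $EXT_IP -p tcp --dport $SERVER_PORT -j DNAT --to-destination $SERVER_IP:$SERVER_PORT"
    if [ "$NAT_LOOPBACK_FORWARD" = "1" ]; then
        # Server in another LAN: the DNATed flow still has to pass FORWARD.
        echo "iptables -A FORWARD -s $net -d $SERVER_IP -p tcp --dport $SERVER_PORT -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT"
    fi
    if [ "$NAT_LOOPBACK_SNAT" = "1" ]; then
        # Needed when client and server share a subnet: without it the server
        # replies to the client directly, the reply never passes the gateway's
        # conntrack, and the client resets the connection.
        echo "iptables -t nat -A POSTROUTING -s $net -d $SERVER_IP -p tcp --dport $SERVER_PORT -j MASQUERADE"
    fi
}

# Rules for every subnet listed in NAT_LOOPBACK_NET (unquoted on purpose: word split).
nat_loopback_rules() {
    for net in $NAT_LOOPBACK_NET; do
        nat_loopback_rules_for_net "$net"
    done
}

# Access from the gateway itself: locally generated packets skip PREROUTING,
# so the same DNAT has to live in the nat OUTPUT chain.
nat_loopback_local_rule() {
    echo "iptables -t nat -A OUTPUT -d $EXT_IP -p tcp --dport $SERVER_PORT -j DNAT --to-destination $SERVER_IP:$SERVER_PORT"
}

# Number of subnet rules that would be emitted with the current settings.
count_rules() {
    nat_loopback_rules | wc -l | tr -d ' '
}

# Usage: review the output, then apply it as root (e.g. pipe into sh).
nat_loopback_rules
nat_loopback_local_rule
```

With the defaults (two subnets, FORWARD on, SNAT off) the script prints two rules per subnet; setting NAT_LOOPBACK_SNAT=1 adds the POSTROUTING rewrite per subnet, which is the piece Lonnie first dropped and then suggested re-enabling for the HTTPS case.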