#222 NAT output rule instead of prerouting rule

open
None
5
2014-08-10
2012-05-14
Xuff
No

Hello,

I'm running FWbuilder 5.1.0.3599 on CentOS 6.2.

I'm setting 2 transparent proxies for my internal network, one with FAI DNS, one with OpenDNS DNS to have parental control.

When I set one rule to redirect port 80 to 3128 for my internal network, no problem.
When I set two rules to redirect port 80, to 3128 for a range of my network (/26), and to 3129 for another range, the first rule is set to
IPTABLES -t nat -A OUTPUT -p tcp -m tcp -s RANGE1 --dport 80 -j REDIRECT --to-ports 3128
and the second one to
IPTABLES -t nat -A PREROUTING -p tcp -m tcp -s RANGE2 --dport 80 -j REDIRECT --to-ports 3129
If I manually correct the first rule, everything works as I would like.

Discussion

  • Vadim Kurland

    Vadim Kurland - 2012-05-14

    RANGE1 probably includes the address of the firewall itself. Please check if this is the case. If yes, then this is a bug because compiler should have generated two rules, one in chain OUTPUT to take care of packets generated by the firewall and the other in PREROUTING to translate packets that are forwarded through the firewall.

    Meanwhile, as a workaround, you can modify RANGE1 to make it not include address of the firewall.

     
  • Vadim Kurland

    Vadim Kurland - 2012-05-14
    • assigned_to: nobody --> vkurland
     
  • Xuff

    Xuff - 2012-05-15

    Thanks for your answer.

    Yes RANGE1 includes the address of the firewall. I thought about it when going to work this morning. I'll make a try by excluding it this as you suggested this evening and let you know.

     
  • Xuff

    Xuff - 2012-05-15

    Hi,

    The suggested workaround works fine for what I wanted to do: firewall address is now excluded from RANGE1, and I get several PREROUTING rules (2/31, 4/30, 8/29, 16/28, 32/27).

    Thanks for all

     

Log in to post a comment.

Get latest updates about Open Source Projects, Conferences and News.

Sign up for the SourceForge newsletter:

JavaScript is required for this form.





No, thanks