Linux - Networking
This forum is for any issue related to networks or networking. Routing, network cards, OSI, etc. Anything is fair game.
I've got a basic setup where my Linux (Ubuntu) Gateway machine has TinyProxy (transparently) with Dansguardian running on it. All client network traffic gets redirected correctly from port 80 to 8080 but if I VNC into the machine and use firefox it goes directly through port 80 and doesn't get redirected to 8080.
Can you post the script (or iptables rules) you are already using? Also, I have never used VPN, so I might need a little help with that. So I can see what interface(s) VPN is using, can you also post the output of ifconfig (with no parameters)?
When I was doing a similar REDIRECT (different port) from the (nat) OUTPUT chain recently, I found the packets were appearing on one of my ethernet interfaces (according to iptables' LOG function) with both source and destination addresses of 127.0.0.1. Accepting all packets on the loopback interface did not accept these packets. So, since you have a DROP policy on the (netfilter) OUTPUT chain, you might need a rule something like:
I don't recall having an analogous problem on the INPUT chain, but if you find that your packets get lost, you might investigate whether you need a corresponding rule there also.
If I've still misunderstood the situation, post back with more info and I'll take another shot at it.
Last edited by blackhole54; 01-06-2009 at 12:51 AM.
Reason: --dport 80 -> --dport 8080
I have successfully used something analogous to what I last posted on a 2.4 kernel. But I recently tried the same thing on a 2.6.17 kernel and I ran into problems. I finally ended up using a rather ugly kludge to do what I wanted. It seems I (somewhat) recently read about some problem finally (after years of being "broken") getting fixed in the kernel and I believe it had something to do with DNAT or REDIRECT. At the time I didn't know what the article was talking about, but I am now wondering whether it was this problem.
Last edited by blackhole54; 01-16-2009 at 02:40 AM.
Reason: typo
I tried the above and it didn't work because I forgot to mention that I have a proxy running on that machine.
So here I have a slight issue, right?
I want to block Firefox on port 80 on the gateway but allow Tinyproxy to connect directly with port 80.
The network-part is working fine.
If it is not possible, I'll just uninstall all browsers on the gateway.
Last edited by Last Attacker; 01-30-2009 at 07:59 AM.
Reason: Added question
You can also filter on --gid-owner. You are supposed to be able to filter on --pid-owner, --sid-owner, and --cmd-owner (the name of the command), but the last I knew those are broken on SMP. --cmd-owner probably isn't a good idea anyway if you have untrusted users on that system since the command name can be spoofed.
I gather you didn't have the problems I mentioned in post #6? For my own information, could you let me know what version kernel you are running?
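Putting the pieces of this thread together in one script (the REDIRECT in the nat OUTPUT chain for locally generated port-80 traffic, the accept rule for the 127.0.0.1-to-127.0.0.1 packets described in the earlier post, and the owner-match exemption so the proxy's own fetches are not looped back into the proxy). This is an added example, not a script posted by anyone in the thread. It assumes the proxy daemon runs as a dedicated user named tinyproxy and listens on port 8080; both are variables you can override. By default it only prints the iptables commands; set IPT=iptables to actually apply them.

```shell
#!/bin/sh
# Added example (not from the thread): redirect the gateway's own HTTP traffic
# into the local transparent proxy while exempting the proxy process itself.
# Dry-run by default: the commands are printed. Run with IPT=iptables to apply.
IPT="${IPT:-echo iptables}"
PROXY_USER="${PROXY_USER:-tinyproxy}"   # assumption: user the proxy daemon runs as
PROXY_PORT="${PROXY_PORT:-8080}"        # local listening port from the thread

# Emit the rules in the order they must be appended; order matters because
# the first matching rule in nat OUTPUT decides the packet's fate.
local_redirect_rules() {
    # 1. The proxy's own outbound connections to port 80 leave nat OUTPUT
    #    untouched (owner match on its uid), otherwise they would be
    #    redirected back into the proxy and loop.
    $IPT -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner "$PROXY_USER" -j RETURN
    # 2. Any other locally generated port-80 traffic (a browser used over VNC,
    #    wget, etc.) is redirected to the proxy, as already done for clients.
    $IPT -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-ports "$PROXY_PORT"
    # 3. After REDIRECT the packets carry 127.0.0.1 as both source and
    #    destination and may not hit a loopback-interface rule, so with a
    #    DROP policy on the filter OUTPUT chain accept them explicitly.
    $IPT -A OUTPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
}

# Number of rules the function emits (useful for checking a dry run).
count_rules() {
    local_redirect_rules | grep -c .
}

# Stand-alone run: print (or apply) the rules.
local_redirect_rules
```

The rules are appended with -A, so existing rules in both chains stay in place; the RETURN for the proxy user has to end up before the REDIRECT, which it does when the script is run once on a chain that does not already redirect port 80. The existing accept rules that let the proxy's direct port-80 connections out through the filter chain are left as they are.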
To be honest, I didn't know that IPtables could exempt processes so this is new to me!
The kernel version I am running is the same one found on the XUbuntu 8.04 release. I haven't updated it. I think it's 2.6.24 or something like that; I need to make 100% sure, as I am replying from work at the moment.
Thanks so much for your effort in helping me with this small thing!
God Bless!