Hi all,
I'm trying to tune a firewall + transparent proxy setup, and I'm running into
the following problem: I cannot call a user-defined chain from the
PREROUTING chain of the nat table. I've dug through man pages and Google for
a few hours and found nothing saying that This Cannot Be Done.
On the contrary, I gather that it must be possible, since the DNAT target
says "This target is only valid in the nat table, in the PREROUTING and
OUTPUT chains, and user-defined chains which are only called from those
chains."
So, the problem shows up like this:
[EMAIL PROTECTED] ~]# iptables -N filtru
[EMAIL PROTECTED] ~]# iptables -t nat -A PREROUTING -j filtru
iptables v1.3.7: Couldn't load target
`filtru':/lib/iptables/libipt_filtru.so: cannot open shared object
file: No such file or directory
Try `iptables -h' or 'iptables --help' for more information.
From filter/INPUT, on the other hand, I can call the chain:
[EMAIL PROTECTED] ~]# iptables -A INPUT -j filtru
[EMAIL PROTECTED] ~]#
Consequently, I can't add rules with the DNAT or REDIRECT target in this
chain ("filtru"):
[EMAIL PROTECTED] ~]# iptables -A filtru -p tcp --dport 80 -j REDIRECT
--to-ports 3128
iptables: Invalid argument
The problem occurs on at least 4 (or 5, YMMV) machines:
- my laptop, vanilla Fedora 7, roughly up to date (iptables 1.3.7,
kernel 2.6.21)
- a vanilla CentOS 4.4 server, somewhat behind on updates (iptables
1.2.11, kernel 2.6.9-42)
- the same server, after yum update (CentOS 4.5, iptables 1.2.11, kernel 2.6.9-55)
- a second server, vanilla Fedora Core 2 (iptables 1.2.9, kernel 2.6.10)
- a third server, customized CentOS 5 (iptables 1.3.5, kernel
2.6.18, imq patch + l7filter patch)
So, as they say, "wtf ??"
--
www.flo.ro
_______________________________________________
RLUG mailing list
[email protected]
http://lists.lug.ro/mailman/listinfo/rlug
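The following is an added example, not part of the post above or of any reply to it. It shows the way a user-defined chain is normally hooked into nat/PREROUTING for a transparent proxy: iptables chains are per table, so `iptables -N filtru` with no `-t` creates the chain in the filter table only, and when `-t nat -A PREROUTING -j filtru` finds no chain by that name in the nat table it falls back to looking for a target extension (hence the `libipt_filtru.so` error); likewise REDIRECT is only accepted in the nat table, which is where the "Invalid argument" comes from. Creating the chain with `-t nat -N` resolves both. The chain name `filtru`, proxy port 3128 and interface `eth0` are assumed values; setting `IPT=echo` prints the commands instead of running them, so the script can be exercised without root.

```shell
#!/bin/sh
# Added example (not from the original post): create the user-defined chain
# in the nat table, jump to it from nat/PREROUTING, and REDIRECT port 80 to a
# local proxy. Chain name, port and interface are assumed values.

# iptables binary; set IPT=echo to dry-run (prints commands, needs no root).
IPT="${IPT:-iptables}"

# Create CHAIN in TABLE. "iptables -N foo" without -t creates foo in the
# filter table only; the nat table would still have no chain named foo.
new_chain() {
  table="$1"; chain="$2"
  $IPT -t "$table" -N "$chain"
}

# True if CHAIN exists in TABLE (listing a missing chain fails). With
# IPT=echo this always succeeds, so use it only against a real iptables.
has_chain() {
  table="$1"; chain="$2"
  $IPT -t "$table" -nL "$chain" >/dev/null 2>&1
}

# Build the transparent-proxy hook: nat/PREROUTING -> user chain -> REDIRECT.
# Every command names the nat table explicitly; REDIRECT is nat-only.
setup_transparent_proxy() {
  chain="${1:-filtru}"; proxy_port="${2:-3128}"; lan_if="${3:-eth0}"
  new_chain nat "$chain" &&
  $IPT -t nat -A PREROUTING -i "$lan_if" -p tcp -j "$chain" &&
  $IPT -t nat -A "$chain" -p tcp --dport 80 -j REDIRECT --to-ports "$proxy_port"
}

# Print the three commands that setup_transparent_proxy would run, one per
# line, without touching the live ruleset (runs in a subshell with IPT=echo).
dry_run() {
  ( IPT=echo; setup_transparent_proxy "$@" )
}
```

Running `dry_run filtru 3128 eth0` prints the exact commands; running `setup_transparent_proxy filtru 3128 eth0` as root applies them, after which `iptables -t nat -nL filtru` lists the REDIRECT rule and `has_chain nat filtru` succeeds. Note that `has_chain filter filtru` would still fail, because the chain was never created in the filter table.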