On 12/23/2012 08:42 PM, Steve Wray wrote:
>> Do you see the obvious problem with this rule from your dump output?
>>
>> Chain PREROUTING (policy ACCEPT 1361 packets, 464K bytes)
>>  pkts bytes target prot opt in      out source destination
>>  1361  464K tcpre  all      *       *   ::/0   ::/0
>>     0     0 divert tcp      he-ipv6 *   ::/0   ::/128 tcp spt:80flags:! 0x17/0x02 socket --transparent
>>     0     0 TPROXY tcp      eth1    *   ::/0   ::/128 tcp dpt:80 TPROXY redirect :::3128 mark 0x200/0x200
>
>> Look at the destination column. That is the all-zero address.
>
>> That goes back to your tcrules:
>
>> TPROXY(3128,::1) eth1 :: tcp 80
>
> Yes I see this.
>
> But I don’t know how this tcpre rule gets there. I don’t think that I
> explicitly request it in my shorewall6 configuration.
>
> My tcrules file contains only
>
> FORMAT 2
>
> DIVERT he-ipv6 :: tcp - 80
>
> TPROXY(3128) eth1 :: tcp 80
>

And that is WRONG!

> Which is exactly as suggested in the documentation.
>
> http://www.shorewall.net/Shorewall_Squid_Usage.html#TPROXY
>
> and so far as I can tell I’m following this very closely.
>

No! That documentation uses 0.0.0.0/0 in the DEST column. The IPv6
equivalent is ::/0 -- you have coded :: which is ::/128.

>
> So Shorewall6 must be inferring that I want this rule.
>

No -- Shorewall6 is doing exactly what you are asking it to do.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users
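An added example (not part of the original message and not Shorewall's own code): a small Python check showing why a bare `::` in the DEST column becomes `::/128`, and flagging such entries in a tcrules file. It assumes ACTION, SOURCE and DEST are the first three columns, as in the entries quoted in the thread; the function names and the 2001:db8::50 test address are constructed for illustration.

```python
import ipaddress

# Constructed sample: the tcrules entries quoted in the thread, plus a corrected one.
SAMPLE_TCRULES = """\
FORMAT 2
DIVERT        he-ipv6  ::    tcp  -   80
TPROXY(3128)  eth1     ::    tcp  80
TPROXY(3128)  eth1     ::/0  tcp  80
"""

def dest_network(dest):
    """Return the network a DEST value denotes, or None if it is not an address."""
    try:
        # A bare address carries an implicit full-length prefix: "::" is ::/128.
        return ipaddress.ip_network(dest, strict=False)
    except ValueError:
        return None  # interface name, "-", zone name, etc.

def rule_matches(dest, address):
    """True if a packet addressed to `address` falls inside DEST."""
    net = dest_network(dest)
    return net is not None and ipaddress.ip_address(address) in net

def lint_tcrules(text):
    """Return (line_no, action, dest, network) for every rule whose DEST is the
    unspecified address as a single host (::/128 or 0.0.0.0/32), which matches
    no real traffic."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 3:          # blank line, comment, or "FORMAT 2"
            continue
        action, _source, dest = fields[:3]   # assumed column order
        net = dest_network(dest)
        if (net is not None and net.network_address.is_unspecified
                and net.prefixlen == net.max_prefixlen):
            findings.append((line_no, action, dest, str(net)))
    return findings

if __name__ == "__main__":
    for line_no, action, dest, net in lint_tcrules(SAMPLE_TCRULES):
        any_net = "::/0" if ":" in net else "0.0.0.0/0"
        print(f"line {line_no}: {action} DEST '{dest}' means {net}; "
              f"use {any_net} to match any destination")
```
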
