On 2013-04-26 23:18:11 +0000, Tom Eastep said:
> That's fascinating, given that I gave you a bad rule. What I wanted you
> to do was:
>
> TPROXY(3129) eth0 !<address of eth0> tcp 80
>
> Same with br0:
>
> TPROXY(3129) br0 !<address of br0> tcp 80
After a bit of playing, it seems that IPv4 wasn't forwarding with the broken rule; however, IPv6 did work with:

TPROXY(3129) eth2:[!2001:1931:313::1/64] ::/0 tcp 8

I switched to use:

TCPROXY(3129) eth0 !192.168.1.1 tcp 80

IPv4 works just fine now, and I imagine the rule being correct can't hurt for IPv6. Still, I have no idea why it was working the way it did. If you're interested, I can collect a shorewall dump for you, but otherwise I'm fine with just leaving it...

That said: I'm still not able to get TPROXY to work with my LXC containers. I'm seeing this in the log when I try to connect from inside an LXC container:

Apr 26 21:09:43 lxc2fw:ACCEPT:IN=br0 OUT= PHYSIN=vethWKjPPy SRC=192.168.2.8 DST=216.34.181.45 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=5993 DF PROTO=TCP SPT=37139 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0 MARK=0x200

Obviously, nothing else is getting through... I set up some 'info' logging in the shorewall policy to show anything (or attempts to make) connections between $FW and the lxc zone. The only thing showing up in the log is the http requests being made by the container.

I'll make another shorewall dump set and post them shortly...

--
Troy Telford

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
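The log entry quoted in the post is a Shorewall-prefixed netfilter log line (chain:disposition: followed by the kernel's key=value fields and bare flags such as DF and SYN). The following Python parser is an added example, not code from the post or from the Shorewall project. It splits such lines into their parts, decodes the MARK field, and sorts port-80 connections by whether they carry the mark you expect your TPROXY rule to apply. The first sample line is the one from the post; the second (a UDP/53 entry) and the expected mark value 0x200 are constructed assumptions, used only to show the contrast between a marked and an unmarked entry.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample log. Line 1 is the entry quoted in the post; line 2 is a
# hypothetical DNS attempt with no MARK, added for contrast. Real syslog lines
# would also carry a hostname and "kernel:" before the Shorewall prefix, which
# the parser tolerates by searching for the prefix rather than anchoring on it.
SAMPLE_LOG: List[str] = [
    "Apr 26 21:09:43 lxc2fw:ACCEPT:IN=br0 OUT= PHYSIN=vethWKjPPy SRC=192.168.2.8 "
    "DST=216.34.181.45 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=5993 DF PROTO=TCP "
    "SPT=37139 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0 MARK=0x200",
    "Apr 26 21:09:44 lxc2fw:ACCEPT:IN=br0 OUT= PHYSIN=vethWKjPPy SRC=192.168.2.8 "
    "DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=5994 DF PROTO=UDP "
    "SPT=40000 DPT=53 LEN=40",
]

_TS_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d)")
# Shorewall's default log prefix is "<chain>:<disposition>:" right before IN=.
_PREFIX_RE = re.compile(r"(?P<chain>[\w.-]+):(?P<disp>[A-Z]+):(?P<rest>IN=.*)$")


def parse_nflog(line: str) -> dict:
    """Split one Shorewall/netfilter log line into prefix, fields and flags."""
    ts = _TS_RE.match(line)
    m = _PREFIX_RE.search(line)
    if not m:
        raise ValueError("not a Shorewall-prefixed netfilter log line: %r" % line)
    fields: Dict[str, str] = {}
    flags: Set[str] = set()
    for tok in m.group("rest").split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            # Keep the first occurrence: UDP lines repeat LEN (IP length, then
            # UDP length), and the IP-header value is the one we want.
            fields.setdefault(key, val)
        else:
            flags.add(tok)          # bare tokens: DF, SYN, ACK, ...
    return {
        "timestamp": ts.group("ts") if ts else None,
        "chain": m.group("chain"),
        "disposition": m.group("disp"),
        "fields": fields,
        "flags": flags,
    }


def mark_value(rec: dict) -> int:
    """Decode the fwmark shown in the entry (0 when the kernel logged none)."""
    return int(rec["fields"].get("MARK", "0x0"), 16)


def summarize(rec: dict) -> str:
    """One-line summary: chain/disposition, 5-tuple, bridge port, mark, flags."""
    f = rec["fields"]
    src, dst = f.get("SRC", "?"), f.get("DST", "?")
    if "SPT" in f:
        src += ":" + f["SPT"]
        dst += ":" + f.get("DPT", "?")
    return "%s/%s %s %s -> %s in=%s physin=%s mark=0x%x flags=%s" % (
        rec["chain"], rec["disposition"], f.get("PROTO", "?"), src, dst,
        f.get("IN", ""), f.get("PHYSIN", ""), mark_value(rec),
        ",".join(sorted(rec["flags"])),
    )


def split_web_by_mark(recs: List[dict], expected_mark: int) -> Tuple[List[str], List[str]]:
    """Return (marked, unmarked) summaries of TCP port-80 entries.

    expected_mark is an assumption: the value your TPROXY rule is configured
    to set. An unmarked port-80 SYN in the lxc->fw chain means the marking
    stage never saw that packet.
    """
    marked, unmarked = [], []
    for rec in recs:
        f = rec["fields"]
        if f.get("PROTO") != "TCP" or f.get("DPT") != "80":
            continue
        (marked if mark_value(rec) == expected_mark else unmarked).append(summarize(rec))
    return marked, unmarked


if __name__ == "__main__":
    records = [parse_nflog(line) for line in SAMPLE_LOG]
    for rec in records:
        print(summarize(rec))
    got, missing = split_web_by_mark(records, 0x200)
    print("port-80 entries with expected mark:", len(got), "without:", len(missing))
```

Run it against `shorewall show log` output (or the kernel log) for the lxc zone's chains; entries that reach port 80 without the expected mark point at the marking rule, entries that carry it but never produce a corresponding proxy-side connection point at the TPROXY routing.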
