Tom Eastep wrote:
> Jerry Vonau wrote:
> ...
>>
>> Getting the "squid in loc" to work with "loose" took a bit of effort
>> but that works now. Give me a bit, I'll have some config info that
>> worked for me if you want.
>
> Please -- I haven't tested that configuration.
>

I'll paste together what I brewed up.

>>
>> On a side note:
>>
>> Running /sbin/iptables-restore...
>> iptables-restore v1.4.1.1: host/network `!' not found
>> Error occurred at line: 134
>> Try `iptables-restore -h' or 'iptables-restore --help' for more
>> information.
>> ERROR: iptables-restore Failed. Input is in
>> /var/lib/shorewall/.iptables-restore-input
>> Line 134:
>> -A loc2fw -p 6 --dport 8080 -m conntrack --ctorigdst ! 10.3.0.10 -j
>> ACCEPT
>>
>> editing out this line in rules allows a start:
>>
>> REDIRECT loc 8080 tcp 80 -
>> !10.3.0.10
>>
>> Did I miss something along the journey?
>
> Looks like iptables-restore 1.4.1.1 is broken. That syntax is correct:
>
> /usr/sbin/iptables -m conntrack -h
> ...
> What happens when you try that on your 1.4.1.1?
>

/sbin/iptables -m conntrack -h
iptables v1.4.1.1
...
conntrack match options:
[!] --ctstate {INVALID|ESTABLISHED|NEW|RELATED|UNTRACKED|SNAT|DNAT}[,...]
                               State(s) to match
[!] --ctproto proto            Protocol to match; by number or name, e.g. "tcp"
[!] --ctorigsrc address[/mask]
[!] --ctorigdst address[/mask]
[!] --ctreplsrc address[/mask]
[!] --ctrepldst address[/mask]
                               Original/Reply source/destination address
[!] --ctorigsrcport port
[!] --ctorigdstport port
[!] --ctreplsrcport port
[!] --ctrepldstport port
                               TCP/UDP/SCTP orig./reply source/destination port
[!] --ctstatus {NONE|EXPECTED|SEEN_REPLY|ASSURED|CONFIRMED}[,...]
                               Status(es) to match
[!] --ctexpire time[:time]     Match remaining lifetime in seconds against
                               value or range of values (inclusive)
    --ctdir {ORIGINAL|REPLY}   Flow direction of packet

Guess it's a bug... off to file it..

fyi:
libnetfilter_conntrack-0.0.89-0.1.svn7356.fc9.i386
iptables-1.4.1.1-1.fc9.i386
2.6.25.9-76.fc9.i686

checking on updates...

Jerry
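The rule that failed in this thread puts the `!` after `--ctorigdst`. As an added example (not part of the original thread or of Shorewall), the Python function below lists every rule in an iptables-restore input file that uses that post-option negation, with 1-based file line numbers for comparison with the "Error occurred at line" message. The sample ruleset is constructed; only the loc2fw rule is taken from the thread.

```python
import shlex

# Constructed sample in iptables-restore format.
# Only the loc2fw --ctorigdst rule comes from the thread.
SAMPLE = """\
# constructed sample ruleset
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p 6 --dport 80 -j REDIRECT --to-ports 8080
COMMIT
*filter
:loc2fw - [0:0]
-A loc2fw -p 6 --dport 8080 -m conntrack --ctorigdst ! 10.3.0.10 -j ACCEPT
-A loc2fw ! -p 6 -j DROP
COMMIT
"""


def find_post_option_negations(ruleset_text):
    """Return (line_no, table, option, value) for each '--opt ! value' in a rule."""
    hits = []
    table = None
    for line_no, raw in enumerate(ruleset_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank lines and comments still count as lines
        if line.startswith("*"):
            table = line[1:]              # "*filter" opens the filter table
            continue
        if not line.startswith(("-A", "-I")):
            continue                      # chain declarations, COMMIT
        tokens = shlex.split(line)
        for i in range(1, len(tokens) - 1):
            # '!' directly after an option is the form rejected in the thread;
            # '!' before an option ("! -p 6") follows the chain name and is skipped.
            if tokens[i] == "!" and tokens[i - 1].startswith("-"):
                hits.append((line_no, table, tokens[i - 1], tokens[i + 1]))
    return hits


if __name__ == "__main__":
    for line_no, table, option, value in find_post_option_negations(SAMPLE):
        print(f"line {line_no} ({table}): {option} ! {value}")
```

To check a real run, pass the contents of the file named in the error message (here /var/lib/shorewall/.iptables-restore-input) instead of the sample.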