On 8/26/10 9:33 AM, Shawn Wright wrote:
> 
> 
> ----- "Tom Eastep" <[email protected]> wrote:
> 
> 
>> Squid is accepting the connection.
> 
> I should say, rather, that the connection is being accepted. Because
> of listener backlog (second argument to listen(2)), a TCP connection
> can be acknowledged without the server actually calling accept().
> 
> The fact that we don't see an ACK back from the client might indicate
>  that it is not receiving (or doesn't like) the SYN,ACK response.
> This is supported by the conntrack entry I pointed out to you last
> evening. Have you run tcpdump (or wireshark) on the client system?
> 
> === The client is not receiving the SYN,ACK response. A tcpdump on
> the client shows only the outgoing SYN and nothing else. So it
> appears the packets are being dropped on the shorewall box.

Then how in $DEITY's name is tcpdump seeing them leaving the Shorewall box?

> What methods can I employ to trace these packets and determine where they
> are being dropped? Alternately, is there an "allow all" switch I can
> enable to get it working, then trace back what is required to make
> this work? (bearing in mind that I still need the REDIRECT from
> 80-3128 for all traffic).

Let's put the Shorewall configuration issue to bed once and for all:

- shorewall clear
- iptables -t nat -A PREROUTING -p 6 --dport 80 -j REDIRECT --to-port 3128

Now test -- does it work?

If not, I would next use the -e option (e.g., tcpdump -nei eth0 ...) on
the Shorewall-less box to see what the link layer destination address of
the SYN,ACK is. Does it match that of the client?

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
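The two-step check Tom describes (first a bare REDIRECT with Shorewall cleared, then tcpdump -e to read the link-layer destination of the SYN,ACK) can be scripted. The following is an added example, not code from the thread or from the Shorewall project. The capture lines, MAC addresses and IP addresses in it are constructed for illustration; the function names are mine. The parsing assumes the standard `tcpdump -nei <iface>` line layout, where the second field is the source MAC and the fourth field (before the comma) is the destination MAC.

```shell
#!/bin/sh
# Added example, not from the original thread. Shows (a) the bare
# REDIRECT test Tom suggests and (b) how to read the link-layer
# destination of the SYN,ACK out of `tcpdump -nei eth0` output and
# compare it with the client's MAC.

# Step 1 from the message: drop the Shorewall ruleset and install only the
# port-80 -> 3128 REDIRECT. Run manually as root; not invoked below.
apply_bare_redirect() {
    shorewall clear
    iptables -t nat -A PREROUTING -p 6 --dport 80 -j REDIRECT --to-port 3128
}

# Constructed sample of `tcpdump -nei eth0` output (not a real capture):
# the client's SYN to port 80, then the proxy's SYN,ACK from port 3128.
SAMPLE_CAPTURE='10:01:02.000001 02:00:00:00:00:99 > 02:00:00:00:00:10, ethertype IPv4 (0x0800), length 74: 192.168.1.50.51234 > 192.168.1.1.80: Flags [S], seq 100, win 65535, length 0
10:01:02.000150 02:00:00:00:00:10 > 02:00:00:00:00:99, ethertype IPv4 (0x0800), length 74: 192.168.1.1.3128 > 192.168.1.50.51234: Flags [S.], seq 500, ack 101, win 5792, length 0'

# MAC of the client as shown by `ip link` on the client (made up here).
CLIENT_MAC='02:00:00:00:00:99'

# Print the link-layer destination MAC of every SYN,ACK ("Flags [S.]")
# line in the capture text given as $1.
synack_link_dst() {
    printf '%s\n' "$1" | awk '
        / Flags \[S\.\]/ {
            dst = $4            # "<mac>," : destination MAC with trailing comma
            sub(/,$/, "", dst)
            print dst
        }'
}

# $1: capture text, $2: client MAC.
# Returns 0 if the first SYN,ACK is addressed to the client's MAC,
# 1 if it leaves with some other link-layer destination,
# 2 if no SYN,ACK appears in the capture at all.
check_synack_for_client() {
    dst=$(synack_link_dst "$1" | head -n 1)
    [ -n "$dst" ] || return 2
    [ "$dst" = "$2" ]
}

if check_synack_for_client "$SAMPLE_CAPTURE" "$CLIENT_MAC"; then
    echo "SYN,ACK leaves eth0 addressed to the client's MAC ($CLIENT_MAC)"
else
    echo "SYN,ACK leaves eth0 with a different link-layer destination:"
    synack_link_dst "$SAMPLE_CAPTURE" | head -n 1
fi
```

In practice you would feed `tcpdump -nei eth0 -l tcp port 3128` into `synack_link_dst` and compare against the MAC reported by `ip link` on the client. If the frame is addressed to the client's MAC and still never shows up in the client's tcpdump, netfilter on the Shorewall box is not what is eating it; if it is addressed to a different MAC, the box is handing the reply to the wrong host.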


_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users