----- "Tom Eastep" <[email protected]> wrote:

> Then how in $DEITY's name is tcpdump seeing them leaving the Shorewall
> box?
>
> > What methods can I employ to trace these packets and determine where
> > they are being dropped? Alternately, is there an "allow all" switch I
> > can enable to get it working, then trace back what is required to make
> > this work? (bearing in mind that I still need the REDIRECT from
> > 80-3128 for all traffic).
>
> Let's put the Shorewall configuration issue to bed once and for all:
>
> - shorewall clear
> - iptables -t nat -A PREROUTING -p 6 --dport 80 -j REDIRECT --to-port 3128
>
> Now test -- does it work?

Nope.

> If not, I would next use the -e options (e.g., tcpdump -nei eth0 ...) on
> the Shorewall-less box to see what the link layer destination address of
> the SYN,ACK is. Does it match that of the client?

Thank you. This was the info I needed to track it down. The DST address indicated a routing problem. Once I fixed this, it works. I did actually look at this output last night, but missed the incorrect DST MAC.
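The check suggested in this thread (comparing the link-layer destination of each SYN,ACK with the client's MAC) is easy to miss by eye, so here it is scripted as an added example that is not part of the original messages. It assumes the modern `tcpdump -ne` line layout with `Flags [S.]`; the function names, MAC addresses, IP addresses and capture lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag SYN,ACK frames in `tcpdump -ne` output whose link-layer
# destination is not the expected MAC (the client, or the router toward it).

# check_synack_dst EXPECTED_MAC -- reads tcpdump -ne lines on stdin.
# Prints one OK/MISMATCH line per SYN,ACK; returns 1 if any mismatch was seen.
check_synack_dst() {
    awk -v want="$(printf '%s' "$1" | tr 'A-F' 'a-f')" '
        # Assumed format: modern tcpdump prints SYN,ACK as "Flags [S.]".
        /Flags \[S\.\]/ {
            # With -e the line starts: TIME SRC_MAC > DST_MAC, ethertype ...
            dst = tolower($4); sub(/,$/, "", dst)
            # Find the frame "length N:" token; "SRC_IP > DST_IP:" follows it.
            for (i = 5; i <= NF; i++)
                if ($i ~ /^[0-9]+:$/ && $(i-1) == "length") break
            ipdst = $(i+3); sub(/:$/, "", ipdst)
            if (dst == want) {
                print "OK " ipdst " via " dst
            } else {
                print "MISMATCH " ipdst " via " dst " expected " want
                bad = 1
            }
        }
        END { exit bad + 0 }
    '
}

# Constructed sample capture: one SYN, one correct SYN,ACK, and one SYN,ACK
# sent to a different next hop (the kind of routing problem described above).
sample_capture() {
    cat <<'EOF'
10:00:00.000100 00:16:3e:aa:bb:01 > 00:16:3e:aa:bb:fe, ethertype IPv4 (0x0800), length 74: 192.0.2.50.40112 > 198.51.100.7.80: Flags [S], seq 100, win 5840, length 0
10:00:00.000300 00:16:3e:aa:bb:fe > 00:16:3e:aa:bb:01, ethertype IPv4 (0x0800), length 74: 198.51.100.7.80 > 192.0.2.50.40112: Flags [S.], seq 900, ack 101, win 5792, length 0
10:00:01.000300 00:16:3e:aa:bb:fe > 00:16:3e:cc:dd:02, ethertype IPv4 (0x0800), length 74: 198.51.100.7.80 > 192.0.2.50.40113: Flags [S.], seq 950, ack 201, win 5792, length 0
EOF
}

# Live use would be: tcpdump -l -nei eth0 'tcp port 80' | check_synack_dst <client MAC>
sample_capture | check_synack_dst 00:16:3e:aa:bb:01 || true
```

If the client is not on the same segment as the proxy, pass the MAC of the router that should carry the reply toward the client rather than the client's own MAC.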
