I am trying to implement synproxy on my firewall, on a bridge interface (between eth1 and eth2). Here are my rules:
/usr/local/sbin/iptables -t raw -I PREROUTING -i br0 -m physdev --physdev-in eth1 -p tcp -m tcp --syn -j CT --notrack
/usr/local/sbin/iptables -A FORWARD -i br0 -m physdev --physdev-in eth1 -p tcp -m tcp -m state --state INVALID,UNTRACKED -j SYNPROXY --sack-perm --timestamp --wscale 7 --mss 1460
echo 0 > /proc/sys/net/netfilter/nf_conntrack_tcp_loose
I have a client connected to eth1 and an HTTP server (192.168.0.1) connected to eth2.
With these rules, when I try to run curl 192.168.0.1 from the client I get a timeout. It seems that normal TCP requests do not pass through.
When I run tcpdump on br0 I don't see any SYN-ACK or ACK packets. It seems all SYN packets get lost in the SYNPROXY target.
Any ideas?
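As an added example (not part of the original post), here is the generic SYNPROXY recipe from the kernel's netfilter documentation adapted to the bridge described above, written as a script that prints the commands it would run and only applies them when APPLY=1 is set and it runs as root. It takes the bridge name br0, the client-side port eth1 and the iptables path from the post; the rest is the standard recipe. Two points it adds that the post's rules leave out: iptables only sees bridged frames when the br_netfilter module is loaded and net.bridge.bridge-nf-call-iptables is 1, and the SYNPROXY target is normally followed by a rule dropping whatever conntrack still flags INVALID, so that packets which SYNPROXY does not accept are dropped explicitly rather than by accident.

```shell
#!/bin/sh
# Added example, not from the original post: SYNPROXY on a bridge firewall.
# Assumptions: br0 bridges eth1 (untrusted client side) and eth2 (server side),
# iptables lives at /usr/local/sbin/iptables as in the post, and br_netfilter
# is available so the bridge-nf sysctl exists.
set -e

IPT=${IPT:-/usr/local/sbin/iptables}
BRIDGE=${BRIDGE:-br0}
CLIENT_PORT=${CLIENT_PORT:-eth1}   # bridge port the clients arrive on

# Print the ruleset, one command per line, in the order it must be applied.
synproxy_rules() {
    cat <<EOF
modprobe br_netfilter
sysctl -w net.bridge.bridge-nf-call-iptables=1
sysctl -w net.netfilter.nf_conntrack_tcp_loose=0
$IPT -t raw -I PREROUTING -i $BRIDGE -m physdev --physdev-in $CLIENT_PORT -p tcp -m tcp --syn -j CT --notrack
$IPT -A FORWARD -i $BRIDGE -m physdev --physdev-in $CLIENT_PORT -p tcp -m tcp -m conntrack --ctstate INVALID,UNTRACKED -j SYNPROXY --sack-perm --timestamp --wscale 7 --mss 1460
$IPT -A FORWARD -i $BRIDGE -m physdev --physdev-in $CLIENT_PORT -m conntrack --ctstate INVALID -j DROP
EOF
}

# Count how many commands the ruleset contains; useful as a sanity check
# before loading it on a box you cannot easily reach if it locks up.
synproxy_rule_count() {
    synproxy_rules | wc -l | tr -d ' '
}

if [ "${APPLY:-0}" = "1" ]; then
    # Real run: needs root and the bridge already up. sh -e stops at the
    # first failing command so a half-applied ruleset is noticed.
    synproxy_rules | sh -e
else
    # Dry run: show what would be applied.
    synproxy_rules
fi
```

To check what is actually loaded after applying, compare `iptables -t raw -S PREROUTING` and `iptables -S FORWARD` against the printed list; the raw-table `--notrack` rule must be present, otherwise the SYN is tracked normally and the FORWARD rule never matches as UNTRACKED.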