[ale] potential iptables bug [was Re: sanity check]

Daniel Kahn Gillmor dkg at fifthhorseman.net
Mon Dec 3 19:15:42 EST 2007


On Mon 2007-12-03 17:30:13 -0500, James P. Kinney III wrote:

> So the bug appears to be in the DNAT mapping that is supposed to only
> change the destination IP but appears to also change the source IP.
>
> This failure occurs for ssh and mail and http. All internal machines
> report all incoming traffic as originating from the firewall and not
> from the real source.

Can you show the output of:

 iptables -vnL

 iptables -t nat -vnL

on the firewall?  (If you feel the need to anonymize IP addresses,
that's fine, but please keep them distinct from one another --
i.e. don't rewrite 1.2.3.4 as X.X.X.X if you've already written
5.6.7.8 as X.X.X.X.)

thanks,

   --dkg
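Added example, not from the thread: a small Python helper that parses constructed `iptables -t nat -vnL` output and reports which POSTROUTING SNAT/MASQUERADE rules would also rewrite the source address of a DNAT-forwarded inbound connection. It assumes eth0 is the external interface and eth1 the LAN, and that an unscoped source-NAT rule is the cause of the symptom James describes, which the thread itself does not establish.

```python
import ipaddress

# Constructed sample of `iptables -t nat -vnL` output (not the poster's real ruleset).
# eth0 = external interface, eth1 = LAN; port 22 on 203.0.113.5 is DNAT'd to 192.168.1.10.
PREFIX = """\
Chain PREROUTING (policy ACCEPT 10 packets, 600 bytes)
 pkts bytes target     prot opt in     out     source               destination
    5   300 DNAT       tcp  --  eth0   *       0.0.0.0/0            203.0.113.5          tcp dpt:22 to:192.168.1.10:22

Chain POSTROUTING (policy ACCEPT 2 packets, 120 bytes)
 pkts bytes target     prot opt in     out     source               destination
"""
# MASQUERADE with no out-interface: matches LAN-bound forwarded traffic too.
BAD_POST = "   40  2400 MASQUERADE  all  --  *      *       0.0.0.0/0            0.0.0.0/0\n"
# Same rule restricted to the external interface (-o eth0): LAN-bound traffic is untouched.
GOOD_POST = "   40  2400 MASQUERADE  all  --  *      eth0    0.0.0.0/0            0.0.0.0/0\n"
SAMPLE_BAD = PREFIX + BAD_POST
SAMPLE_GOOD = PREFIX + GOOD_POST


def parse_nat_chains(listing):
    """Return {chain_name: [rule dict, ...]} parsed from iptables -vnL text."""
    chains, current = {}, None
    for line in listing.splitlines():
        if line.startswith("Chain "):
            current = line.split()[1]
            chains[current] = []
        elif current and line.strip() and not line.lstrip().startswith("pkts"):
            f = line.split()  # pkts bytes target prot opt in out source destination ...
            chains[current].append({"target": f[2], "proto": f[3], "in": f[5],
                                    "out": f[6], "src": f[7], "dst": f[8]})
    return chains


def _cidr_match(cidr, addr):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(cidr, strict=False)


def source_rewriting_rules(listing, out_if, src, dst):
    """Indices of POSTROUTING rules that would rewrite the source of a forwarded
    packet leaving on out_if from src to dst (e.g. a DNAT'd inbound SSH connection)."""
    hits = []
    for i, r in enumerate(parse_nat_chains(listing).get("POSTROUTING", [])):
        if (r["target"] in ("SNAT", "MASQUERADE")
                and r["out"] in ("*", out_if)
                and _cidr_match(r["src"], src) and _cidr_match(r["dst"], dst)):
            hits.append(i)
    return hits


if __name__ == "__main__":
    # Inbound SSH from 198.51.100.7, already DNAT'd to the LAN host, leaving on eth1.
    for name, text in (("unscoped", SAMPLE_BAD), ("scoped to eth0", SAMPLE_GOOD)):
        print(name, "->", source_rewriting_rules(text, "eth1", "198.51.100.7", "192.168.1.10"))
```

With the unscoped rule the helper reports rule 0, which is exactly the condition under which the LAN host sees the firewall as the source; with `-o eth0` it reports nothing.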