On Wed, Oct 09, 2024 at 12:30:00PM +0200, Peter Andersson wrote:
> Hi!
>
> I'm having a problem that I can't get my head around.
> We have a webserver that runs both http and https. I have no problems
> connecting to it from external networks. But when I try to connect to it
> locally via https I get the following kernel error:
>
> IPv4: host 10.10.10.238/if3 ignores redirects for 10.10.10.90 to 10.10.10.90

That says that the gateway thinks that the .238 host (the client browser)
should have connected directly to the .90 host, rather than expecting the
gateway to forward the packet. Maybe because the client thinks its subnet is
smaller (/32) than the gateway's (?). Anyway, I think it means that the
gateway sent an ICMP redirect to the client, but the client continued to send
more packets to the gateway to be forwarded.

That's not surprising; I don't think it's an 'error', and it may not be the
cause of your problem.

You should probably add logging to be sure the rules are hit as you expect:

DNAT:info:http [...]
DNAT:info:https [...]

I'd also suggest running tcpdump on the .90 host, to see whether the packets
are being received, and with what source address, and whether they're being
replied to.

And: are you sure these ACCEPT rules aren't being hit *instead* of the DNAT
rules to the .90 host (from net and not from loc)?

> #Web
> ACCEPT net fw tcp 80
> ACCEPT net fw tcp 443
> #Web(DNAT) net lan:10.10.10.90
> DNAT net lan:10.10.10.90:80 tcp 80 -
> DNAT net lan:10.10.10.90:443 tcp 443 -
> DNAT net lan:10.10.10.55:8081 tcp 8081 -
>
> #Allow local web
> DNAT lan lan:10.10.10.90 tcp 80 - 1.1.1.1
> DNAT gw lan:10.10.10.90 tcp 80 - 1.1.1.1
>
> #Web local SSL
> DNAT lan lan:10.10.10.90 tcp 443 - 1.1.1.1
> DNAT gw lan:10.10.10.90 tcp 443 - 1.1.1.1

--
Justin

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
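An added example, not code from this thread or from the Shorewall project, of how to read the logging Justin suggests: once the DNAT rules carry a log level and tag (the `DNAT:info:https` form above), each hit shows up in the kernel log as a netfilter LOG line, and the script below answers the two questions in the reply (which disposition, DNAT or ACCEPT, each flow from the client actually hit, and whether the gateway also logged an "ignores redirects" warning for that client). The log lines are constructed, the addresses 203.0.113.5 and the `Shorewall:<chain>:<disposition>:<tag>:` prefix layout are assumptions, and the parser only relies on the standard `SRC=`/`DST=`/`DPT=` key=value fields, so the exact prefix format does not matter.

```python
"""Summarise netfilter LOG lines per client flow (added example, not Shorewall code).

Assumptions: syslog lines of the form "... kernel: <prefix>IN=... SRC=... DPT=..."
where <prefix> is whatever the firewall's LOG rule emits; the sample prefixes
below follow a Shorewall-style "Shorewall:<chain>:<disposition>:<tag>:" layout,
but only the key=value fields are needed.
"""
import re
from collections import Counter

# Constructed sample log (not a real capture). Port 80 from the LAN client hits
# the DNAT rule, port 443 from the same client hits an ACCEPT rule instead,
# an external client hits DNAT for 443, and the kernel logs the redirect warning.
SAMPLE_LOG = """\
Oct  9 12:31:02 gw kernel: Shorewall:lan_dnat:DNAT:http:IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.10.10.238 DST=1.1.1.1 LEN=60 PROTO=TCP SPT=51234 DPT=80 SYN
Oct  9 12:31:04 gw kernel: Shorewall:net2fw:ACCEPT:IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.10.10.238 DST=1.1.1.1 LEN=60 PROTO=TCP SPT=51240 DPT=443 SYN
Oct  9 12:31:05 gw kernel: Shorewall:net_dnat:DNAT:https:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=1.1.1.1 LEN=60 PROTO=TCP SPT=40000 DPT=443 SYN
Oct  9 12:31:06 gw kernel: IPv4: host 10.10.10.238/if3 ignores redirects for 10.10.10.90 to 10.10.10.90
"""

# Rule dispositions we expect to find somewhere in a log prefix.
DISPOSITIONS = {"ACCEPT", "DROP", "REJECT", "DNAT", "REDIRECT"}

NETFILTER_RE = re.compile(r"kernel: (?P<prefix>.*?)\s*(?P<kv>IN=.*)$")
REDIRECT_RE = re.compile(
    r"IPv4: host (?P<host>[\d.]+)/(?P<iface>\S+) ignores redirects for "
    r"(?P<dst>[\d.]+) to (?P<gw>[\d.]+)"
)


def parse_netfilter_line(line):
    """Return {'prefix': ..., 'IN': ..., 'SRC': ..., ...} for a LOG line, else None."""
    m = NETFILTER_RE.search(line)
    if not m:
        return None
    # Standard netfilter fields are KEY=value; bare flags such as SYN are ignored.
    fields = dict(re.findall(r"([A-Z]+)=(\S*)", m.group("kv")))
    return {"prefix": m.group("prefix").strip(), **fields}


def disposition_of(prefix):
    """Pick the rule disposition out of the log prefix, wherever it sits."""
    for part in prefix.split(":"):
        if part in DISPOSITIONS:
            return part
    return None


def parse_redirect_warning(line):
    """Parse the kernel's 'ignores redirects' message into its addresses, else None."""
    m = REDIRECT_RE.search(line)
    return m.groupdict() if m else None


def flow_report(log_text, client, dport):
    """Count which (disposition, DST) pairs logged TCP flows from client to dport,
    and collect any redirect warnings that name the same client."""
    hits = Counter()
    redirects = []
    for line in log_text.splitlines():
        entry = parse_netfilter_line(line)
        if entry is not None:
            if entry.get("SRC") == client and entry.get("DPT") == str(dport):
                hits[(disposition_of(entry["prefix"]), entry.get("DST"))] += 1
            continue
        warn = parse_redirect_warning(line)
        if warn and warn["host"] == client:
            redirects.append(warn)
    return {"hits": dict(hits), "redirects": redirects}


if __name__ == "__main__":
    for port in (80, 443):
        report = flow_report(SAMPLE_LOG, "10.10.10.238", port)
        print(f"client 10.10.10.238 -> :{port}")
        for (disp, dst), n in report["hits"].items():
            print(f"  {n} x {disp} towards {dst}")
        for w in report["redirects"]:
            print(f"  redirect warning: {w['host']} ignores redirect for {w['dst']} via {w['gw']}")
```

Run against real syslog output, a flow that shows up under ACCEPT rather than DNAT for port 443 is exactly the "hit instead of the DNAT rule" case the reply asks about; if the client's flows do not appear at all, the packets never reached the logged rule and the tcpdump on the .90 host is the next thing to look at.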