ICS и заворачивание пакетов

[Klubnikin]

Здравствуйте, подскажите пожалуйста почему маршрутизация идет как через прокси, так и мимо него?

(Нажмите, чтобы показать/скрыть)

iptables -t nat -F
iptables -t filter -F
iptables -t mangle -F
iptables -t nat -A PREROUTING -i eth1 -p tcp -m multiport --dport 80,8080 -j REDIRECT --to-ports 3128
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -P FORWARD DROP
iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate NEW ! -i eth0 -j ACCEPT
iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
iptables -P INPUT DROP
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT ! -i eth0 -j ACCEPT
iptables -A INPUT -p tcp -m multiport --dports 22,80,447,110,25 -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT

До этого правило
iptables -t nat -A PREROUTING -i eth1 -p tcp -m multiport --dport 80,8080 -j REDIRECT --to-ports 3128  работало четко

(Нажмите, чтобы показать/скрыть)

# Generated by iptables-save v1.4.4 on Fri Sep 10 10:49:55 2010
*mangle
:PREROUTING ACCEPT [2706:1012276]
:INPUT ACCEPT [2686:1010758]
:FORWARD ACCEPT [20:1518]
:OUTPUT ACCEPT [3049:1758527]
:POSTROUTING ACCEPT [3136:1768791]
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Fri Sep 10 10:49:55 2010
# Generated by iptables-save v1.4.4 on Fri Sep 10 10:49:55 2010
*filter
:INPUT DROP [173:22066]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [3080:1761239]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT ! -i eth0 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 22,80,447,110,25 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD ! -i eth0 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
# Completed on Fri Sep 10 10:49:55 2010
# Generated by iptables-save v1.4.4 on Fri Sep 10 10:49:55 2010
*nat
:PREROUTING ACCEPT [188:21176]
:POSTROUTING ACCEPT [18:2390]
:OUTPUT ACCEPT [100:7944]
-A PREROUTING -i eth1 -p tcp -m multiport --dports 80,8080 -j REDIRECT --to-ports 3128
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Fri Sep 10 10:49:55 2010

На проксе стоит squid

Заранее спасибо

[Mam(O)n]

так и мимо него?

Потому, что:

-A FORWARD ! -i eth0 -m conntrack --ctstate NEW -j ACCEPT

[Klubnikin]

Мерсибо большое. Выручил здорово.