<div>Gday</div>
<div> </div>
<div>Hello one of my server FC11 x64 bit running Tproxy with combination of iptables + ebtables rules during peek hours machine was rash with given such as error "kernel panic " . when i replace tproxy with netfilter and remove ebtables rules just use simple iptables with NAT rules everything was fine. anyone faced this issue before ? find below my configuration </div>
<div> </div>
<div> </div>
<div> </div>
<div> </div>
<div>Kernel =2.6.29.6-217.2.8.fc11.x86_64</div>
<div>O/S= FC 11 x64 Intel based </div>
<div>iptables= v1.4.3.1</div>
<div>ebtables= v2.0.9-1</div>
<div> </div>
<div>firewall.conf</div>
<div> </div>
<div>#!/bin/sh</div>
<div>IPTABLES=/sbin/iptables<br>EBTABLES=/sbin/ebtables</div>
<div>EXTDEV="eth0"<br>INTDEV="eth1"<br>SERVERIP="xxx.xxx.xxx.15"<br><br>${EBTABLES} -t broute -F<br>${EBTABLES} -t broute -A BROUTING -i $EXTDEV -p ipv4 --ip-protocol tcp --ip-source-port 80 -j redirect --redirect-target DROP<br>
${EBTABLES} -t broute -A BROUTING -i $INTDEV -p ipv4 --ip-protocol tcp --ip-destination-port 80 -j redirect --redirect-target DROP</div>
<div> </div>
<div>${IPTABLES} -F<br>${IPTABLES} -F -t nat<br>${IPTABLES} -F -t mangle</div>
<div>${IPTABLES} -v -t mangle -N DIVERT<br>${IPTABLES} -v -t mangle -A DIVERT -j MARK --set-mark 1<br>${IPTABLES} -v -t mangle -A DIVERT -j ACCEPT</div>
<div>${IPTABLES} -v -t mangle -A PREROUTING -p tcp -m socket -j DIVERT<br>${IPTABLES} -v -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129<br></div>
<div> </div>
<div>${IPTABLES} -I INPUT -s $SERVERIP -i br0 -j REJECT</div>
<div>${IPTABLES} -A INPUT -m state --state INVALID -j DROP<br>${IPTABLES} -A INPUT -s xxx.xxx.xxx.0/24 -j ACCEPT<br>${IPTABLES} -I INPUT -i lo -j ACCEPT<br>${IPTABLES} -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT<br>
${IPTABLES} -A INPUT -j DROP</div>
<div> </div>
<div>ip rule add fwmark 1 lookup 100<br>ip route add local <a href="http://0.0.0.0/0">0.0.0.0/0</a> dev lo table 100</div>
<div><br>sysctl -w net.ipv4.ip_nonlocal_bind=1<br>sysctl -w net.ipv4.ip_forward=1<br></div>
<div> </div>