ESET Online Help


Web access protection and iptables

Issue

Web access protection uses nftables to redirect outgoing connections to our scanner, where we scan HTTP traffic.

Some customers have observed that WAP interferes with their iptables NAT rules on distributions whose kernel is earlier than 4.18, for example CentOS 7. The cause is a bug in these earlier Linux kernels, which do not support concurrent NAT rules in both iptables and nftables. See the NAT incompatibilities.


note

CentOS 7 will reach End of Life in June 2024.

Workaround 1

Use a Linux distribution with kernel 4.18 or later, for example Rocky Linux 8.

Workaround 2

Transform your iptables rules to nftables. See the moving from iptables to nftables article. To ensure that your NAT output chain is applied before the WAP chain for outgoing connections, give it a priority number lower than or equal to "-102", because the WAP output NAT chain has a priority of "-101" (nftables evaluates base chains on the same hook in ascending priority order).
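As an added check (not ESET's code), a small Python script that parses `nft list ruleset` text and flags any NAT output chain whose priority is above -102, so it would run after the WAP chain. The sample ruleset is constructed; `wap_placeholder` stands in for the WAP table, whose real name this page does not give.

```python
import re
# nft's named priorities (from nft(8)); numeric priorities are also accepted.
NAMED_PRIORITIES = {"raw": -300, "mangle": -150, "dstnat": -100,
                    "filter": 0, "security": 50, "srcnat": 100}
# The WAP output NAT chain sits at -101 (per this page), so a customer's
# NAT output chain must be at -102 or lower to be applied first.
REQUIRED_MAX_PRIORITY = -102

TABLE_RE = re.compile(r"^\s*table\s+\w+\s+(\S+)\s*\{")
CHAIN_RE = re.compile(r"^\s*chain\s+(\S+)\s*\{")
HOOK_RE = re.compile(r"type\s+(\w+)\s+hook\s+(\w+)\s+priority\s+(-?\w+)\s*;")

# Constructed sample in `nft list ruleset` form; "wap_placeholder" stands in for
# the WAP table (real name not on the page) and {prio} is the customer's choice.
SAMPLE_RULESET = """\
table ip customer_nat {{
\tchain output {{
\t\ttype nat hook output priority {prio}; policy accept;
\t\tip daddr 10.0.0.0/8 tcp dport 80 dnat to 10.0.0.5:8080
\t}}
}}
table ip wap_placeholder {{
\tchain output {{
\t\ttype nat hook output priority -101; policy accept;
\t}}
}}
"""

def parse_priority(token):
    """'-102' -> -102, 'dstnat' -> -100."""
    return int(token) if token.lstrip("-").isdigit() else NAMED_PRIORITIES[token]

def base_chains(ruleset_text):
    """Yield (table, chain, type, hook, priority) for every base chain."""
    table = chain = None
    for line in ruleset_text.splitlines():
        if m := TABLE_RE.match(line):
            table = m.group(1)
        elif m := CHAIN_RE.match(line):
            chain = m.group(1)
        elif m := HOOK_RE.search(line):
            yield table, chain, m.group(1), m.group(2), parse_priority(m.group(3))

def late_nat_output_chains(ruleset_text, wap_table):
    """NAT output chains outside WAP's table that would run after WAP's (priority > -102)."""
    return [(t, c, p) for t, c, typ, hook, p in base_chains(ruleset_text)
            if typ == "nat" and hook == "output" and t != wap_table
            and p > REQUIRED_MAX_PRIORITY]
```

Feed it the output of `nft list ruleset` from the host; an empty result means every NAT output chain of yours is ordered ahead of the WAP redirect.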


If neither workaround is possible, you have to disable web access protection to let iptables NAT work (not recommended).