PaulDotCom mailing list archives

transparent proxy and iptables failing


From: william.metcalf at gmail.com (Will Metcalf)
Date: Wed, 7 Oct 2009 06:50:01 -0500

On Wed, Oct 7, 2009 at 3:18 AM, Robin Wood <dninja at gmail.com> wrote:
I'm trying to setup a transparent proxy so I've got a linux device
with two NICs which are bridged using brctl. Traffic flows happily
across the bridge so I know it is working fine.

Now when I try to setup the iptables rules they are being ignored. The
rule I want to use is:

iptables -t nat -A PREROUTING -i br-lan -p tcp --dport 80 -j REDIRECT --to-port 3128

Hmmm I would suggest you use --physdev-in here instead of -i....
iptables -t nat -A PREROUTING -m physdev --physdev-in eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128

but nothing gets redirected. I've also tried changing 3128 to a port
that is closed to see what would happen, nothing, the packets kept
flowing.

Have you allowed this traffic to your local host via input i.e.

iptables -A INPUT -m state --state NEW -p tcp --dport 3128 -j ACCEPT

This assumes somewhere in your input chain you have something like......
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

I've also tried clearing the list and then adding

iptables -t nat -A PREROUTING -i br-lan -p tcp --dport 80 -j DROP

which should kill all web traffic but it doesn't. As a last resort I tried

iptables -t nat -A PREROUTING -i br-lan -p tcp -j DROP

which should kill all TCP traffic but again, nothing.

What am I doing wrong?


Traffic moving across the bridge moves across the forward chain,
additionally if you want to filter traffic based on a physical
interface you have to use physdev so something like...

iptables -A FORWARD -p tcp --dport 80 -m physdev --physdev-in eth1 --physdev-out eth0 -j DROP


Robin
_______________________________________________
Pauldotcom mailing list
Pauldotcom at mail.pauldotcom.com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
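The advice in this reply pulled together as one script. This is an added example, not code from the thread or from either poster; it assumes a bridge whose client-side NIC is eth1, upstream NIC eth0, and a proxy on port 3128 (all overridable via environment variables), and it only prints the iptables commands unless run with --apply. It also adds one check the thread does not mention: iptables only sees bridged frames when the bridge netfilter hook (net.bridge.bridge-nf-call-iptables) is enabled.

```shell
#!/bin/sh
# Transparent-proxy rules for a two-NIC Linux bridge, following the
# thread's advice: match on the physical port with physdev rather than
# -i br-lan, REDIRECT in nat/PREROUTING, and open the proxy port in INPUT.
set -eu

LAN_IF=${LAN_IF:-eth1}        # assumed: bridge port facing the clients
WAN_IF=${WAN_IF:-eth0}        # assumed: bridge port facing upstream
PROXY_PORT=${PROXY_PORT:-3128}
APPLY=0

# Run iptables for real only under --apply; otherwise print the command.
ipt() {
    if [ "$APPLY" = 1 ]; then
        iptables "$@"
    else
        printf 'iptables'; printf ' %s' "$@"; printf '\n'
    fi
}

# Check not raised in the thread: bridged frames bypass iptables entirely
# when bridge-nf-call-iptables is 0. Returns 1 only if it is known to be off.
bridge_nf_enabled() {
    f=/proc/sys/net/bridge/bridge-nf-call-iptables
    [ -r "$f" ] || return 0    # bridge module not loaded here; cannot tell
    [ "$(cat "$f")" = 1 ]
}

setup_transparent_proxy() {
    # Replies to the proxy's clients, then new connections to the proxy port.
    ipt -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    ipt -A INPUT -m state --state NEW -p tcp --dport "$PROXY_PORT" -j ACCEPT
    # Redirect client HTTP to the local proxy, keyed on the physical port.
    ipt -t nat -A PREROUTING -m physdev --physdev-in "$LAN_IF" \
        -p tcp --dport 80 -j REDIRECT --to-port "$PROXY_PORT"
    # Bridged traffic traverses FORWARD: any port-80 flow that was not
    # redirected is dropped rather than silently passed around the proxy.
    ipt -A FORWARD -p tcp --dport 80 -m physdev --physdev-in "$LAN_IF" \
        --physdev-out "$WAN_IF" -j DROP
}

[ "${1:-}" = --apply ] && APPLY=1
bridge_nf_enabled || echo "warning: bridge-nf-call-iptables is 0; bridged traffic will bypass iptables" >&2
setup_transparent_proxy
```

Run it once without arguments to review the rule set, then with --apply as root on the bridge host.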
