PaulDotCom mailing list archives
Re: need iptables help
From: Hans Kokx <skipmeister123 () gmail com>
Date: Wed, 26 Dec 2012 09:21:33 -0500
http://ebtables.sourceforge.net/br_fw_ia/br_fw_ia.html#section6

-- 
Hans Kokx

On Wednesday, December 26, 2012 at 9:19 AM, Robin Wood wrote:

> On Dec 26, 2012 2:11 PM, "Hans Kokx" <skipmeister123 () gmail com> wrote:
>
> > I don't think that's true, Robin. When I worked at Barracuda, I supported their web filter. It had a bridged interface, exclusively. It also used iptables for all the rules.
>
> If you can suggest a working rule I'll happily be proved wrong. From reading about ebtables it operates at a lower level so can hit the bridge.
>
> Robin
>
> > -- 
> > Hans Kokx
> >
> > On Wednesday, December 26, 2012 at 4:11 AM, Robin Wood wrote:
> >
> > > On Dec 26, 2012 4:41 AM, "Nik" <foringer () gmail com> wrote:
> > >
> > > > You can create a bridge interface with "brctl" and manage traffic on it with iptables...
> > >
> > > I'm looking for the rule to do what I need; everything else is already in place. As far as I can tell iptables doesn't work on bridges.
> > >
> > > Robin
> > >
> > > > 2012/12/24 Robin Wood <robin () digininja org>:
> > > >
> > > > > On 24 December 2012 18:09, Robin Wood <robin () digininja org> wrote:
> > > > >
> > > > > > On 23 December 2012 23:50, Robin Wood <robin () digininja org> wrote:
> > > > > >
> > > > > > > Hi,
> > > > > > >
> > > > > > > I need an iptables rule that will catch all traffic going over a network bridge and send anything destined to port 80 to 8080. As the proxy that will be listening on port 8080 will modify some traffic to make it request from the IP of the local machine, I'll need the rule to ignore requests to port 80 on the IP of the localhost.
> > > > > > >
> > > > > > > This is what I tried, as this works with IP forwarding for things like ARP spoofing, but this doesn't work in this instance, I think because there is no routing going on; the traffic is just being passed straight through.
> > > > > > >
> > > > > > > iptables -t nat -A PREROUTING -p tcp --destination-port 80 ! -d <local-IP> -j REDIRECT --to-port 8080
> > > > > > >
> > > > > > > With this rule in place, if I drop the -d I can get pages being requested from the web server on the local machine to be bounced through the proxy.
> > > > > > >
> > > > > > > How do I do it?
> > > > > > >
> > > > > > > Got a few good tools going to be based on this if I can get it to work.
> > > > > >
> > > > > > A few people have suggested things but none have worked so far.
> > > > > >
> > > > > > To work out which chain will affect things I've just tried the following:
> > > > > >
> > > > > > iptables -A INPUT -p tcp --dport 80 -j DROP
> > > > > > iptables -A OUTPUT -p tcp --dport 80 -j DROP
> > > > > > iptables -A FORWARD -p tcp --dport 80 -j DROP
> > > > > >
> > > > > > Which I think should drop all traffic heading towards port 80, but even with those rules in place I'm still able to surf through the bridge.
> > > > > >
> > > > > > From a previous project I have a feeling that having iptables affect bridge traffic is hard. If the device was routing traffic then the above rules should work, but as it is just bridging then it isn't working.
> > > > > >
> > > > > > Robin
> > > > >
> > > > > I've remembered what I should be doing, I need ebtables not iptables.
> > > > >
> > > > > http://ebtables.sourceforge.net/br_fw_ia/br_fw_ia.html
> > > > >
> > > > > That should get me in the middle.
> > > > >
> > > > > Robin

_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
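The part of the thread that matters to anyone running a firewall on a Linux bridge is Robin's observation that DROP rules in INPUT, OUTPUT and FORWARD had no effect on traffic crossing the bridge. Frames forwarded by a bridge are handled at layer 2; they only enter the iptables chains when the br_netfilter hook is active (sysctl net.bridge.bridge-nf-call-iptables set to 1), otherwise filter rules are silently bypassed and only ebtables applies. The following is an added example, not code from the thread or from the ebtables project: a small POSIX shell audit that reads that sysctl node (accepting a file path so it can be exercised against a constructed file) and flags FORWARD rules from an iptables-save dump that cannot match bridged frames in the current state. The sysctl node path is the real kernel one; the rules dump and sysctl contents below are constructed samples that mirror the rules Robin tried.

```shell
#!/bin/sh
# Added example (not from the thread): audit whether iptables on a Linux
# bridge host can see bridged frames at all. Without the br_netfilter hook
# (sysctl net.bridge.bridge-nf-call-iptables = 1) frames forwarded by a
# bridge stay at layer 2 and never traverse the INPUT/FORWARD/OUTPUT chains,
# so filter rules there are silently bypassed; ebtables is what applies at
# that layer.

# bridge_nf_state [FILE]: prints enabled|disabled|absent|unknown.
# FILE defaults to the live sysctl node; passing a path lets the check run
# against a constructed file.
bridge_nf_state() {
    f="${1:-/proc/sys/net/bridge/bridge-nf-call-iptables}"
    if [ ! -r "$f" ]; then
        echo "absent"          # br_netfilter not loaded: iptables is bypassed
        return 0
    fi
    case "$(tr -d '[:space:]' < "$f")" in
        1) echo "enabled" ;;   # bridged IPv4 frames traverse iptables
        0) echo "disabled" ;;  # module loaded, hook off: still bypassed
        *) echo "unknown" ;;
    esac
}

# dead_bridge_rules STATE RULES_FILE: prints the FORWARD-chain rules from an
# iptables-save dump that cannot match bridged traffic in the given state.
# (INPUT/OUTPUT rules never see transit frames anyway, so only FORWARD is
# reported.)
dead_bridge_rules() {
    state="$1"; rules="$2"
    if [ "$state" = "enabled" ]; then
        return 0               # rules are live; nothing to report
    fi
    grep -E '^-A FORWARD ' "$rules" || true
}

# Constructed sample inputs mirroring the rules tried in the thread.
SAMPLE_RULES="$(mktemp)"
cat > "$SAMPLE_RULES" <<'EOF'
*filter
-A INPUT -p tcp -m tcp --dport 80 -j DROP
-A OUTPUT -p tcp -m tcp --dport 80 -j DROP
-A FORWARD -p tcp -m tcp --dport 80 -j DROP
COMMIT
EOF
SAMPLE_SYSCTL_OFF="$(mktemp)"
echo 0 > "$SAMPLE_SYSCTL_OFF"

# Run the audit against the constructed files. On a live host call
# bridge_nf_state with no argument and feed it the output of iptables-save.
state="$(bridge_nf_state "$SAMPLE_SYSCTL_OFF")"
echo "bridge-nf-call-iptables: $state"
dead_bridge_rules "$state" "$SAMPLE_RULES" | sed 's/^/bypassed on bridge: /'
```

On a host where the module is missing the first function reports "absent", which is the situation Robin describes: the bridge passes port-80 traffic straight through regardless of the DROP rules. Enabling the hook makes iptables see bridged IPv4 frames, at the cost of every bridged packet now traversing the IP tables; the alternative is to keep the policy in ebtables, which matches at the layer the bridge actually works on.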