PaulDotCom mailing list archives
transparent proxy and iptables failing
From: dninja at gmail.com (Robin Wood)
Date: Wed, 7 Oct 2009 16:56:02 +0100
2009/10/7 Will Metcalf <william.metcalf at gmail.com>:
> On Wed, Oct 7, 2009 at 3:18 AM, Robin Wood <dninja at gmail.com> wrote:
>> I'm trying to set up a transparent proxy, so I've got a Linux device with two NICs which are bridged using brctl. Traffic flows happily across the bridge so I know it is working fine. Now when I try to set up the iptables rules they are being ignored. The rule I want to use is:
>>
>> iptables -t nat -A PREROUTING -i br-lan -p tcp --dport 80 -j REDIRECT --to-port 3128
>
> Hmmm, I would suggest you use --physdev-in here instead of -i.... ?
>
> iptables -t nat -A PREROUTING -m physdev --physdev-in eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128

I've tried it without the -i as well, if that makes a difference. I'll try with this physdev next time.

>> but nothing gets redirected. I've also tried changing 3128 to a port that is closed to see what would happen; nothing, the packets kept flowing.
>
> Have you allowed this traffic to your local host via input, i.e.
>
> iptables -A INPUT -m state --state NEW -p tcp --dport 3128 -j ACCEPT
>
> This assumes somewhere in your input chain you have something like...
>
> iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

No, but if the rule was working the DROP would discard all traffic and it doesn't, which implies the theory is wrong.

>> I've also tried clearing the list and then adding
>>
>> iptables -t nat -A PREROUTING -i br-lan -p tcp --dport 80 -j DROP
>>
>> which should kill all web traffic but it doesn't. As a last resort I tried
>>
>> iptables -t nat -A PREROUTING -i br-lan -p tcp -j DROP
>>
>> which should kill all TCP traffic but again, nothing. What am I doing wrong?
>
> Traffic moving across the bridge moves across the forward chain. Additionally, if you want to filter traffic based on a physical interface you have to use physdev, so something like...
>
> iptables -A FORWARD -p tcp --dport 80 -m physdev --physdev-in eth1 --physdev-out eth0 -j DROP

What is this doing? It looks like a mix of routing port 80 from eth1 to eth0 but then also dropping the traffic.

Robin
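A quick way to settle the "are my rules being ignored?" question in this thread is to read the per-rule packet counters rather than watching whether traffic still flows. The script below is an added example, not code from the thread: it parses the output of `iptables -t nat -L PREROUTING -v -n -x` (the sample output is constructed) and explains each rule that has never matched, using the thread's suggestion that a bridged path is matched with `-m physdev` rather than `-i`.

```python
# Added example: flag nat PREROUTING rules whose packet counters never move.
# Run `iptables -t nat -L PREROUTING -v -n -x` and feed its output to
# parse_chain(); SAMPLE below is constructed to look like that output.

SAMPLE = """\
Chain PREROUTING (policy ACCEPT 1532 packets, 97812 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0          0 REDIRECT   tcp  --  br-lan *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 redir ports 3128
     418      25080 REDIRECT   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-in eth1 tcp dpt:80 redir ports 3128
"""


def parse_chain(text):
    """Return one dict per rule line; the 'Chain ...' and header lines are skipped."""
    rules = []
    for line in text.splitlines():
        # Columns: pkts bytes target prot opt in out source destination [match text]
        parts = line.split(None, 9)
        if len(parts) < 9 or not parts[0].isdigit():
            continue
        rules.append({
            "pkts": int(parts[0]), "bytes": int(parts[1]), "target": parts[2],
            "proto": parts[3], "in": parts[5], "out": parts[6],
            "match": parts[9] if len(parts) > 9 else "",
        })
    return rules


def diagnose(rules):
    """One note per zero-hit rule, following the thread's advice on bridges."""
    notes = []
    for n, r in enumerate(rules, 1):
        if r["pkts"]:
            continue                      # counter moved, so the rule does match
        if r["in"] != "*" and "PHYSDEV" not in r["match"]:
            notes.append(f"rule {n}: 0 hits, matches -i {r['in']}; on a bridged "
                         f"path match the port with -m physdev --physdev-in instead")
        else:
            notes.append(f"rule {n}: 0 hits; confirm bridged frames are handed to "
                         f"iptables at all (net.bridge.bridge-nf-call-iptables=1)")
    return notes


if __name__ == "__main__":
    for note in diagnose(parse_chain(SAMPLE)):
        print(note)
```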