transparent proxy and iptables failing

[bcg at struxural.com (Ben Greenfield)]

I don't see why you would net ebtables for this, I do this with
iptables and bridge-utils without a problem.  I'm curious what your
routing table looks like, as for my setup the routing is integral to
this, and it didn't work until I added what seemed like a gratuitous
route to me.  I just looked at my config, and other than the bridge
name I'm using an identical IP tables command.  If you want I'd be
happy to provide the script that controls my iptables firewall that
has a virtual DMZ, WAN, and LAN interfaces.

Do you mind posting the output of /sbin/route?  It will probably help
us figure this out.


On Wed, Oct 7, 2009 at 12:57 PM, Robin Wood <dninja at gmail.com> wrote:
> 2009/10/7 Will Metcalf <william.metcalf at gmail.com>:
> > iptables should work fine for this, I'm doing exactly what you are
> > tying to accomplish in multiple places.
> >
> > try these rules... where eth0 should be replaced with the interface
> > that your port 80 traffic comes in on..
> >
> > #redirect web traffic to proxy
> > iptables -t nat -A PREROUTING -m physdev --physdev-in eth0 -p tcp
> > --dport 80 -j REDIRECT --to-port 3128
> >
> > #accept the redirected traffic
> > iptables -A INPUT -p tcp --dport 3128 -j ACCEPT
> > iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> >
> > #allow all other traffic to move across the bridge
> > ?iptables -A FORWARD -j ACCEPT
>
> OK, I'm building the physdev kernel module and will give it a try.
>
> Robin
> _______________________________________________
> Pauldotcom mailing list
> Pauldotcom at mail.pauldotcom.com
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com