PaulDotCom mailing list archives
transparent proxy and iptables failing
From: chris at mewett.net (chris mewett)
Date: Wed, 14 Oct 2009 13:23:58 +1100
Hi Robin,

If you forgive a question from a list newbie, is there a reason you need to bridge? Just looking at the tables, it would be counter-intuitive for layer 3 names (pre/post routing) to do anything if the network interfaces are forwarding based on layer 2.

Regards,
Chris.

On 14/10/2009, Robin Wood <dninja at gmail.com> wrote:
> 2009/10/7 Will Metcalf <william.metcalf at gmail.com>:
>> iptables should work fine for this, I'm doing exactly what you are trying to accomplish in multiple places. Try these rules... where eth0 should be replaced with the interface that your port 80 traffic comes in on..
>>
>> #redirect web traffic to proxy
>> iptables -t nat -A PREROUTING -m physdev --physdev-in eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
>> #accept the redirected traffic
>> iptables -A INPUT -p tcp --dport 3128 -j ACCEPT
>> iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
>> #allow all other traffic to move across the bridge
>> iptables -A FORWARD -j ACCEPT
>
> I've finally found some time to get back to this. After messing around to get physdev working on openwrt I set up rules similar to the above, but just to test it I went for DROPing the traffic rather than trying to redirect. Unfortunately it doesn't work. The rules I have in place are
>
> # iptables -L -t nat -v
> Chain PREROUTING (policy ACCEPT 92 packets, 5978 bytes)
>  pkts bytes target  prot opt in   out  source    destination
>     0     0 DROP    tcp  --  any  any  anywhere  anywhere     PHYSDEV match --physdev-in br-lan tcp dpt:80
>     0     0 DROP    tcp  --  any  any  anywhere  anywhere     PHYSDEV match --physdev-in eth0.1 tcp dpt:80
>     0     0 DROP    tcp  --  any  any  anywhere  anywhere     PHYSDEV match --physdev-in eth0.0 tcp dpt:80
>
> None of them are picking up any web traffic. I've found if I create this rule then the device itself can't access any web traffic but web traffic can still travel over the bridge
>
> # iptables -t nat -A POSTROUTING -p tcp --dport 80 -j DROP
>
> Doing the same thing on PREROUTING doesn't work
>
> # iptables -t nat -A PREROUTING -p tcp --dport 80 -j DROP
>
> I'm now going to move over to trying the various techniques suggested with ebtables but if you can suggest anything else to try with this please let me know.
>
> Robin
> _______________________________________________
> Pauldotcom mailing list
> Pauldotcom at mail.pauldotcom.com
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com

--
Chris Mewett
chris at mewett.net
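An added example, written for this archive page and not posted by anyone in the thread: a small POSIX shell script that emits Will's four rules for a chosen bridge port and proxy port, checks the prerequisite the thread never spells out (bridged frames only reach iptables when net.bridge.bridge-nf-call-iptables is 1, i.e. br_netfilter is active; the sysctl path is a parameter so the check can be exercised against a test file), and counts zero-hit rules in `iptables -L -t nat -v` output of the kind Robin pasted. The interface and port names are the thread's own; nothing here was run on Robin's openwrt box.

```shell
#!/bin/sh
# Added example, not code from the thread. Emits the rules from Will's
# message for a chosen bridge port and proxy port, and adds two checks
# a practitioner would run before blaming the rules themselves.

# Print the four rules; IN_IF is the bridge port carrying client traffic.
proxy_rules() {
    in_if="$1"; proxy_port="$2"
    cat <<EOF
iptables -t nat -A PREROUTING -m physdev --physdev-in $in_if -p tcp --dport 80 -j REDIRECT --to-port $proxy_port
iptables -A INPUT -p tcp --dport $proxy_port -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -j ACCEPT
EOF
}

# Bridged frames only traverse the iptables nat/filter hooks when
# net.bridge.bridge-nf-call-iptables is 1 (br_netfilter loaded). The
# path is a parameter so the check can be exercised against a test file.
bridge_nf_enabled() {
    f="${1:-/proc/sys/net/bridge/bridge-nf-call-iptables}"
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# Read `iptables -L -t nat -v` output on stdin and print how many rules
# have a zero packet counter: rules that never match while traffic is
# known to be crossing the bridge are the symptom Robin describes.
zero_hit_rules() {
    awk '$1 ~ /^[0-9]+$/ && $1 == 0 { n++ } END { print n + 0 }'
}

# Stand-alone use: show the rules and report on the live sysctl.
proxy_rules "${1:-eth0}" "${2:-3128}"
if bridge_nf_enabled; then
    echo "bridge-nf-call-iptables=1: bridged traffic will reach these rules"
else
    echo "bridge-nf-call-iptables is not 1 (or br_netfilter not loaded): PREROUTING will not see bridged frames"
fi
```

Pipe the live table in with `iptables -L -t nat -v | zero_hit_rules` after some client web traffic has crossed the bridge; a non-zero count together with a disabled sysctl points at the bridge hook rather than the rule syntax.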