PaulDotCom mailing list archives
Re: need iptables help
From: Robin Wood <robin () digininja org>
Date: Wed, 26 Dec 2012 14:26:10 +0000
On Dec 26, 2012 2:22 PM, "Hans Kokx" <skipmeister123 () gmail com> wrote:
http://ebtables.sourceforge.net/br_fw_ia/br_fw_ia.html#section6
As I said, I think ebtables and not iptables is the way to go. Robin
-- Hans Kokx On Wednesday, December 26, 2012 at 9:19 AM, Robin Wood wrote:On Dec 26, 2012 2:11 PM, "Hans Kokx" <skipmeister123 () gmail com> wrote:I don't think that's true, Robin. When I worked at Barracuda, I
supported their web filter. It had a bridged interface, exclusively. It also used iptables for all the rules.
If you can suggest a working rule I'll happily be proved wrong. From reading about ebtables it operates at a lower level so can hit the
bridge.
Robin-- Hans Kokx On Wednesday, December 26, 2012 at 4:11 AM, Robin Wood wrote:On Dec 26, 2012 4:41 AM, "Nik" <foringer () gmail com> wrote:You can create bridge interface with "brctl" and manage traffic on
it
with iptables...I'm looking for the rule to do what I need, everything else is
already in place.
As far as I can tell iptables doesn't work on bridges. Robin2012/12/24 Robin Wood <robin () digininja org>:On 24 December 2012 18:09, Robin Wood <robin () digininja org> wrote:On 23 December 2012 23:50, Robin Wood <robin () digininja org>
wrote:
Hi I need an IP tables rule that will catch all traffic going over
a
network bridge and send anything destined to port 80 to 8080.
As the
proxy that will be listening on port 8080 will modify some
traffic to
make it request from the IP of the local machine I'll need the
rule to
ignore requests to port 80 on the IP of the localhost. This is what I tried as this works with IP forwarding for
things like
ARP spoofing but this doesn't work in this instance, I think
because
there is no routing going on, the traffic is just being passed straight through. iptables -t nat -A PREROUTING -p tcp --destination-port 80 ! -d <local-IP> -j REDIRECT --to-port 8080 With this rule in place, if I drop the -d I can get pages being requested from the web server on the local machine to be bounced through the proxy. How do I do it? Got a few good tools going to be based on this if I can get it
to work
A few people have suggested things but none have worked so far.
To
work out which chain will affect things I've just tried the
following:
iptables -A INPUT -p tcp --dport 80 -j DROP iptables -A OUTPUT -p tcp --dport 80 -j DROP iptables -A FORWARD -p tcp --dport 80 -j DROP Which I think should drop all traffic heading towards port 80
but even
with those rules in place I'm still able to surf through the
bridge.
From a previous project I have a feeling that having iptables
affect
bridge traffic is hard. If the device was routing traffic then
the
above rules should work but as it is just bridging then it isn't working. RobinI've remembered what I should be doing, I need ebtables not
iptables.
ebtables.sourceforge.net/br_fw_ia/br_fw_ia.html That should get me in the middle. Robin _______________________________________________ Pauldotcom mailing list Pauldotcom () mail pauldotcom com http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com_______________________________________________ Pauldotcom mailing list Pauldotcom () mail pauldotcom com http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com_______________________________________________ Pauldotcom mailing list Pauldotcom () mail pauldotcom com http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com_______________________________________________ Pauldotcom mailing list Pauldotcom () mail pauldotcom com http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com_______________________________________________ Pauldotcom mailing list Pauldotcom () mail pauldotcom com http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com_______________________________________________ Pauldotcom mailing list Pauldotcom () mail pauldotcom com http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com
_______________________________________________ Pauldotcom mailing list Pauldotcom () mail pauldotcom com http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com
Current thread:
- Re: need iptables help, (continued)
- Re: need iptables help Hans Kokx (Dec 23)
- Re: need iptables help John Strand (Dec 23)
- Re: need iptables help Robin Wood (Dec 23)
- Re: need iptables help Robin Wood (Dec 24)
- Re: need iptables help Robin Wood (Dec 24)
- Re: need iptables help Nik (Dec 25)
- Re: need iptables help Robin Wood (Dec 26)
- Re: need iptables help Hans Kokx (Dec 26)
- Re: need iptables help Robin Wood (Dec 26)
- Re: need iptables help Hans Kokx (Dec 26)
- Re: need iptables help Robin Wood (Dec 26)
- Re: need iptables help Robin Wood (Dec 24)
- Re: need iptables help Champ Clark III (Dec 26)
- Re: need iptables help Robin Wood (Dec 26)