I have posted this question to the netfilter mailing list along with #ebtables, #iptables, and #netfilter. Nobody has really responded, so I'm led to believe that it is either incredibly complicated or *really* simple. Please, somebody throw me a bone here!

Ok, on with the show...

I have a bridge (br0) with two interfaces (eth1 and eth2). None of br0, eth1 or eth2 has an IP address assigned to it. Eth0 is the only interface with an IP. There is a web server running locally on this bridge, configured so that any request sent to it returns the only page.

I'm trying to get all web traffic (port 80 for now) from certain clients transparently redirected to the local web server. Basically I want to take traffic from a client matching virii/malware traffic and redirect it to a web page that has instructions for disinfection/cleaning. Also I want to isolate any infected client's traffic to only one side of the bridge. I want to keep these bridges as "transparent" as possible.

Here's what I have tried so far:

# netstat -ln
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN

# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
172.16.110.0    0.0.0.0         255.255.254.0   U     0      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         172.16.111.254  0.0.0.0         UG    1      0        0 eth0

From filter:

-A FORWARD -p udp -m udp --dport 53 -j ACCEPT
-A FORWARD -p udp -m udp --sport 53 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 53 -j ACCEPT
-A FORWARD -p tcp -m tcp --sport 53 -j ACCEPT
-A FORWARD -s $CLIENT_IP -j DROP
-A icmp-flood -m limit --limit 1/sec -j RETURN
-A icmp-flood -j DROP
-A syn-flood -m limit --limit 50/sec --limit-burst 150 -j RETURN
-A syn-flood -j DROP

From nat:

-A PREROUTING -s $CLIENT_IP -p tcp -m tcp --dport 80 -j DNAT --to-destination 127.0.0.1:80

Using the DNAT rule above, the traffic can be seen on lo:

15:09:21.474893 IP 172.16.110.139.1782 > 127.0.0.1.80: S 1919280507:1919280507(0) win 65535 <mss 1460,nop,nop,sackOK>
15:09:24.427208 IP 172.16.110.139.1782 > 127.0.0.1.80: S 1919280507:1919280507(0) win 65535 <mss 1460,nop,nop,sackOK>

As seen from the client-side bridge interface eth2:

15:09:21.474843 IP 172.16.110.139.1782 > 216.193.202.92.80: S 1919280507:1919280507(0) win 65535 <mss 1460,nop,nop,sackOK>
15:09:24.427183 IP 172.16.110.139.1782 > 216.193.202.92.80: S 1919280507:1919280507(0) win 65535 <mss 1460,nop,nop,sackOK>

But the kernel sees the traffic as "martian" and discards it:

Dec 1 15:09:45 xxxxxxxx last message repeated 9 times
Dec 1 15:11:37 xxxxxxxx kernel: martian destination 127.0.0.1 from 172.16.110.139, dev br0
Dec 1 15:11:46 xxxxxxxx last message repeated 2 times

Ok, that isn't what I want to see... so I tried using a REDIRECT rule in place of the DNAT rule:

iptables -t nat -A PREROUTING -p tcp -s 172.16.110.139 --dport 80 -j REDIRECT --to-ports 80

Now the only interface I can see the client's web traffic on is eth2 (the interface on the bridge facing the client). tcpdump on eth2:

15:19:29.280597 IP 172.16.110.139.1791 > 216.193.202.92.80: S 3561515512:3561515512(0) win 65535 <mss 1460,nop,nop,sackOK>

Eth1, br0, and lo don't see any of it, nothing in kernel or apache logs either. Where is it getting redirected to??

I have tried using 2.6.13, 2.6.14, 2.6.14.3, and 2.6.15-rc4, also tried iptables-1.3.3 and 1.3.4.

Any ideas on what I am doing wrong? What is the correct way to do this?

Thanks in advance.

--
_______________________________________________
LARTC mailing list
LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
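When debugging a transparent redirect like the one above, the two pieces of evidence worth correlating are the kernel's "martian destination" log lines (a martian destination means the kernel refused to route a forwarded packet to that address, here the loopback address used as the DNAT target) and the SYNs tcpdump shows on the inside interface. The following script is an added diagnostic example, not part of the original post or of any netfilter tool: it parses both kinds of lines, folds the syslog "last message repeated N times" follow-ups into the preceding event, and reports per client how many redirected connection attempts the kernel discarded and whether the rejected destination is a loopback address. The sample log lines are constructed from the ones quoted in the post; the function and variable names are the example's own.

```python
"""Correlate kernel 'martian destination' log lines with tcpdump SYN lines.

Added diagnostic example (not from the original post). Sample input below is
constructed from the syslog and tcpdump excerpts quoted in the post.
"""
import ipaddress
import re
from collections import Counter

# syslog line emitted by the kernel when the routing lookup rejects the destination
MARTIAN_RE = re.compile(
    r"kernel: martian destination (?P<dst>[\d.]+) from (?P<src>[\d.]+), dev (?P<dev>\S+)"
)
# syslogd collapses identical consecutive messages into this follow-up line
REPEAT_RE = re.compile(r"last message repeated (?P<n>\d+) times")
# tcpdump IPv4 TCP line: "<ts> IP <src>.<sport> > <dst>.<dport>: <flags> ..."
TCPDUMP_RE = re.compile(
    r"^(?P<ts>[\d:.]+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<flags>[SFRP.]+)\b"
)

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")


def parse_martians(syslog_lines):
    """Return Counter keyed by (src, dst, dev) -> number of discarded packets.

    A 'last message repeated N times' line adds N to the most recent martian
    event; if no martian event precedes it, it refers to some unrelated message
    and is ignored.
    """
    drops = Counter()
    last_key = None
    for line in syslog_lines:
        m = MARTIAN_RE.search(line)
        if m:
            last_key = (m["src"], m["dst"], m["dev"])
            drops[last_key] += 1
            continue
        r = REPEAT_RE.search(line)
        if r and last_key is not None:
            drops[last_key] += int(r["n"])
    return drops


def parse_syns(tcpdump_lines):
    """Return Counter keyed by (src, dst) -> number of SYNs (connection attempts)."""
    attempts = Counter()
    for line in tcpdump_lines:
        m = TCPDUMP_RE.match(line)
        if m and m["flags"] == "S":  # bare SYN, i.e. a new connection attempt
            attempts[(m["src"], m["dst"])] += 1
    return attempts


def diagnose(syslog_lines, tcpdump_lines):
    """Combine both sources into one report for the operator."""
    drops = parse_martians(syslog_lines)
    attempts = parse_syns(tcpdump_lines)
    # clients whose redirected packets were rejected because the rewritten
    # destination is a loopback address (127.0.0.0/8)
    loopback_clients = sorted(
        {src for (src, dst, _dev) in drops if ipaddress.ip_address(dst) in LOOPBACK}
    )
    return {
        "martian_drops": drops,
        "syn_attempts": attempts,
        "loopback_dnat_clients": loopback_clients,
    }


# Constructed sample input, taken from the excerpts in the post above.
SYSLOG = [
    "Dec 1 15:09:45 xxxxxxxx last message repeated 9 times",
    "Dec 1 15:11:37 xxxxxxxx kernel: martian destination 127.0.0.1 from 172.16.110.139, dev br0",
    "Dec 1 15:11:46 xxxxxxxx last message repeated 2 times",
]
TCPDUMP_LO = [
    "15:09:21.474893 IP 172.16.110.139.1782 > 127.0.0.1.80: S 1919280507:1919280507(0) win 65535 <mss 1460,nop,nop,sackOK>",
    "15:09:24.427208 IP 172.16.110.139.1782 > 127.0.0.1.80: S 1919280507:1919280507(0) win 65535 <mss 1460,nop,nop,sackOK>",
]

if __name__ == "__main__":
    report = diagnose(SYSLOG, TCPDUMP_LO)
    for (src, dst, dev), n in report["martian_drops"].items():
        print(f"{src} -> {dst} on {dev}: {n} packet(s) discarded as martian")
    for (src, dst), n in report["syn_attempts"].items():
        print(f"{src} -> {dst}: {n} SYN(s) seen")
    print("clients DNATed to a loopback address:", report["loopback_dnat_clients"])
```

Run against a live box with `dmesg`/syslog output and `tcpdump -n -i lo` lines, the per-client counts show whether the redirected SYNs reaching lo are being discarded by the routing code rather than by the web server; the first "repeated" line in the sample is deliberately ignored because the message it refers to is not in the excerpt.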