Trouble redirecting traffic on transparent bridge.

Linux Advanced Routing and Traffic Control


 



I have posted this question to the netfilter mailing list along with #ebtables, #iptables, and #netfilter. Nobody has really responded, so I'm led to believe that it is either incredibly complicated or *really* simple. Please, somebody throw me a bone here! Ok, on with the show...

I have a bridge (br0) with two interfaces (eth1 and eth2). Neither br0, eth1, nor eth2 has an IP address assigned to it. Eth0 is the only interface with an IP. There is a web server running locally on this bridge configured so that any request sent to it returns the only page. I'm trying to get all web traffic (port 80 for now) from certain clients transparently redirected to the local web server. Basically I want to take traffic from a client matching virii/malware traffic and redirect it to a web page that has instructions for disinfection/cleaning. Also I want to isolate any infected client's traffic to only one side of the bridge. I want to keep these bridges as "transparent" as possible.
   
Here's what I have tried so far:   
   
# netstat -ln   
Active Internet connections (only servers)   
Proto Recv-Q Send-Q Local Address           Foreign Address         State         
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN   
   
# route -n   
Kernel IP routing table   
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface   
172.16.110.0    0.0.0.0         255.255.254.0   U     0      0        0 eth0   
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo   
0.0.0.0         172.16.111.254  0.0.0.0         UG    1      0        0 eth0   
   
   
From filter:
-A FORWARD -p udp -m udp --dport 53 -j ACCEPT    
-A FORWARD -p udp -m udp --sport 53 -j ACCEPT    
-A FORWARD -p tcp -m tcp --dport 53 -j ACCEPT    
-A FORWARD -p tcp -m tcp --sport 53 -j ACCEPT    
-A FORWARD -s $CLIENT_IP -j DROP    
-A icmp-flood -m limit --limit 1/sec -j RETURN    
-A icmp-flood -j DROP    
-A syn-flood -m limit --limit 50/sec --limit-burst 150 -j RETURN    
-A syn-flood -j DROP   
   
From nat:
-A PREROUTING -s $CLIENT_IP -p tcp -m tcp --dport 80 -j DNAT --to-destination 127.0.0.1:80   
   
Using the DNAT rule above the traffic can be seen on lo:   
15:09:21.474893 IP 172.16.110.139.1782 > 127.0.0.1.80: S 1919280507:1919280507(0) win 65535 <mss 1460,nop,nop,sackOK>   
15:09:24.427208 IP 172.16.110.139.1782 > 127.0.0.1.80: S 1919280507:1919280507(0) win 65535 <mss 1460,nop,nop,sackOK>   
   
As seen from the client side bridge interface eth2:   
15:09:21.474843 IP 172.16.110.139.1782 > 216.193.202.92.80: S 1919280507:1919280507(0) win 65535 <mss 1460,nop,nop,sackOK>   
15:09:24.427183 IP 172.16.110.139.1782 > 216.193.202.92.80: S 1919280507:1919280507(0) win 65535 <mss 1460,nop,nop,sackOK>   
   
But the kernel sees the traffic as "martian" and discards it:
Dec  1 15:09:45 xxxxxxxx last message repeated 9 times   
Dec  1 15:11:37 xxxxxxxx kernel: martian destination 127.0.0.1 from 172.16.110.139, dev br0   
Dec  1 15:11:46 xxxxxxxx last message repeated 2 times   
   
Ok, that isn't what I want to see... so I tried using a REDIRECT rule in place of the DNAT rule:   
iptables -t nat -A PREROUTING -p tcp -s 172.16.110.139 --dport 80 -j REDIRECT --to-ports 80   
   
Now the only interface I can see the client's web traffic on is eth2 (the interface on the bridge facing the client).
tcpdump on eth2:   
15:19:29.280597 IP 172.16.110.139.1791 > 216.193.202.92.80: S 3561515512:3561515512(0) win 65535 <mss 1460,nop,nop,sackOK>   
   
Eth1, br0, and lo don't see any of it, nothing in kernel or apache logs either.  Where is it getting redirected to??   
   
I have tried using 2.6.13, 2.6.14, 2.6.14.3, and 2.6.15-rc4, also tried iptables-1.3.3 and 1.3.4.   
   
Any ideas on what I am doing wrong? What is the correct way to do this?   
   
Thanks in advance.  

LARTC mailing list
LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
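As an added example (not code from the post or the list), a small Python triage script that correlates iptables-save DNAT rules with the kernel's "martian destination" log lines: a DNAT target inside 127.0.0.0/8 is dropped as martian for forwarded traffic on these kernels, since the route_localnet sysctl that permits it only appeared in Linux 3.6. The nat rules and log lines are constructed to mirror the post.

```python
import ipaddress
import re

# Constructed sample input modelled on the post (not the poster's actual files).
NAT_RULES = [
    "-A PREROUTING -s 172.16.110.139 -p tcp -m tcp --dport 80 -j DNAT --to-destination 127.0.0.1:80",
    "-A PREROUTING -s 172.16.110.140 -p tcp -m tcp --dport 80 -j DNAT --to-destination 172.16.110.5:80",
    "-A PREROUTING -s 172.16.110.141 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 80",
]
KERNEL_LOG = [
    "Dec  1 15:09:45 host kernel: martian destination 127.0.0.1 from 172.16.110.139, dev br0",
    "Dec  1 15:09:45 host last message repeated 9 times",
    "Dec  1 15:11:37 host kernel: martian destination 127.0.0.1 from 172.16.110.139, dev br0",
    "Dec  1 15:11:46 host last message repeated 2 times",
]

DNAT_RE = re.compile(r"-j DNAT --to-destination (\d+\.\d+\.\d+\.\d+)")
MARTIAN_RE = re.compile(r"martian destination (\S+) from (\S+), dev (\S+)")
REPEAT_RE = re.compile(r"last message repeated (\d+) times")


def count_martians(log_lines):
    """Count martian-destination drops per (destination, device), folding in
    syslog's 'last message repeated N times' lines that follow a martian line."""
    counts, last_key = {}, None
    for line in log_lines:
        if m := MARTIAN_RE.search(line):
            last_key = (m.group(1), m.group(3))
            counts[last_key] = counts.get(last_key, 0) + 1
        elif (m := REPEAT_RE.search(line)) and last_key:
            counts[last_key] += int(m.group(1))
        else:
            last_key = None  # an unrelated line breaks the repeat chain
    return counts


def loopback_dnat_rules(rules):
    """Return DNAT rules whose target lies in 127.0.0.0/8. Forwarded packets rewritten
    to a loopback destination are dropped as martian unless route_localnet (Linux 3.6+)."""
    return [r for r in rules
            if (m := DNAT_RE.search(r)) and ipaddress.ip_address(m.group(1)).is_loopback]


def correlate(rules, log_lines):
    """Map each loopback DNAT rule to the martian drops logged for its target address."""
    counts = count_martians(log_lines)
    return {rule: sum(n for (dst, _dev), n in counts.items()
                      if dst == DNAT_RE.search(rule).group(1))
            for rule in loopback_dnat_rules(rules)}


if __name__ == "__main__":
    for rule, drops in correlate(NAT_RULES, KERNEL_LOG).items():
        print(f"{drops:4d} martian drops <- {rule}")
```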
