RE: filter policy drop and allow transparent proxy

Linux Advanced Routing and Traffic Control


 



Thanks for the quick response Jasbir.  Tried doing as you said with no
luck; changed dport to port 8080 on the 4th line (see below).  Same as
before, if you remove line 1 the transparent proxy works.


iptables -P INPUT DROP
ebtables -t broute -A BROUTING -p IPv4 --ip-protocol 6 \
    --ip-destination-port 80 -j redirect --redirect-target ACCEPT
iptables -t nat -A PREROUTING -i br0 -p tcp --dport 80 -j REDIRECT \
    --to-port 8080
iptables -A INPUT -p tcp --dport 8080 -m physdev --physdev-in eth1 \
    --physdev-out eth0 -j ACCEPT

Kind Regards

William 
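As an added example, not taken from the thread, here is a small POSIX shell script that reads the counter columns of `iptables -v -n -L` listings and reports where the port-80 packets stop: whether the nat PREROUTING REDIRECT rule counted them, whether the INPUT ACCEPT rule counted them, and whether the INPUT policy DROP counter absorbed them. The two listings embedded below are constructed sample output, not captured from the bridge in the thread.

```shell
#!/bin/sh
# Added example: locate the stage at which redirected port-80 packets die by
# comparing packet counters from 'iptables -t nat -L PREROUTING -v -n' and
# 'iptables -L INPUT -v -n'. The listings below are constructed samples.

NAT_PREROUTING='Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   12   720 REDIRECT   tcp  --  br0    *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 redir ports 8080'

FILTER_INPUT='Chain INPUT (policy DROP 12 packets, 720 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-in eth1 --physdev-out eth0 tcp dpt:8080'

# Print "<target> <pkts>" for every rule line of a chain listing
# (skips the "Chain ..." header and the column-title line).
rule_counts() {
    printf '%s\n' "$1" | awk 'NR > 2 && NF >= 3 { print $3, $1 }'
}

# Packets counted against the chain policy, taken from the header line.
policy_drops() {
    printf '%s\n' "$1" | awk 'NR == 1 { gsub(/[()]/, ""); print $5 }'
}

# Sum of packets that hit a given target in a chain listing (0 if none).
target_hits() {
    rule_counts "$1" | awk -v t="$2" '$1 == t { s += $2 } END { print s + 0 }'
}

# Verdict for the port-80 -> 8080 path: did REDIRECT fire, did the INPUT
# ACCEPT rule ever match, and did the DROP policy eat the packets instead?
diagnose() {
    redir=$(target_hits "$NAT_PREROUTING" REDIRECT)
    accept=$(target_hits "$FILTER_INPUT" ACCEPT)
    drops=$(policy_drops "$FILTER_INPUT")
    if [ "$accept" -gt 0 ]; then
        echo "accepted"
    elif [ "$redir" -gt 0 ] && [ "$drops" -gt 0 ]; then
        echo "redirected-but-dropped-in-INPUT"
    else
        echo "not-redirected"
    fi
}

diagnose
```

On a live box, replace the two constructed strings with the real listings (for example `FILTER_INPUT=$(iptables -L INPUT -v -n)`) after zeroing counters with `iptables -Z` and making a few requests; a growing INPUT policy counter next to a zero on the ACCEPT rule means the rule's match conditions, not the REDIRECT, are what need attention.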
-----Original Message-----
From: Jasbir Khehra [mailto:jasbir.k@xxxxxxxxx] 
Sent: 28 December 2006 18:37
To: William Bohannan
Cc: lartc@xxxxxxxxxxxxxxx
Subject: Re:  filter policy drop and allow transparent proxy

William Bohannan wrote:
> Trying to use the policy drop rule with the bridged firewall, when I
> removed the first line the transparent proxy works great?  It seems a
> bit strange as from reading several articles on it I thought the
> following occurs.
> 1st line - if it doesn't match it gets dropped on the local filter
> input.
> 2nd line - redirects the traffic off the link layer into the network
> layer ready for line 3.
> 3rd line - redirects the port 80 to 8080 and then goes to the local
> process (squid) through the input filter.
> 4th line - input filter accepts the traffic overriding the global
> reject policy.
> 
> iptables -P INPUT DROP
> ebtables -t broute -A BROUTING -p IPv4 --ip-protocol 6 \
>     --ip-destination-port 80 -j redirect --redirect-target ACCEPT
> iptables -t nat -A PREROUTING -i br0 -p tcp --dport 80 -j REDIRECT \
>     --to-port 8080
> iptables -A INPUT -p tcp --dport 80 -m physdev --physdev-in eth1 \
>     --physdev-out eth0 -j ACCEPT
> 
> Any help would be most welcome.
> 
> Kind Regards
> William
> 
> _______________________________________________
> LARTC mailing list
> LARTC@xxxxxxxxxxxxxxx
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
> 
The 4th line should look for packets on dport 8080 instead of 80.
-Jasbir



