Thanks for the quick response Jasbir. Tried doing as you said with no luck, changed dport to port 8080 on the 4th line (see below). Same as before: if you remove line 1 the transparent proxy works.

iptables -P INPUT DROP
ebtables -t broute -A BROUTING -p IPv4 --ip-protocol 6 --ip-destination-port 80 -j redirect --redirect-target ACCEPT
iptables -t nat -A PREROUTING -i br0 -p tcp --dport 80 -j REDIRECT --to-port 8080
iptables -A INPUT -p tcp --dport 8080 -m physdev --physdev-in eth1 --physdev-out eth0 -j ACCEPT

Kind Regards
William

-----Original Message-----
From: Jasbir Khehra [mailto:jasbir.k@xxxxxxxxx]
Sent: 28 December 2006 18:37
To: William Bohannan
Cc: lartc@xxxxxxxxxxxxxxx
Subject: Re: filter policy drop and allow transparent proxy

William Bohannan wrote:
> Trying to use the policy drop rule with the bridged firewall, when I
> removed the first line the transparent proxy works great? It seems a
> bit strange as from reading several articles on it I thought the
> following occurs.
> 1st line - if it doesn't match it gets dropped on the local filter input.
> 2nd line - redirects the traffic off the link layer into the network
> layer ready for line 3.
> 3rd line - redirects the port 80 to 8080 and then goes to the local
> process (squid) through the input filter
> 4th line - input filter accepts the traffic overriding the global
> reject policy.
>
> iptables -P INPUT DROP
> ebtables -t broute -A BROUTING -p IPv4 --ip-protocol 6 --ip-destination-port 80 -j redirect --redirect-target ACCEPT
> iptables -t nat -A PREROUTING -i br0 -p tcp --dport 80 -j REDIRECT --to-port 8080
> iptables -A INPUT -p tcp --dport 80 -m physdev --physdev-in eth1 --physdev-out eth0 -j ACCEPT
>
> Any help would be most welcome.
>
> Kind Regards
> William
>
> _______________________________________________
> LARTC mailing list
> LARTC@xxxxxxxxxxxxxxx
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
>

The 4th line should look for packets on dport 8080 instead of 80

-Jasbir
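The rule set discussed in this thread, as an added example that is not part of either poster's message: a small POSIX shell script that generates the bridged transparent-proxy rules for a parameterised proxy port and then checks the generated listing for the mismatch Jasbir points out, namely that the port the nat REDIRECT rewrites to must be the port the filter INPUT rule accepts, because by the time the packet reaches INPUT its destination port has already been changed. The bridge name `br0`, the LAN-side bridge port `eth1`, the proxy port 8080, the `DRY_RUN` variable and the function names are assumptions of this example. The INPUT rule here matches `--physdev-in` only: the physdev match supports `--physdev-out` only in chains a packet leaves through (FORWARD, OUTPUT, POSTROUTING), and a locally delivered packet has no outgoing bridge port anyway, so the example also adds `-i br0` to keep the accept rule scoped to bridged traffic.

```shell
#!/bin/sh
# Added example, not code from the LARTC thread. Generates the bridged
# transparent-proxy rule set and checks the REDIRECT/INPUT port consistency.
# Assumptions: bridge br0, LAN-side bridge port eth1, proxy on port 8080.
# DRY_RUN=1 (the default) prints the commands; DRY_RUN=0 executes them (root).

DRY_RUN="${DRY_RUN:-1}"

# Print a command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Emit the four rules. $1 = bridge device, $2 = ingress bridge port, $3 = proxy port.
build_rules() {
    br="$1"; in_if="$2"; proxy_port="$3"
    run iptables -P INPUT DROP
    # Pull port-80 TCP frames off the bridge path so the IP layer (and nat) sees them.
    run ebtables -t broute -A BROUTING -p IPv4 --ip-protocol 6 \
        --ip-destination-port 80 -j redirect --redirect-target ACCEPT
    # Rewrite the destination port to the proxy port before routing.
    run iptables -t nat -A PREROUTING -i "$br" -p tcp --dport 80 \
        -j REDIRECT --to-port "$proxy_port"
    # The packet arrives in INPUT already rewritten, so match the proxy port,
    # not 80. Only --physdev-in is valid in INPUT (no outgoing bridge port).
    run iptables -A INPUT -i "$br" -p tcp --dport "$proxy_port" \
        -m physdev --physdev-in "$in_if" -j ACCEPT
}

# Given a rule listing (one command per line), return 0 when the port the nat
# REDIRECT rewrites to equals the port the INPUT accept rule matches.
check_rules() {
    rules="$1"
    to_port=$(printf '%s\n' "$rules" | sed -n 's/.*-j REDIRECT --to-port \([0-9]*\).*/\1/p')
    in_port=$(printf '%s\n' "$rules" | sed -n 's/.*-A INPUT .*--dport \([0-9]*\).*/\1/p')
    [ -n "$to_port" ] && [ "$to_port" = "$in_port" ]
}

# Generate the rules once and only show them if they pass the consistency check.
rules=$(build_rules br0 eth1 8080)
if check_rules "$rules"; then
    printf '%s\n' "$rules"
else
    echo "proxy port mismatch between REDIRECT --to-port and INPUT --dport" >&2
fi
```

Running the script with the default `DRY_RUN=1` prints the four commands; changing the INPUT rule back to `--dport 80` (the original fourth line) makes `check_rules` fail, which is the mistake the thread is about. Applying the rules for real requires `DRY_RUN=0` and root, and the rule set is still only as good as the rest of the INPUT policy around it (for example, nothing here accepts established return traffic for the proxy's own connections).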