Did exactly what you said and added the following lines to the code to make:

iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
echo "1" > /proc/sys/net/ipv4/ip_forward
iptables -P INPUT DROP
ebtables -t broute -A BROUTING -p IPv4 --ip-protocol 6 --ip-destination-port 80 -j redirect --redirect-target ACCEPT
iptables -t nat -A PREROUTING -i br0 -p tcp --dport 80 -j REDIRECT --to-port 8080
iptables -A INPUT -p tcp --dport 8080 -m physdev --physdev-in eth1 --physdev-out eth0 -j ACCEPT
iptables -A INPUT -p tcp --dport 8080 -m physdev --physdev-in eth0 --physdev-out eth1 -j ACCEPT

Still had no luck. The output you asked for:

server1:~# iptables -nvL INPUT
Chain INPUT (policy DROP 35 packets, 2223 bytes)
 pkts bytes target     prot opt in     out     source               destination
    2   146 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
  255 17920 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in eth0 multiport ports 81,82,3003
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in eth1 multiport ports 81,82,3003
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:8080 PHYSDEV match --physdev-in eth1 --physdev-out eth0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:8080 PHYSDEV match --physdev-in eth0 --physdev-out eth1

Kind Regards
William

-----Original Message-----
From: Jasbir Khehra [mailto:jasbir.k@xxxxxxxxx]
Sent: 29 December 2006 08:40
To: lartc@xxxxxxxxxxxxxxx
Cc: William Bohannan
Subject: Re: filter policy drop and allow transparent proxy

William Bohannan wrote:
> Thanks for the quick response Jasbir. Tried doing as you said with no
> luck, changed dport to port 8080 on the 4th line (see below). Same as
> before, if you remove line 1 the transparent proxy works.
>
> iptables -P INPUT DROP
> ebtables -t broute -A BROUTING -p IPv4 --ip-protocol 6 --ip-destination-port 80 -j redirect --redirect-target ACCEPT
> iptables -t nat -A PREROUTING -i br0 -p tcp --dport 80 -j REDIRECT --to-port 8080
> iptables -A INPUT -p tcp --dport 8080 -m physdev --physdev-in eth1 --physdev-out eth0 -j ACCEPT
>
> Kind Regards
>
> William

Need to do some debugging. Set the default INPUT policy to ACCEPT and add various rules in the INPUT chain (without any target action) to verify which rules are matching. For example:

iptables -A INPUT -p tcp --dport 8080 -m physdev --physdev-in eth1 --physdev-out eth0
iptables -A INPUT -p tcp --dport 8080 -m physdev --physdev-in eth0 --physdev-out eth1
iptables -A INPUT -p tcp --dport 8080 -i br0

Then check out the output of:

iptables -nvL INPUT

HTH
Jasbir

_______________________________________________
LARTC mailing list
LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
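An added helper for the counter check Jasbir describes; it is editor-supplied example code, not something posted in the thread. It reads `iptables -nvL INPUT` output from stdin and reports the chain policy with its packet count plus every rule whose packet counter is still zero, using the INPUT chain William pasted (re-laid-out in columns) as constructed sample input.

```shell
#!/bin/sh
# Added example, not code from the thread: given `iptables -nvL INPUT`
# output on stdin, print the chain policy and how many packets it has
# absorbed, then every rule whose pkts counter is 0 (i.e. never matched).
# Run with exact counters on a live box: iptables -nvxL INPUT | report_unmatched
report_unmatched() {
    awk '
        /^Chain / {
            # "Chain INPUT (policy DROP 35 packets, 2223 bytes)"
            printf "%s policy %s hit by %s packets\n", $2, $4, $5
            next
        }
        /^ *pkts +bytes/ { next }        # column header line
        NF >= 9 {
            n++                          # rule number within the chain
            if ($1 == 0) {
                rule = ""
                for (i = 3; i <= NF; i++) rule = rule " " $i
                printf "rule %d never matched:%s\n", n, rule
            }
        }'
}

# Constructed sample: the INPUT chain from William's mail, as iptables prints it.
SAMPLE='Chain INPUT (policy DROP 35 packets, 2223 bytes)
 pkts bytes target     prot opt in     out     source               destination
    2   146 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
  255 17920 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in eth0 multiport ports 81,82,3003
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in eth1 multiport ports 81,82,3003
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:8080 PHYSDEV match --physdev-in eth1 --physdev-out eth0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:8080 PHYSDEV match --physdev-in eth0 --physdev-out eth1'

printf '%s\n' "$SAMPLE" | report_unmatched
```

Rules reported as never matched while the policy counter keeps climbing are the ones to re-examine; here all four physdev rules are in that state while 35 packets hit the DROP policy.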