RE: bridged firewall wont DNAT http to proxy


Hi Jan,

Many thanks for your reply!

I assumed that iptables was seeing the data, since I can add a PREROUTING /
POSTROUTING rule that will LOG the port 80 traffic going through iptables.
Even if I add the default gateway on the server(s) as the bridged firewall
(instead of the BT router), so that this will be non-bridged (and should work),
it will still not work (even though it can log the data and also route
it through).

What will work is redirecting the data port from, say, 80 to 22, since this
redirects to the local port (on the bridge/router).
I can then telnet to port 80 and receive SSH text.

I guess I could install squid locally on the bridge/router (then redirect),
but this will not be possible due to the low CPU/space on this machine.

I'm sorry to sound dumb; it's been a while since I've played with iptables,
and I'm a Windows admin ;-)

-----Original Message-----
From: Jan Engelhardt [mailto:jengelh@xxxxxxxxxxxxxxx] 
Sent: 21 March 2007 22:08
To: Ricardo Meechan
Cc: netfilter@xxxxxxxxxxxxxxxxxxx
Subject: Re: bridged firewall wont DNAT http to proxy


On Mar 21 2007 21:05, Ricardo Meechan wrote:
>Subject: bridged firewall wont DNAT http to proxy
          ^^^^^^^               ^^^^

I can already see your problem in the subject. Having a bridge bypasses
Layer3, don't you know?

>I want all http 80 traffic that is about to leave the network (entering 
>the bridged router) to redirect into another server running squid.
>
>The problem is the routing of data.
>
>I have tried many options but to no avail.
>
>I added the following rule to the nat prerouting using only one of the 
>servers as a source for testing.:
>
>-A PREROUTING -p tcp -s 194.72.xxx.xxx --dport 80 -j DNAT 
>--to-destination 192.168.x.x:80

ebtables -t broute -A BROUTING -p IPv4 --ip-dst 194.72.xxx.xxx --ip-proto tcp --ip-sport 80 -j DROP
# (ebtables' -d matches a MAC, so the IP match needs -p IPv4 with --ip-dst/--ip-sport;
#  in the broute table DROP means "route this frame", not "discard it")

>
>But nothing happens. I tried the destination address as a 194.72 but it 
>also didn't work.
>
>Routes are all working and the servers/squid/bridge (has a local ip on 
>br0) can talk to each other ok. ipv4 forwarding is enabled.
>
>
>
>I probably haven't been detailed enough, but if anyone has any solutions 
>or requires more info then I would really really appreciate your help!
>
>
>Many thanks in advance!
>
>rico.
>
># uname -r
>2.6.19-1.2911.6.5.fc6
>
>
>[root@xxxxxxx~]# ifconfig
>br0       Link encap:Ethernet  HWaddr 00:02:B3:B4:60:20
>          inet6 addr: fe80::202:b3ff:feb4:6020/64 Scope:Link
>          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>          RX packets:26881 errors:0 dropped:0 overruns:0 frame:0
>          TX packets:10798 errors:0 dropped:0 overruns:0 carrier:0
>          collisions:0 txqueuelen:0
>          RX bytes:1813830 (1.7 MiB)  TX bytes:2222767 (2.1 MiB)
>
>br0:0     Link encap:Ethernet  HWaddr 00:02:B3:B4:60:20
>          inet addr:192.168.xxx.xxx  Bcast:192.168.1.255  Mask:255.255.255.0
>          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>
>br0:1     Link encap:Ethernet  HWaddr 00:02:B3:B4:60:20
>          inet addr:194.72.xxx.xxx  Bcast:194.72.111.191  Mask:255.255.255.240
>          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>
>eth0      Link encap:Ethernet  HWaddr 00:02:B3:B4:60:20
>          inet6 addr: fe80::202:b3ff:feb4:6020/64 Scope:Link
>          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>          RX packets:141519 errors:0 dropped:0 overruns:0 frame:0
>          TX packets:139218 errors:0 dropped:0 overruns:0 carrier:0
>          collisions:1176 txqueuelen:1000
>          RX bytes:21761332 (20.7 MiB)  TX bytes:111661372 (106.4 MiB)
>
>eth1      Link encap:Ethernet  HWaddr 00:02:B3:B4:60:21
>          inet6 addr: fe80::202:b3ff:feb4:6021/64 Scope:Link
>          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>          RX packets:157758 errors:0 dropped:0 overruns:0 frame:0
>          TX packets:143081 errors:0 dropped:0 overruns:0 carrier:0
>          collisions:0 txqueuelen:1000
>          RX bytes:112414496 (107.2 MiB)  TX bytes:21491683 (20.4 MiB)
>
>lo        Link encap:Local Loopback
>          inet addr:127.0.0.1  Mask:255.0.0.0
>          inet6 addr: ::1/128 Scope:Host
>          UP LOOPBACK RUNNING  MTU:16436  Metric:1
>          RX packets:50 errors:0 dropped:0 overruns:0 frame:0
>          TX packets:50 errors:0 dropped:0 overruns:0 carrier:0
>          collisions:0 txqueuelen:0
>          RX bytes:4510 (4.4 KiB)  TX bytes:4510 (4.4 KiB)
>
>iptables:
>

Jan
-- 

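Putting Jan's broute hint together with Ricardo's DNAT rule, here is an added
example of the complete rule set for a transparent port-80 redirect from a
bridging firewall to a squid box elsewhere on the network. It is not code from
the thread or from the netfilter project; the addresses (194.72.111.176/28 for
the servers, 192.168.1.1 for the bridge, 192.168.1.10:3128 for squid) are
hypothetical stand-ins for the x'd-out values above. Two points it makes that
the thread does not spell out: in the broute table DROP means "hand this frame
to the IP stack" rather than "discard", which is what lets a PREROUTING DNAT
take effect on traffic the box would otherwise just switch; and the proxy's
replies have to come back through the bridge to be un-NATed, which is why the
DNAT is paired with an SNAT to the bridge's own address (otherwise a squid host
on the same segment answers the client directly and the client resets a
connection from an address it never talked to). The script prints the commands
by default (DRYRUN=1); applying it for real needs root, ebtables, iptables and
br_netfilter loaded. Newer kernels removed the broute table; there the same
"route instead of bridge" decision is made with nftables' bridge family
(meta pkttype set host in a prerouting chain).

```shell
#!/bin/sh
# Added example (not from the thread): transparent redirect of HTTP from a
# bridged Linux firewall to a squid box elsewhere on the network.
# All addresses are hypothetical stand-ins for the x'd-out values in the thread.
# Dry run (prints the commands) unless DRYRUN=0.

BR_IP=192.168.1.1                 # bridge's own address on br0:0 (hypothetical)
CLIENT_NET=194.72.111.176/28      # the servers' public /28 (hypothetical)
PROXY=192.168.1.10                # squid host (hypothetical)
PROXY_PORT=3128                   # squid's http_port, configured transparent
DRYRUN=${DRYRUN:-1}

# Print or execute a command depending on DRYRUN.
run() {
    if [ "$DRYRUN" = 1 ]; then echo "$*"; else "$@"; fi
}

transparent_proxy_rules() {
    # 1. Pull the client->web frames out of the bridge path. In the broute
    #    table DROP does not discard: it means "route this frame" (hand it to
    #    the IP stack); ACCEPT means "bridge it". Without this the frame is
    #    switched straight through with its original destination MAC.
    run ebtables -t broute -A BROUTING -p IPv4 --ip-src "$CLIENT_NET" \
        --ip-proto tcp --ip-dport 80 -j DROP

    # 2. Never redirect the proxy's own outbound port-80 fetches, or squid
    #    would be DNATed back to itself and loop. Must precede the DNAT rule.
    run iptables -t nat -A PREROUTING -s "$PROXY" -p tcp --dport 80 -j ACCEPT

    # 3. The packet is now routed, so DNAT it to squid.
    run iptables -t nat -A PREROUTING -s "$CLIENT_NET" -p tcp --dport 80 \
        -j DNAT --to-destination "$PROXY:$PROXY_PORT"

    # 4. Return path. squid answers whatever source address it sees. If that
    #    is the real client and squid sits on the same segment, the reply
    #    never crosses this box, is never un-NATed, and the client resets a
    #    connection from 192.168.1.10 it never opened. SNAT to the bridge's IP
    #    so replies are addressed to us and conntrack reverses both
    #    translations. Cost: squid logs the bridge IP, not the client.
    run iptables -t nat -A POSTROUTING -d "$PROXY" -p tcp --dport "$PROXY_PORT" \
        -j SNAT --to-source "$BR_IP"

    # 5. Let the redirected flow through the filter table in case FORWARD is
    #    not default-ACCEPT (ip_forward is already on per the thread).
    run iptables -A FORWARD -p tcp -d "$PROXY" --dport "$PROXY_PORT" -j ACCEPT
    run iptables -A FORWARD -p tcp -s "$PROXY" --sport "$PROXY_PORT" -j ACCEPT
}

# Number of rules the generator emits; a quick self-check for the dry run.
rule_count() {
    transparent_proxy_rules | wc -l | tr -d ' '
}

transparent_proxy_rules
```

To apply for real: DRYRUN=0 sh transparent-proxy.sh as root. Check with
ebtables -t broute -L and iptables -t nat -vnL that the broute counter and the
DNAT counter both climb for a test connection; if only the DNAT counter moves,
the frame is still being bridged and the broute rule is not matching.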