Hi all,

I'm trying to use ebtables/iptables to implement a tproxy-squid on my network. I have a bridge setup, with eth0 facing the user and eth1 facing the internet. Everything works great when I have a user connected with a cross-over cable on eth0. But when I plug eth0 into the production environment network (which uses multiple VLANs, one for the users and another for the internet), http traffic stops working (i.e. it doesn't get routed to squid). We use a Cisco switch 2690 (layer 2).

I'm trying to figure out what's wrong with my setup:

uname -r: 2.6.29.6
ebtables --version: ebtables v2.0.9-1 (June 2009)
iptables --version: iptables v1.4.3.2

Rules applied:

iptables -t mangle -N DIVERT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT
iptables -t mangle -A PREROUTING -i eth0 -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3128

ebtables -t broute -A BROUTING -i eth0 -p ipv4 --ip-proto tcp --ip-dport 80 -j redirect --redirect-target DROP
ebtables -t broute -A BROUTING -i eth1 -p ipv4 --ip-proto tcp --ip-sport 80 -j redirect --redirect-target DROP

cd /proc/sys/net/bridge/
for i in *
do
    echo 0 > $i
done
unset i

brctl stp br0 off
brctl setfd br0 1
brctl sethello br0 1

ip rule add fwmark 1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100

echo 1 > /proc/sys/net/ipv4/ip_forward
echo 0 > /proc/sys/net/ipv4/conf/lo/rp_filter
echo 1 > /proc/sys/net/ipv4/ip_nonlocal_bind
echo 1 > /proc/sys/net/ipv4/tcp_low_latency
echo 0 > /proc/sys/net/ipv4/conf/eth1/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/br0/rp_filter

What am I missing?

FYI, I tried using 2.6.32.2 and ebtables didn't work even with the cross-over dummy client. Same with 2.6.33-rc1 and -rc1-git3. The kernel 2.6.29.6 was the only one I tried that worked correctly.

If you need any other info, please let me know.

Thanks in advance!
Felipe Damasio -- To unsubscribe from this list: send the line "unsubscribe netfilter" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
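An offline audit of the rule set above, added here as an example and not part of the original post or of squid/netfilter: it checks captured command output (constructed samples embedded below) for the socket-before-TPROXY ordering, the fwmark policy rule and rp_filter being off on lo, br0 and both bridge ports. The VLAN check goes beyond the post: it assumes the production switch port may deliver 802.1Q-tagged frames to eth0 (the post does not say), in which case `-p ipv4` broute rules do not match them, because ebtables compares the frame ethertype and a tagged frame carries 0x8100 rather than 0x0800.

```shell
#!/bin/sh
# Offline audit of the tproxy/bridge rule set from the post. All input below is
# constructed sample output (iptables-save, ebtables -t broute -L, ip rule,
# rp_filter values) so the checks run without root or the real tools.
SAMPLE_IPT='*mangle
:PREROUTING ACCEPT [0:0]
:DIVERT - [0:0]
-A PREROUTING -p tcp -m socket -j DIVERT
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j TPROXY --on-port 3128 --tproxy-mark 0x1/0x1
-A DIVERT -j MARK --set-xmark 0x1/0xffffffff
-A DIVERT -j ACCEPT
COMMIT'
SAMPLE_EBT='-p IPv4 -i eth0 --ip-proto tcp --ip-dport 80 -j redirect --redirect-target DROP
-p IPv4 -i eth1 --ip-proto tcp --ip-sport 80 -j redirect --redirect-target DROP'
SAMPLE_RULES='0: from all lookup local
32765: from all fwmark 0x1 lookup 100
32766: from all lookup main'
SAMPLE_RP='lo=0
br0=0
eth0=0
eth1=0'

# Ordering used in the post: the socket match runs before TPROXY so packets of
# already-established proxy sockets are marked and delivered locally.
check_socket_before_tproxy() {
  s=$(printf '%s\n' "$1" | grep -n -- '-m socket -j DIVERT' | cut -d: -f1 | head -n 1)
  t=$(printf '%s\n' "$1" | grep -n -- '-j TPROXY' | cut -d: -f1 | head -n 1)
  [ -n "$s" ] && [ -n "$t" ] && [ "$s" -lt "$t" ]
}

# Marked packets need a policy rule pointing at the local route table (100).
check_fwmark_rule() { printf '%s\n' "$1" | grep -q 'fwmark 0x1 lookup 100'; }

# ebtables -p IPv4 compares the frame ethertype (0x0800). A frame that arrives
# with an 802.1Q tag carries ethertype 0x8100, so such rules never match it.
# $1 = broute dump, $2 = "tagged" or "untagged" (what the switch port delivers)
check_broute_sees_frames() {
  case "$2" in
    untagged) printf '%s\n' "$1" | grep -q -- '-p IPv4' ;;
    tagged)   printf '%s\n' "$1" | grep -q -- '-p 802_1Q' ;;
    *) return 2 ;;
  esac
}

# rp_filter must be 0 on lo, br0 and both bridge ports; $1 = "iface=value" lines
check_rp_filter_off() {
  printf '%s\n' "$1" | grep -E '^(lo|br0|eth0|eth1)=' | grep -vq '=0$' && return 1
  [ "$(printf '%s\n' "$1" | grep -Ec '^(lo|br0|eth0|eth1)=0$')" -eq 4 ]
}
```

On a live box, feed the functions the real output of `iptables-save -t mangle`, `ebtables -t broute -L`, `ip rule` and the conf/*/rp_filter files instead of the samples.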