Re: Bypassing TPROXY bridge intercept.


 



On 04.07.2012 12:49, Daryl Radivojevic wrote:
Hi all,

I have a question about bypassing TProxy intercept.
I am using http://wiki.squid-cache.org/Features/Tproxy4 for
transparent interception of SSL traffic. It works fine.

During operation of the tproxy interception, some sites that users
connect to like banking when discovered are placed in the ebtables
BROUTE table before the DROP rules (as explained in the Tproxy4
document) like this:

# ebtables -t broute -L
-p IPv4 --ip-src 216.52.215.110 --ip-proto tcp --ip-sport 443 -j ACCEPT
-p IPv4 --ip-dst 216.52.215.110 --ip-proto tcp --ip-dport 443 -j ACCEPT
etc.

This all works fine.

My concern is when there is a huge amount of such destinations. Is there a way
to put these tproxy bypass exceptions in its own separate table, and how?

My other question is how to prevent the existing chain counters being
zeroed when a new destination is added to the chain?



I'll leave someone more familiar with ebtables to answer those specific questions.

At worst, there is also the option of iptables chains with an ipset rule bypassing the -j TPROXY target rule. This just means routing those packets instead of bridging. The resulting asymmetrical route path does not matter for these packets.

AYJ

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
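A concrete form of the ipset bypass AYJ suggests, as an added example that is not part of this thread or of the Squid Tproxy4 document. It assumes a set named tproxy_bypass (hash:net, so both single addresses and CIDR blocks fit), a dedicated mangle chain named TPROXY_BYPASS consulted ahead of the -j TPROXY rule, and port 443 from the question; the script only prints the ipset and iptables commands, it does not apply them.

```shell
#!/bin/sh
# Constructed example; names below are assumptions, not from the Tproxy4 doc.
SET_NAME=tproxy_bypass
CHAIN=TPROXY_BYPASS
PORT=443

# One-time rules. The chain goes in at position 1 of mangle PREROUTING so it
# runs before the -j TPROXY rule; ACCEPT there leaves the packet to normal
# routing instead of interception. Exceptions live in the set, not the chain.
bypass_setup_rules() {
  cat <<EOF
ipset create $SET_NAME hash:net -exist
iptables -t mangle -N $CHAIN
iptables -t mangle -A $CHAIN -p tcp --sport $PORT -m set --match-set $SET_NAME src -j ACCEPT
iptables -t mangle -A $CHAIN -p tcp --dport $PORT -m set --match-set $SET_NAME dst -j ACCEPT
iptables -t mangle -I PREROUTING 1 -j $CHAIN
EOF
}

# Turn a destination list on stdin (one IP or CIDR per line, '#' comments and
# blank lines allowed) into an `ipset restore` batch. -exist makes re-runs
# harmless, and because the iptables chain is never rewritten, its packet
# counters keep accumulating as destinations are added.
# Only a coarse syntax check is done here; ipset validates the real entry.
# Returns 1 (after emitting the valid lines) if any entry was rejected.
bypass_ipset_batch() {
  bad=0
  printf 'create %s hash:net -exist\n' "$SET_NAME"
  while read -r entry _; do
    case "$entry" in
      ''|'#'*) continue ;;
      *[!0-9./]*|*/|/*) printf 'rejected: %s\n' "$entry" >&2; bad=1; continue ;;
    esac
    printf 'add %s %s -exist\n' "$SET_NAME" "$entry"
  done
  return $bad
}
```

Typical use is `bypass_setup_rules | sh` once, then `bypass_ipset_batch < bypass.txt | ipset restore` whenever the list changes; `iptables -t mangle -L TPROXY_BYPASS -nv` shows the bypass counters, which survive set updates.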

