How can I configure linux routing with bridge interfaces to apply iptables rules for tcp packets?

I am trying to install a transparent proxy to my current network.
Currently there is only one client machine, directly connected to eth0
of my proxy. eth1 is connected to the switch and goes out from there.
Now eth0 and eth1 are members of a bridge interface and packets are
transmitted directly from one to the other. For other reasons, I cannot
assign IP addresses to these interfaces and use normal IP forwarding.

What I need is this: I have an HTTP sniffer on the proxy, to which I want to
send packets with

iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080

I want to grab these packets from the BROUTING chain of the broute table. This
is the broute table I have configured in ebtables:

*broute
:BROUTING ACCEPT
:NATLOG ACCEPT
-A BROUTING -p IPv4 --ip-proto tcp --ip-dport 80 --log-level info --log-prefix "LOG_BR" --log-ip -j DROP

But none of the packets are received by iptables. I set some log lines
in iptables itself, but they were never executed; that's why I don't
think the packets are reaching the iptables chains. Here's the iptables filter
table:

Table: filter
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    LOG_INP    tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination
1    LOG_FWD    tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

Chain LOG_FWD (1 references)
num  target     prot opt source               destination
1    LOG        all  --  0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 6 prefix `IP_FIL_FWD'

Chain LOG_INP (1 references)
num  target     prot opt source               destination
1    LOG        all  --  0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 6 prefix `IP_FIL_INP'

I expect to at least see the packets dropped by ebtables BROUTING in
the PREROUTING chain of the iptables raw table. But it's as if those
packets are just discarded, whereas the man pages say that packets dropped
in BROUTING are handed over to the higher network layers.

What are the iptables/ebtables rules I have to use for this scenario?
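The following script is an added example for the scenario described in the post; it is not the poster's configuration and not a reply taken from the list. It assumes (none of this is stated in the post) that the bridge device is br0 with eth0 as the client-side port and eth1 as the uplink, that br0 itself carries an IP address while eth0 and eth1 stay address-less, and that the proxy listens on TCP port 8080; BRIDGE, CLIENT_IF and PROXY_PORT are hypothetical names chosen here. The comments explain why a bare "-j DROP" in BROUTING never reaches the iptables hooks and why the ebtables "redirect" target is needed instead.

```shell
#!/bin/sh
# Added example for a transparent HTTP proxy on a Linux bridge. Not the
# poster's configuration; the interface names and port are assumptions.
#
# Why the posted rule set sees nothing in iptables: "-j DROP" in the BROUTING
# chain hands the frame to the IP stack on the port device (eth0) but leaves
# the original destination MAC in place. The driver has already classified such
# a frame as PACKET_OTHERHOST (the bridge port runs in promiscuous mode), and
# ip_rcv() discards PACKET_OTHERHOST frames before the raw/nat PREROUTING hooks
# are reached, so neither the raw table nor the nat REDIRECT ever sees them.
#
# The ebtables "redirect" target fixes that: in BROUTING it rewrites the
# destination MAC to the bridge port's own MAC and marks the frame PACKET_HOST.
# With "--redirect-target ACCEPT" the frame stays on the bridged path; the
# bridge delivers it locally (a port MAC is a local fdb entry), and with
# bridge-nf-call-iptables=1 iptables sees it as arriving on the bridge device.
# REDIRECT then rewrites the destination to the primary address of that input
# interface, which is why br0 needs an address even though eth0/eth1 do not
# (REDIRECT drops the packet if the input interface has no address).

BRIDGE=${BRIDGE:-br0}          # assumed bridge device name
CLIENT_IF=${CLIENT_IF:-eth0}   # assumed client-facing bridge port
PROXY_PORT=${PROXY_PORT:-8080} # assumed local proxy/sniffer port

# Emit the rules, one command per line, without applying them.
rules() {
    cat <<EOF
modprobe br_netfilter 2>/dev/null || true
sysctl -w net.bridge.bridge-nf-call-iptables=1
ebtables -t broute -A BROUTING -i $CLIENT_IF -p IPv4 --ip-proto tcp --ip-dport 80 -j redirect --redirect-target ACCEPT
iptables -t nat -A PREROUTING -i $BRIDGE -p tcp --dport 80 -j REDIRECT --to-ports $PROXY_PORT
iptables -A INPUT -i $BRIDGE -p tcp --dport $PROXY_PORT -j ACCEPT
EOF
}

# The same rules with -A replaced by -D, for a clean rollback.
undo_rules() {
    rules | sed -e '/^modprobe/d' -e '/^sysctl/d' -e 's/ -A / -D /'
}

# Apply (or roll back) the rules; refuses to run without root.
apply() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "must run as root" >&2
        return 1
    fi
    case "$1" in
        undo) undo_rules | sh -e ;;
        *)    rules | sh -e ;;
    esac
}

# Once applied, check that the rules actually match traffic (run manually):
#   ebtables -t broute -L --Lc             # packet counters on the BROUTING rule
#   iptables -t nat -L PREROUTING -v -n    # counters on the REDIRECT rule
#   iptables -L INPUT -v -n                # proxy port accepting the redirected flows

case "${1:-show}" in
    apply) apply ;;
    undo)  apply undo ;;
    *)     rules ;;
esac
```

Run it without arguments to print the rules, "apply" as root to install them, and "undo" to remove them again. The filter-table LOG chains from the post are still useful for confirming delivery: once the redirect target is in place, the LOG_INP counter should start moving, because the redirected connections arrive as local input on the bridge device rather than being forwarded.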