Re: Bridge

On 08/02/17 13:36, Mario Leone wrote:
Dear users,

I have a GPON fiber home connection that consists of 2 devices:

- Optical network terminal (Huawei HG8010H)
- My ISP's custom-firmware router

The router connects to the ONT via the WAN port, and the traffic is basically IPv4
encapsulated in a PPPoE session encapsulated in a 2-VLAN trunk, one for HTTP(S),
one for VoIP.

I want to see the traffic that flows between router and ONT, so I built a
Linux box with 2 ports configured as a bridge with no IP:

ONT ------ eth1[BOX]eth0 ------- Router

The typical packet that flows has the source MAC address and destination MAC
address of the ONT and the router (depending on the direction) and the rest inside.
I could just put Wireshark listening on br0, but I can see only unencrypted
traffic, so I want to do something a little more complicated.

I would like to intercept traffic in both directions and redirect it to a localhost
proxy with 3 stages:

1) set up ebtables to recognize traffic on the HTTP VLAN (so all traffic) and
bring it to layer 3
2) set up iptables to NAT packets on some ports to be intercepted by my SSL
proxy and leave all other traffic untouched
3) NAT traffic back to the original destination as if it was sent by the router,
or vice versa from the server

I failed in every attempt to redirect traffic or even log it passing through the
bridge.
Any help?

Thanks


# First rule is only an optimization.
ebtables -t broute -A BROUTING -d ${my_bridge_mac} -p ipv4 -j redirect --redirect-target DROP

# Those are the rules to bring http traffic to layer 3
ebtables -t broute -A BROUTING -p ipv4 --ip-proto tcp --ip-dport 80 -j redirect --redirect-target DROP
ebtables -t broute -A BROUTING -p ipv4 --ip-proto tcp --ip-sport 80 -j redirect --redirect-target DROP

# Some more may be needed because of your VLAN configuration.

Once at layer 3, the Router must have routes to reach the ONT, the Router and the IPs behind the Router. The router needs an IP to ask for ARP on both sides. The proxy (unless in tproxy mode) needs to have an IP to use as source for its packets. Even in tproxy mode, the proxy needs a source IP to send NS queries.


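The setup the thread describes, written out as one script. This is an added example, not code from either poster. It adds the de-tagging step the reply hints at: ebtables' --ip-* matches only accept -p ipv4, so the tagged trunk is split into per-VLAN sub-interfaces and those are bridged before any BROUTING rule can see TCP ports. Everything in the configuration block is an assumption: VLAN 100 carries the HTTP traffic, eth0 faces the router, eth1 faces the ONT, the box takes 10.200.0.1/24 on the bridge, the proxy listens on 10.200.0.1:8080, the router's public address is 203.0.113.10 and the ISP gateway is 203.0.113.1. It also assumes plain IPv4 on that VLAN; with the PPPoE session the original post describes, the IP packets sit inside PPP frames that neither ebtables' IP matches nor iptables can see, so the box would first have to terminate the PPPoE session itself.

```shell
#!/bin/sh
# Added example for this thread, not code from either poster. Scripts the three
# stages discussed (broute to layer 3, NAT to a local proxy, NAT the proxy's
# packets back out as if the router sent them) plus the addresses and routes the
# reply says are needed. All values below are assumptions for illustration.
# DRY_RUN=1 prints the commands instead of executing them (no root needed).

VLAN_ID="${VLAN_ID:-100}"                    # assumed: VLAN carrying HTTP(S)
IF_ROUTER="${IF_ROUTER:-eth0}"               # port towards the router
IF_ONT="${IF_ONT:-eth1}"                     # port towards the ONT
BR="br${VLAN_ID}"
BR_ADDR="${BR_ADDR:-10.200.0.1}"             # the box's own address (ARP + proxy)
BR_PLEN="${BR_PLEN:-24}"
ROUTER_WAN_IP="${ROUTER_WAN_IP:-203.0.113.10}"   # assumed router address
ISP_GW="${ISP_GW:-203.0.113.1}"                  # assumed ISP gateway
PROXY_PORT="${PROXY_PORT:-8080}"             # proxy listening on $BR_ADDR
DRY_RUN="${DRY_RUN:-0}"

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Stage 0: de-tag first. ebtables' --ip-* matches refuse anything but -p ipv4,
# so the tagged trunk is split into per-VLAN sub-interfaces and those are
# bridged; the bridge and the BROUTING chain then see plain IPv4 frames.
setup_bridge() {
    run ip link add link "$IF_ROUTER" name "$IF_ROUTER.$VLAN_ID" type vlan id "$VLAN_ID"
    run ip link add link "$IF_ONT" name "$IF_ONT.$VLAN_ID" type vlan id "$VLAN_ID"
    run ip link add name "$BR" type bridge
    run ip link set "$IF_ROUTER.$VLAN_ID" master "$BR"
    run ip link set "$IF_ONT.$VLAN_ID" master "$BR"
    run ip addr add "$BR_ADDR/$BR_PLEN" dev "$BR"
    for dev in "$IF_ROUTER" "$IF_ONT" "$IF_ROUTER.$VLAN_ID" "$IF_ONT.$VLAN_ID" "$BR"; do
        run ip link set "$dev" up
    done
    # Routes to the router (on-link) and to the Internet (via the ISP gateway,
    # which is not in the box's own subnet, hence "onlink"). Replies from the
    # Internet arrive on the ONT-side port while the route back points at the
    # bridge device, so strict reverse-path filtering must be off.
    run ip route add "$ROUTER_WAN_IP/32" dev "$BR"
    run ip route add default via "$ISP_GW" dev "$BR" onlink
    run sysctl -w net.ipv4.conf.all.rp_filter=0
}

# Stage 1: pull port-80 frames out of the bridge. In BROUTING, "redirect"
# rewrites the destination MAC to the port's own MAC and the DROP verdict
# means "route instead of bridge". Every other frame is still bridged untouched.
setup_broute() {
    run ebtables -t broute -A BROUTING -p ipv4 --ip-proto tcp --ip-dport 80 \
        -j redirect --redirect-target DROP
    run ebtables -t broute -A BROUTING -p ipv4 --ip-proto tcp --ip-sport 80 \
        -j redirect --redirect-target DROP
}

# Stage 2: brouted frames are delivered as if received on the port device, not
# on the bridge, so the NAT rule keys on the router-side sub-interface. DNAT to
# the box's address is used rather than REDIRECT: REDIRECT picks the ingress
# interface's address, and eth0.100 has none, so it would drop the packet.
setup_dnat() {
    run iptables -t nat -A PREROUTING -i "$IF_ROUTER.$VLAN_ID" -p tcp --dport 80 \
        -j DNAT --to-destination "$BR_ADDR:$PROXY_PORT"
}

# Stage 3: the proxy's own connections leave with the router's address as
# source, so the ISP side sees what it would without the box. conntrack undoes
# this on the replies, which stage 1 brings to layer 3 via --ip-sport 80.
setup_snat() {
    run iptables -t nat -A POSTROUTING -o "$BR" -p tcp --dport 80 \
        -j SNAT --to-source "$ROUTER_WAN_IP"
}

build_all() {
    setup_bridge
    setup_broute
    setup_dnat
    setup_snat
}

# Usage: DRY_RUN=1 sh intercept.sh apply   (print)   sh intercept.sh apply   (root)
if [ "${1:-}" = "apply" ]; then
    build_all
fi
```

Run it once with DRY_RUN=1 to read the full rule set before applying it as root; the only frames leaving the bridge path are TCP/80 in either direction, everything else (including the VoIP VLAN, which is never de-tagged here) is still switched untouched.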