This is long; I appreciate your patience.

I am using Squid on a Linux box set up as a bridge, and have set up ebtables and iptables following the documentation available on the Net :-

    ebtables -t broute -A BROUTING -p IPv4 --ip-protocol 6 \
            --ip-destination-port 80 -j redirect --redirect-target ACCEPT

    iptables -t tproxy -A PREROUTING -i br0 -p tcp --dport 80 \
            -j TPROXY --on-port 80

    # this doesn't seem to have an impact, but I have put it in anyway
    for i in /proc/sys/net/ipv4/conf/*/rp_filter
    do
            echo 0 > "$i"
    done

At a brief glance it seems to be working properly, but upon detailed investigation there are some issues. This is my observation :-

If I place the Bridge/Squid S in a subnet A before the default internet gateway D, then all the machines inside the same subnet A can be serviced by the Squid cache engine. Sniffing confirmed that the source IP has been spoofed by Bridge/Squid S.

However, if there is a subnet B, which is connected to subnet A via a router R, then all the machines inside subnet B will have problems getting the HTTP reply packets, but HTTP request packets have no problem going out. Note that non-HTTP packets, because they have not been redirected by the ebtables rules, have no problem at all. This shows that the routing outside of the Bridge/Squid has all been set up correctly.

Then I added a route inside the Bridge/Squid S for the subnet B via router R, and the web request/reply problem was solved.

It seems to me, then, that the HTTP reply (source port 80) has also been directed ***INTO*** the Bridge/Squid S. Why is that so? Why didn't the Bridge/Squid forward the reply packet to the other side of the interface? I am looking for something more transparent.

Any insight is much appreciated.

p/s :- The logs I captured using tcpdump on the Squid machine before and after I added the route. Network B 10.6.1.0/24, Network A 192.168.128.0/18, Router R 10.6.1.1<-->192.168.128.50, Squid 192.168.128.20.

Before :-

    squid:~> tcpdump -ni br0 host 10.6.1.2 and port 80
    tcpdump: WARNING: br0: no IPv4 address assigned
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on br0, link-type EN10MB (Ethernet), capture size 68 bytes
    09:06:12.974206 IP 10.6.1.2.39895 > 192.168.128.20.80: S 3302818155:3302818155(0) win 5840 <mss 1460,sackOK,timestamp 13603778[|tcp]>
    09:06:12.974252 IP 66.249.89.99.80 > 10.6.1.2.39895: S 3648928734:3648928734(0) ack 3302818156 win 5792 <mss 1460,sackOK,timestamp 18102136[|tcp]>
    09:06:15.974464 IP 10.6.1.2.39895 > 192.168.128.20.80: S 3302818155:3302818155(0) win 5840 <mss 1460,sackOK,timestamp 13604528[|tcp]>
    09:06:15.974492 IP 66.249.89.99.80 > 10.6.1.2.39895: S 3648928734:3648928734(0) ack 3302818156 win 5792 <mss 1460,sackOK,timestamp 18102886[|tcp]>
    09:06:16.233344 IP 66.249.89.99.80 > 10.6.1.2.39893: S 3551948981:3551948981(0) ack 3215288824 win 5792 <mss 1460,sackOK,timestamp 18102951[|tcp]>
    0

    squid:~> tcpdump -ni eth0 host 10.6.1.2 and port 80
    tcpdump: WARNING: eth0: no IPv4 address assigned
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on eth0, link-type EN10MB (Ethernet), capture size 68 bytes
    09:03:46.982444 IP 66.249.89.104.80 > 10.6.1.2.48082: S 3479803592:3479803592(0) ack 3133545990 win 5792 <mss 1460,sackOK,timestamp 18065645[|tcp]>
    09:03:49.982585 IP 66.249.89.104.80 > 10.6.1.2.48082: S 3479803592:3479803592(0) ack 3133545990 win 5792 <mss 1460,sackOK,timestamp 18066395[|tcp]>
    09:03:50.334072 IP 66.249.89.104.80 > 10.6.1.2.48082: S 3479803592:3479803592(0)

After I added a route :-

    squid:~> ip route add 10.6.1.0/24 via 192.168.128.50

    squid:~> tcpdump -ni br0 host 10.6.1.2 and port 80
    tcpdump: WARNING: br0: no IPv4 address assigned
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on br0, link-type EN10MB (Ethernet), capture size 68 bytes
    09:12:55.957274 IP 10.6.1.2.47574 > 192.168.128.20.80: S 3726051898:3726051898(0) win 5840 <mss 1460,sackOK,timestamp 13704510[|tcp]>
    09:12:55.957398 IP 66.249.89.147.80 > 10.6.1.2.47574: S 4058179260:4058179260(0) ack 3726051899 win 5792 <mss 1460,sackOK,timestamp 18202862[|tcp]>
    09:12:55.957777 IP 10.6.1.2.47574 > 192.168.128.20.80: . ack 4058179261 win 92 <nop,nop,timestamp 13704510 18202862>

    squid:~> tcpdump -ni eth0 host 10.6.1.2 and port 80
    tcpdump: WARNING: eth0: no IPv4 address assigned
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on eth0, link-type EN10MB (Ethernet), capture size 68 bytes
    09:12:55.962016 IP 10.6.1.2.43328 > 66.249.89.99.80: S 4071804540:4071804540(0) win 5840 <mss 1460,sackOK,timestamp 18202863[|tcp]>
    09:12:56.403123 IP 66.249.89.99.80 > 10.6.1.2.43328: S 3907206245:3907206245(0) ack 4071804541 win 8472 <mss 1412,nop,nop,sackOK,nop,wscale 0,nop,nop,[|tcp]>
    09:12:56.403155 IP 10.6.1.2.43328 > 66.249.89.99.80: . ack 1 win 46 <nop,nop,timestamp 18202973 41623216>
    09:12:56.403560 IP 10.6.1.2.43328 > 66.249.89.99.80: P 1:1400(1399) ack 1 win 46 <nop,nop,timestamp 18202974 41623216>
    0
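
An added example, not part of the original post: a small parser that reads tcpdump lines like the br0 captures above and reports, per client port, whether the TCP handshake completed or stalled. Flows are keyed by the client endpoint only, because in these captures the SYN is addressed to 192.168.128.20:80 while the SYN-ACK carries the origin server's address; the function name and the trimmed sample lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: lines taken from the br0 captures in the post
# (TCP options trimmed), before and after the route was added.
BEFORE = """\
09:06:12.974206 IP 10.6.1.2.39895 > 192.168.128.20.80: S 3302818155:3302818155(0) win 5840
09:06:12.974252 IP 66.249.89.99.80 > 10.6.1.2.39895: S 3648928734:3648928734(0) ack 3302818156 win 5792
09:06:15.974464 IP 10.6.1.2.39895 > 192.168.128.20.80: S 3302818155:3302818155(0) win 5840
09:06:15.974492 IP 66.249.89.99.80 > 10.6.1.2.39895: S 3648928734:3648928734(0) ack 3302818156 win 5792
"""
AFTER = """\
09:12:55.957274 IP 10.6.1.2.47574 > 192.168.128.20.80: S 3726051898:3726051898(0) win 5840
09:12:55.957398 IP 66.249.89.147.80 > 10.6.1.2.47574: S 4058179260:4058179260(0) ack 3726051899 win 5792
09:12:55.957777 IP 10.6.1.2.47574 > 192.168.128.20.80: . ack 4058179261 win 92
"""

# timestamp, "IP", src.port, dst.port, flags, remainder of the line
LINE = re.compile(r"^\S+ IP (\S+)\.(\d+) > (\S+)\.(\d+): (\S+) (.*)$")

def handshakes(capture, client_ip):
    """Return {client_port: {"status", "syn", "synack"}} for one client."""
    seen = defaultdict(lambda: {"syn": 0, "synack": 0, "ack": 0})
    for line in capture.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # banner lines, prompts, truncated output
        src, sport, dst, dport, flags, rest = m.groups()
        has_ack = re.search(r"\back \d+", rest) is not None
        if src == client_ip:
            # Client side: a SYN, or a later segment acknowledging the SYN-ACK.
            kind = "syn" if "S" in flags else ("ack" if has_ack else None)
            port = int(sport)
        elif dst == client_ip:
            # Server side: only the SYN-ACK matters for the handshake.
            kind = "synack" if "S" in flags and has_ack else None
            port = int(dport)
        else:
            continue
        if kind:
            seen[port][kind] += 1
    # A flow with no client ACK never left the handshake; syn > 1 means retries.
    return {port: {"status": "completed" if c["ack"] else "stalled",
                   "syn": c["syn"], "synack": c["synack"]}
            for port, c in seen.items()}
```
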