Ming-Ching Tiew wrote in the last message:

> From: "Henrik Nordstrom" <henrik@xxxxxxxxxxxxxxxxxxx>
>
>>> Can I simulate a level 4 switch behaviour using Linux? If yes,
>>> any insight to the necessary ebtables/iptables rules?
>>
>> Linux policy routing is an example of "layer 4".
>
> I am wondering if this setup shall be a reasonable representation of a
> so-called level 4 bridge. This configuration works under both 'tproxy transparent'
> as well as 'transparent' mode for squid 2.6 stable 13.

Seeing clearly the high risk of being shot to death ... but aren't you mixing things here?

*layer* 4 and *level* 4 are different things, and policy routing eventually is still another.

For policy routing you do not need a level 4 bridge nor a level 4 switch, because any OS with any kind of forwarding-capable firewall package can do that, and in order to do routing (any) you do not need a bridge setup at all.

Michel

> Assuming :-
>
> NETMASK=255.255.192.0
> SQUID_IP=192.168.128.50
> L4_SWITCH_IP=192.168.128.51
> INTERNET_GW=192.168.128.1
>
> 1. On the L4 switch create bridge br0 consisting of 3 ethernet interfaces.
>
> eth1 is connected to internet
> eth0 is connected to inside network
> eth2 is connected to squid
>
> # ifconfig eth0 0.0.0.0 promisc up
> # ifconfig eth1 0.0.0.0 promisc up
> # ifconfig eth2 0.0.0.0 promisc up
> # brctl addbr br0
> # brctl addif br0 eth0
> # brctl addif br0 eth1
> # brctl addif br0 eth2
> # ifconfig br0 $L4_SWITCH_IP netmask $NETMASK up
>
> 2. Set up the bridge to mark the packets so that policy routing works :-
>
> from inside network go to internet destination port 80, mark 1.
> from internet come back with source port 80, mark 1 as well.
>
> # ebtables -t broute -A BROUTING -i eth0 -p IPv4 --ip-protocol 6 \
>     --ip-destination-port 80 -j redirect --redirect-target DROP
> # iptables -t mangle -A PREROUTING -i eth0 -p tcp --dport 80 \
>     -j MARK --set-mark 1
>
> # ebtables -t broute -A BROUTING -i eth1 -p IPv4 --ip-protocol 6 \
>     --ip-source-port 80 -j redirect --redirect-target DROP
> # iptables -t mangle -A PREROUTING -i eth1 -p tcp --sport 80 \
>     -j MARK --set-mark 1
>
> 3. Set up additional routing table and ip rule :-
>
> # echo '100 one' > /etc/iproute2/rt_tables
> # ip rule add fwmark 1 lookup one
> # ip route add default via $SQUID_IP table one
>
> ( routing table 'one' needs only to have one line, i.e. the default route;
> local interface routes will interfere with tproxy )
>
> # ip route add default via $INTERNET_GW table main
>
> Regards.
> ...

****************************************************
Datacenter Matik http://datacenter.matik.com.br
E-Mail and Data Hosting Service for Professionals.
****************************************************
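As an added example (not part of the thread or of squid), a dry-run helper for the quoted L4-bridge recipe: it checks that squid, the bridge and the Internet gateway sit in one subnet under the given NETMASK, which the recipe relies on because table 'one' holds nothing but "default via $SQUID_IP", and then prints the mark/route rules for review instead of executing them. The addresses are the ones from the post; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread: dry-run helper for the L4-bridge recipe
# quoted above. It checks the precondition the recipe relies on silently (table
# 'one' holds only "default via $SQUID_IP", so squid and the gateway must be
# on-link with br0) and prints the mark/route rules instead of running them.
# Addresses are the thread's values; the function names are this example's.

NETMASK=255.255.192.0
SQUID_IP=192.168.128.50
L4_SWITCH_IP=192.168.128.51
INTERNET_GW=192.168.128.1

# ip_to_int A.B.C.D -> 32-bit integer, POSIX sh arithmetic only
ip_to_int() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# network_of IP MASK -> dotted network address of IP under MASK
network_of() {
    n=$(( $(ip_to_int "$1") & $(ip_to_int "$2") ))
    echo "$(( (n >> 24) & 255 )).$(( (n >> 16) & 255 )).$(( (n >> 8) & 255 )).$(( n & 255 ))"
}

# same_subnet IP1 IP2 MASK -> true when both hosts fall in one network
same_subnet() {
    [ "$(network_of "$1" "$3")" = "$(network_of "$2" "$3")" ]
}

# check_topology -> fails unless squid and the gateway are reachable on-link
check_topology() {
    same_subnet "$L4_SWITCH_IP" "$SQUID_IP" "$NETMASK" &&
    same_subnet "$L4_SWITCH_IP" "$INTERNET_GW" "$NETMASK" &&
    [ "$SQUID_IP" != "$INTERNET_GW" ]
}

# emit_rules -> prints steps 2 and 3 for review; bridge creation and the
# rt_tables entry stay as in the post
emit_rules() {
    check_topology || { echo "hosts not in one subnet; check NETMASK/IPs" >&2; return 1; }
    cat <<EOF
ebtables -t broute -A BROUTING -i eth0 -p IPv4 --ip-protocol 6 --ip-destination-port 80 -j redirect --redirect-target DROP
iptables -t mangle -A PREROUTING -i eth0 -p tcp --dport 80 -j MARK --set-mark 1
ebtables -t broute -A BROUTING -i eth1 -p IPv4 --ip-protocol 6 --ip-source-port 80 -j redirect --redirect-target DROP
iptables -t mangle -A PREROUTING -i eth1 -p tcp --sport 80 -j MARK --set-mark 1
ip rule add fwmark 1 lookup one
ip route add default via $SQUID_IP table one
ip route add default via $INTERNET_GW table main
EOF
}
```

Run `emit_rules` on the bridge host and compare its output with the rules actually loaded before changing anything; a failed subnet check means the "default via $SQUID_IP" route in table 'one' could never be installed as an on-link route.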