Hi Amos,

I already found a solution on the balabit mailing list; here is the additional step:

ebtables -t broute -I BROUTING -p ipv4 --ip-proto tcp --ip-dport 80 -j redirect --redirect-target DROP
ebtables -t broute -I BROUTING -p ipv4 --ip-proto tcp --ip-sport 80 -j redirect --redirect-target DROP

cd /proc/sys/net/bridge/
for i in *
do
    echo 0 > $i
done
unset i

And it works. I think the above steps need to be added to the wiki for the bridge case.

Thanks.

On Wed, Jul 8, 2009 at 1:07 PM, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
> johan firdianto wrote:
>>
>> You're right Jeffries,
>>
>> after compiling connection tracking NAT, it doesn't make sense.
>> I mean, I can't see my browsing log in access.log,
>> no error in cache.log,
>> the iptables counter is incrementing. But I still can browse. When I dump
>> the packet, no Squid header is appended to the response, so the response
>> didn't come from squid.
>> How do I check that the packet from iptables hits squid?
>> Or does a bridging environment need a different solution?
>
>
> Looking for an answer for you I found an old tutorial that may still have
> some relevance. The rest is long and non-relevant so I quote the bridging
> portion:
>
> "Bridge Setup
>
> We configure our system as a network bridge, which means that it sits
> between two physical devices on our network and relays the packets between
> them. However, there's a twist: we intercept certain packets (those destined
> for port 80) and shunt them to Squid for processing.
>
> You'll need two ethernet cards in your machine to bridge between (one "in"
> and one "out", as it were). You can use another card for a management IP
> address, or you can actually assign an address to the bridge itself and
> reach the machine just as you would a "real" interface.
>
> In order to set up the bridge, we need to make a few tweaks to the system.
> First, we need to install some software that's necessary for setting up a
> bridge:
>
> apt-get install bridge-utils
>
> Next, edit /etc/network/interfaces. You should already have a stanza for a
> statically configured interface (e.g., eth0). Keep the settings for the
> stanza, but replace the interface name with br0. Also, add the line
> bridge_ports ethXXX ethYYY to add them to the bridge. For example:
>
> auto br0
> iface br0 inet static
> bridge_ports eth0 eth1
> address 192.168.0.100
> netmask 255.255.255.0
> gateway 192.168.0.1
>
> Additionally, if your setup is like ours you'll need to add some routing to
> the box so it knows where to send packets. Our Squid box sits just between
> our firewall/router and LAN. Thus, it needs to be told how to route packets
> to the LAN and packets to the outside world. We do this by specifying the
> firewall as the "gateway" in the interfaces file, and adding a static route
> for our LAN. Thus, you would add the following lines to
> /etc/network/interfaces in the br0 stanza:
>
> up route add -net 192.168.1.0/24 gw 192.168.1.1
> down route del -net 192.168.1.1/24 gw 192.168.1.1
>
> We'll need to tell the kernel that we're going to forward packets, so make
> sure the following are set in /etc/sysctl.conf:
>
> net.ipv4.conf.default.rp_filter=1
> net.ipv4.conf.default.forwarding=1
> net.ipv4.conf.all.forwarding=1
>
> Once you're all set, the easiest thing to do is reboot for the bridge config
> to take effect. The other settings should now be working also. cat
> /proc/sys/net/ipv4/ip_forward to confirm that the machine is in forwarding
> mode.
> "
>
> iptables appeared to be setup as per normal on top of that.
>
> Amos
> --
> Please be using
> Current Stable Squid 2.7.STABLE6 or 3.0.STABLE16
> Current Beta Squid 3.1.0.9
>
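As an added example that is not part of this thread, of the quoted tutorial, or of Squid's own documentation, the POSIX shell script below collects the bridge-interception steps from both messages into one place: the /proc/sys/net/bridge loop and the two ebtables broute rules from the reply above, plus the iptables REDIRECT rule that the tutorial only alludes to ("iptables ... setup as per normal"). The bridge name br0, the Squid port 3128 and the DRY_RUN switch are assumptions; set DRY_RUN=1 to print the commands instead of executing them, which needs no root.

```shell
#!/bin/sh
# Added example, not from the original thread. Interface name, Squid port and
# the DRY_RUN switch are assumptions; adjust them for your own network.

BRIDGE="${BRIDGE:-br0}"          # assumed bridge interface name
SQUID_PORT="${SQUID_PORT:-3128}" # assumed Squid intercept port
DRY_RUN="${DRY_RUN:-0}"          # 1 = print commands, 0 = execute them

# Execute a command, or just print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Step 1 (from the reply above): stop the bridge from handing every bridged
# frame to iptables/ip6tables/arptables by writing 0 to each bridge-nf-call-*
# toggle. Missing files (kernel without bridge-nf) are skipped.
disable_bridge_nf() {
    for f in /proc/sys/net/bridge/*; do
        [ -e "$f" ] || continue
        if [ "$DRY_RUN" = "1" ]; then
            printf 'echo 0 > %s\n' "$f"
        else
            echo 0 > "$f"
        fi
    done
}

# Step 2 (from the reply above): ebtables broute rules. In the BROUTING chain
# "redirect" rewrites the destination MAC to the bridge's own address, and the
# DROP target means "route this frame through the local IP stack", not
# "discard". That is what lets port-80 frames reach the NAT rule in step 3.
add_broute_rules() {
    run ebtables -t broute -I BROUTING -p ipv4 --ip-proto tcp --ip-dport 80 \
        -j redirect --redirect-target DROP
    run ebtables -t broute -I BROUTING -p ipv4 --ip-proto tcp --ip-sport 80 \
        -j redirect --redirect-target DROP
}

# Step 3 (assumption: the "iptables as per normal" rule the tutorial refers to
# is the usual Squid interception REDIRECT, with Squid listening on SQUID_PORT
# in intercept/transparent mode). Only frames routed by step 2 ever reach it.
add_nat_rule() {
    run iptables -t nat -A PREROUTING -i "$BRIDGE" -p tcp --dport 80 \
        -j REDIRECT --to-port "$SQUID_PORT"
}

# Step 4 (from the tutorial): confirm the machine is in forwarding mode.
check_forwarding() {
    [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = "1" ]
}

main() {
    disable_bridge_nf
    add_broute_rules
    add_nat_rule
    if check_forwarding; then
        echo "net.ipv4.ip_forward=1: OK"
    else
        echo "warning: net.ipv4.ip_forward is not 1; set it in /etc/sysctl.conf" >&2
    fi
}

# Usage: DRY_RUN=1 sh bridge-intercept.sh apply   (print the commands)
#        sh bridge-intercept.sh apply             (apply them, as root)
if [ "${1:-}" = "apply" ]; then
    main
fi
```

Two points worth keeping in mind when reading the script. First, step 1 is what made the original poster's iptables rule start working, but it also means iptables no longer sees any purely bridged traffic at all: any filtering you relied on for frames crossing br0 must move to ebtables, because only the port-80 flows that step 2 routes into the IP stack still traverse netfilter. Second, the order matters: with bridge-nf enabled and no broute rules, the counters increment (as the poster saw) while the bridge still forwards the frame at layer 2, so Squid never receives the connection.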