johan firdianto wrote:
Hi Amos,
I already found a solution on the Balabit mailing list; here is the additional step:
# Hand port-80 frames to the IP stack instead of bridging them. In the broute
# table, --redirect-target DROP means "route this frame", not "discard it".
ebtables -t broute -I BROUTING -p ipv4 --ip-proto tcp --ip-dport 80 -j redirect --redirect-target DROP
ebtables -t broute -I BROUTING -p ipv4 --ip-proto tcp --ip-sport 80 -j redirect --redirect-target DROP

# Stop netfilter from seeing bridged frames: zero every bridge-nf-call-* switch.
cd /proc/sys/net/bridge/
for i in *
do
    echo 0 > "$i"
done
unset i
And it works.
I think the above steps need to be added to the wiki for the bridge case.
Thanks.
Aha, just found that in my mail archives from a week ago too.
The Balabit message from 'trasor'?
He was seeing noticeable speed issues, how are you finding it?
Amos
On Wed, Jul 8, 2009 at 1:07 PM, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
johan firdianto wrote:
You're right, Jeffries,
after compiling in connection-tracking NAT, it doesn't make sense.
I mean, I can't see my browsing in access.log
and there is no error in cache.log.
The iptables counter is incrementing, but I can still browse. When I dump
the packets, no Squid header is appended to the response, so the response
didn't come from Squid.
How do I check that a packet from iptables hits Squid?
Or does a bridging environment need a different solution?
Looking for an answer for you, I found an old tutorial that may still have
some relevance. The rest is long and not relevant, so I quote only the bridging
portion:
"Bridge Setup
We configure our system as a network bridge, which means that it sits
between two physical devices on our network and relays the packets between
them. However, there's a twist: we intercept certain packets (those destined
for port 80) and shunt them to Squid for processing.
You'll need two ethernet cards in your machine to bridge between (one "in"
and one "out", as it were). You can use another card for a management IP
address, or you can actually assign an address to the bridge itself and
reach the machine just as you would a "real" interface.
In order to set up the bridge, we need to make a few tweaks to the system.
First, we need to install some software that's necessary for setting up a
bridge:
apt-get install bridge-utils
Next, edit /etc/network/interfaces. You should already have a stanza for a
statically configured interface (e.g., eth0). Keep the settings for the
stanza, but replace the interface name with br0. Also, add the line
bridge_ports ethXXX ethYYY to add them to the bridge. For example:
auto br0
iface br0 inet static
    bridge_ports eth0 eth1
    address 192.168.0.100
    netmask 255.255.255.0
    gateway 192.168.0.1
Additionally, if your setup is like ours you'll need to add some routing to
the box so it knows where to send packets. Our Squid box sits just between
our firewall/router and LAN. Thus, it needs to be told how to route packets
to the LAN and packets to the outside world. We do this by specifying the
firewall as the "gateway" in the interfaces file, and adding a static route
for our LAN. Thus, you would add the following lines to
/etc/network/interfaces in the br0 stanza:
    up route add -net 192.168.1.0/24 gw 192.168.1.1
    down route del -net 192.168.1.0/24 gw 192.168.1.1
We'll need to tell the kernel that we're going to forward packets, so make
sure the following are set in /etc/sysctl.conf:
    net.ipv4.conf.default.rp_filter=1
    net.ipv4.conf.default.forwarding=1
    net.ipv4.conf.all.forwarding=1
Once you're all set, the easiest thing to do is reboot for the bridge config
to take effect. The other settings should now be working also. Run
cat /proc/sys/net/ipv4/ip_forward to confirm that the machine is in forwarding
mode.
"
iptables appeared to be set up as per normal on top of that.
Amos
--
Please be using
Current Stable Squid 2.7.STABLE6 or 3.0.STABLE16
Current Beta Squid 3.1.0.9
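As an added example (not code from the thread, the Balabit list or the Squid project), here is the bridge-case procedure johan posted, collected into one script together with the two checks he asked for: whether the iptables REDIRECT rule is actually matching packets, and whether responses really come back through Squid rather than straight from the origin. The bridge name br0, Squid's port 3128, the "http_port ... transparent" setting and the sample iptables/HTTP output embedded below are assumptions and constructed data, not taken from the thread.

```sh
#!/bin/sh
# Transparent HTTP interception on a Linux bridge: brouting + bridge-nf off +
# iptables REDIRECT, with checks. Assumed (hypothetical) values: bridge br0,
# Squid on 3128 configured with "http_port 3128 transparent" (2.7/3.0 syntax).
BR_IF="${BR_IF:-br0}"
SQUID_PORT="${SQUID_PORT:-3128}"

# Step 1: brouting. In the broute table, the DROP target of the redirect action
# means "route this frame" rather than "bridge it": port-80 frames are handed to
# the local IP stack so netfilter NAT can see them; everything else is bridged.
# Uses -I like the posted rules, so run "apply" only once.
apply_ebtables() {
    ebtables -t broute -I BROUTING -p IPv4 --ip-proto tcp --ip-dport 80 \
        -j redirect --redirect-target DROP
    ebtables -t broute -I BROUTING -p IPv4 --ip-proto tcp --ip-sport 80 \
        -j redirect --redirect-target DROP
}

# Step 2: keep iptables away from purely bridged frames (the posted "for i in *"
# loop), so the NAT rule only ever sees the traffic we brouted.
apply_bridge_sysctl() {
    for f in /proc/sys/net/bridge/*; do
        if [ -e "$f" ]; then echo 0 > "$f"; fi
    done
    echo 1 > /proc/sys/net/ipv4/ip_forward
}

# Step 3: the ordinary interception rule. PREROUTING only matches traffic that
# arrives on br0, so Squid's own outbound fetches (OUTPUT chain) are never
# redirected back into it.
apply_iptables() {
    iptables -t nat -A PREROUTING -i "$BR_IF" -p tcp --dport 80 \
        -j REDIRECT --to-ports "$SQUID_PORT"
}

# Check A: packets matched by the REDIRECT rule, parsed from the output of
# "iptables -t nat -L PREROUTING -v -n -x" on stdin. A counter that stays at
# zero while clients can still browse means the frames are still being bridged.
redirect_pkts() {
    awk '$3 == "REDIRECT" && $4 == "tcp" { sum += $1 } END { print sum + 0 }'
}

# Check B: a response that passed through Squid carries a Via header naming it
# (normally X-Cache too). Reads raw response headers on stdin; exit 0 if Squid
# handled the response, 1 if it came straight from the origin.
came_via_squid() {
    grep -qi '^Via:.*squid'
}

classify() {
    if came_via_squid; then echo "via squid (intercepted)"; else echo "direct (NOT intercepted)"; fi
}

# Live form of check B, run from a client behind the bridge (needs curl).
check_live() {
    curl -sI "$1" | classify
}

# Constructed sample data (not captured from the thread) for a stand-alone demo.
SAMPLE_NAT='Chain PREROUTING (policy ACCEPT 12 packets, 720 bytes)
    pkts      bytes target     prot opt in     out     source               destination
      42     2520 REDIRECT   tcp  --  br0    *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 redir ports 3128'
SAMPLE_HDR_SQUID='HTTP/1.0 200 OK
Content-Type: text/html
Via: 1.0 proxy.example.net (squid/3.0.STABLE16)
X-Cache: MISS from proxy.example.net'
SAMPLE_HDR_DIRECT='HTTP/1.1 200 OK
Content-Type: text/html
Server: Apache'

demo() {
    printf 'REDIRECT rule matched %s packets\n' "$(printf '%s\n' "$SAMPLE_NAT" | redirect_pkts)"
    printf 'sample 1: %s\n' "$(printf '%s\n' "$SAMPLE_HDR_SQUID" | classify)"
    printf 'sample 2: %s\n' "$(printf '%s\n' "$SAMPLE_HDR_DIRECT" | classify)"
}

case "${1:-demo}" in
    apply) apply_ebtables; apply_bridge_sysctl; apply_iptables ;;
    check) check_live "${2:-http://www.example.com/}" ;;
    *)     demo ;;
esac
```

Run "sh intercept.sh apply" as root on the bridge box once, then "sh intercept.sh check http://some.site/" from a client behind it; with no arguments the script only exercises the two checks against the constructed samples. If the counter from "iptables -t nat -L PREROUTING -v -n -x" climbs but responses still show no Via header, the request is reaching netfilter but not Squid, which points at the http_port mode rather than at the bridge rules.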