Re: Tproxy4+squid: ebtables wiki

[Dan <dan@xxxxxxxx>]

Those are the same ebtable and iptable rules that I am using except that 
I use DROP.  If it is working for you then that is great. :) As for why 
it works that way I don't know.  When I use ACCEPT the traffic is 
bridged through and not redirected to squid.

Dan

Marko Kotar wrote:
> Ok
> My ebtable rules are(without -i option):
> ebtables -t broute -A BROUTING -p ipv4 --ip-proto tcp --ip-dport 80 -j redirect --redirect-target ACCEPT
>
>  ebtables -t broute -A BROUTING -p ipv4 --ip-proto tcp --ip-sport 80 -j redirect --redirect-target ACCEPT
>
> This might be the different:
> Bridge is up and it is having an ip address. Ethernet interfaces are up but not having any ip address asigned.
> ifconfig eth0 up promisc
> ...
> bridge interface is configured with dhclient:
> dhclient3 br0
>
> This rules are for the routing;
> ip rule add fwmark 1 lookup 100
> ip route add local 0.0.0.0/0 dev lo table 100
> And:
> echo 0 > /proc/sys/net/ipv4/conf/lo/rp_filter
> echo 1 > /proc/sys/net/ipv4/ip_forward
>
> iptables are:
> iptables -t mangle -N DIVERT
> iptables -t mangle -A DIVERT -j MARK --set-mark 1
> iptables -t mangle -A DIVERT -j ACCEPT
> iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
> iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129
>
> squid configuration is default, except
> acl allow all
> and port is set to the same address as in iptables, and having TPROXY set.
> I am using: 2.6.28-16-server x86_64 ubuntu, default or compiled ebtables v2.0.9-1 (June 2009), compiled iptables v1.4.5,
> Squid Cache: Version 3.1.0.14
> configure options:  '--enable-linux-netfilter' --with-squid=/home/marko/src/squid-3.1.0.14 --enable-ltdl-convenience
> configured ony with additional linux-netfilter flag
>
> I've used various network configurations:
> -virtual computer using VmBox with virtual interface in the linux bridge on guest pc.
> -computer with two interfaces.
> -double bridged vmbox: two virtual machines: first having 2 virtual interfaces. 
> birdged and having sqiud. second virtual pc being client with one virtual interface. one interface of first was bridged on guest computer to external interface, other two were bridged together.
>
> Drop didn't work in any of them, accept was tested only in first.
>
>
>
>  
> i think thats all the settings i have.
>
>
> --- On Wed, 10/28/09, Dan <dan@xxxxxxxx> wrote:
>
>   
> > From: Dan <dan@xxxxxxxx>
> > Subject: Re:  Tproxy4+squid: ebtables wiki
> > To: "Marko Kotar" <kotarmarko@xxxxxxxxx>, squid-users@xxxxxxxxxxxxxxx
> > Date: Wednesday, October 28, 2009, 9:21 PM
> > Marko Kotar wrote:
> >     
> > > Thanks.
> > >
> > > "redirect
> > >
> > > The redirect target will change the MAC target address
> > >       
> > to that of the bridge device the frame arrived on. This
> > target can only be used in the BROUTING chain of the broute
> > table and the PREROUTING chain of the nat table. In the
> > BROUTING chain, the MAC address of the bridge port is used
> > as destination address, in the PREROUTING chain, the MAC
> > address of the bridge is used.
> >     
> > > --redirect-target target
> > >
> > >      Specifies the standard target.
> > >       
> > After doing the MAC redirect, the rule still has to give a
> > standard target so ebtables knows what to do. The default
> > target is ACCEPT. Making it CONTINUE could let you use
> > multiple target extensions on the same frame. Making it DROP
> > in the BROUTING chain will let the frames be routed. RETURN
> > is also allowed. Note that using RETURN in a base chain is
> > not allowed." 
> >     
> > > I think: If accept is used it goes in the tproxy
> > >       
> > because dst mac is changed to bridge address. (So it goes up
> > as it would if client had  gateway configured to that
> > machine?) But is also should drop work? 
> >     
> > >    
> > >       
> > I decided to test it. I changed my rule to ACCEPT and
> > traffic passes but not through the proxy.  My
> > access.log shows no new traffic after changing the
> > rule.  DROP is what passes the frame off to
> > iptables.  Could you show all your rules?  If
> > squid is receiving the traffic the only thing I can think of
> > is that maybe there is another rule further down the chain
> > that cause the frame to be routed.
> >
> >     
> > > I have tryed drop but it didn't work. I didn't get
> > >       
> > through any traffic.
> >     
> > > If i didn't use any of ebtable rules it went through.
> > > But accept works.  --- On Wed, 10/28/09, Dan
> > >       
> > <dan@xxxxxxxx>
> > wrote:
> >     
> > >    
> > >       
> > > > From: Dan <dan@xxxxxxxx>
> > > > Subject: Re:  Tproxy4+squid: ebtables
> > > >         
> > wiki
> >     
> > > > To: "Marko Kotar" <kotarmarko@xxxxxxxxx>
> > > > Cc: squid-users@xxxxxxxxxxxxxxx
> > > > Date: Wednesday, October 28, 2009, 1:03 AM
> > > > Marko Kotar wrote:
> > > >      
> > > >         
> > > > > Hi,
> > > > > You have incorrect commands in squid wiki for
> > > > >           
> > tproxy4
> >     
> > > > >        
> > > > >           
> > > > ebtables:
> > > >      
> > > >         
> > > > > I figure out that it is not "--redirect-target
> > > > >           
> > DROP"
> >     
> > > > >        
> > > > >           
> > > > but it is  "--redirect-target ACCEPT" .
> > > >      
> > > >         
> > > > >           
> > > > >           
> > > > With ebtables using broute ACCEPT and DROP have
> > > >         
> > special
> >     
> > > > meanings.  DROP means route the frame and
> > > >         
> > ACCEPT means bridge the frame.
> >     
> > > > http://ebtables.sourceforge.net/misc/ebtables-man.html
> > > >
> > > >      
> > > >         
> > > > > There is a "-j REDIRECT" which should be in
> > > > >           
> > lowercase
> >     
> > > > >        
> > > > >           
> > > > letters "-j redirect".
> > > >      
> > > >         
> > > > > Thanks for guide.
> > > > >
> > > > > Marko
> > > > >
> > > > >
> > > > >
> > > > >            
> > > > >           
> >      
> >     
> > > > Dan
> > > >
> > > >
> > > >      
> > > >         
> > >          
> > >       
> >     
>
>
>       
>