----- Original Message ----- > From: Eliezer Croitoru <eliezer@xxxxxxxxxxxx> > > so what you just need for ebtables is two rules: > all packets the are destined to the web om port 80.. route them into the machine... later will be intercepted by tproxy > so: > ebtables -t broute -A BROUTING -i eth0 -p ipv4 --ip-protocol tcp \ --ip-destination-port 80 -j redirect --redirect-target DROP > and every packet that comes from the internet from port 80 (web server) should be always get to the proxy as it's an > answer to squid request either tproxy or intercept. > the only difference with intercept mode is that: > the packet that comes back from the internet destination is the proxy and on any case the bridge will send it to the > proxy. > so to intercept web answers to the proxy you need the rules: > ebtables -t broute -A BROUTING -i eth1 -p ipv4 --ip-protocol tcp \ > --ip-source-port 80 -j redirect --redirect-target DROP > > and that is it for the bridge. Your rules are essentially the same as mine and I don't see how it that different, maybe I am just missed the point. The reason you see many more rules than is needed because I want to make them the connection symmetric so that it does not matter which ethX is the upstream, and which is the down stream, ie whichever port you plug into it will still work. And I have specifically confirmed that the other two additional rules have no traffic.
