Bridge with iptables

Bridge with iptables

[hare ram]

Hi

iam trying to setup a bridge with iptable
i have setup the transparent bridge,

and iam try to mark the http packets for QOS
iam not able to see the packets

i was going through the Lartc.org
some where i read at this stage ( kernel 2.4.18-27 Redhat iam using) bridge
will not support iptables.
it will support only on kernel 2.5, is this true

if false, where can i get the right documentation which help me to setup
bridge with packet filtering

thanks in advance for the help

hare

Re: Bridge with iptables

[Joel Newkirk]

On Thursday 03 April 2003 09:44 am, hare ram wrote:
> Hi
>
> iam trying to setup a bridge with iptable
> i have setup the transparent bridge,
>
> and iam try to mark the http packets for QOS
> iam not able to see the packets
>
> i was going through the Lartc.org
> some where i read at this stage ( kernel 2.4.18-27 Redhat iam using)
> bridge will not support iptables.
> it will support only on kernel 2.5, is this true
>
> if false, where can i get the right documentation which help me to
> setup bridge with packet filtering

It is possible to patch the 2.4.x kernel.  Then you select "802.1d 
Ethernet Bridging" and "netfilter (firewalling) support" when 
configuring the kernel.

You need to download the br-nf patch and patch the kernel source with it.  
It is available at:
http://bridge.sourceforge.net/

The file you are looking for is:
http://bridge.sourceforge.net/devel/bridge-nf/bridge-nf-0.0.7-against-2.4.19.diff

The documentation I successfully followed to build a transparent 
filtering bridge with a 2.4.x kernel is:
http://www.think-future.de/DOCUMENTATION/Ethernet-Bridge-netfilter-HOWTO/

I browsed other documents, and found another well-written one that 
covered the initial steps well, but when I tried to bring the bridge 
interface up using those instructions it failed.  The above link's 
approach worked painlessly, and it took about 25 minutes from download 
to a working filtering bridge, which now sits between an ISP and the 
internet.

j

Re: Bridge with iptables

[pieter claassen]

You can have a look at http://ebtables.sourceforge.net/ for the patches
for the 2.4.x kernels.

Pieter
On Thu, 2003-04-03 at 15:44, hare ram wrote:
> Hi
> 
> iam trying to setup a bridge with iptable
> i have setup the transparent bridge,
> 
> and iam try to mark the http packets for QOS
> iam not able to see the packets
> 
> i was going through the Lartc.org
> some where i read at this stage ( kernel 2.4.18-27 Redhat iam using) bridge
> will not support iptables.
> it will support only on kernel 2.5, is this true
> 
> if false, where can i get the right documentation which help me to setup
> bridge with packet filtering
> 
> thanks in advance for the help
> 
> hare
> 
> 
> 
-- 
-----------------------------
Pieter Claassen
pieter@openauth.co.uk
http://www.openauth.co.uk

OpenAuth
Tel: 01344 390530
DDI: 01344 390630/390631
Fax number: 01344 390700
Mobile:  0776 665 6924

Highview House
Charles Square
Bracknell
Berkshire
RG12 1DF

TERMS AND CONDITIONS
(i)The information contained in this email and attachments is only
intended for the addressed recipient(s) and may not be distributed or
viewed by any other party without the explicit consent of the sender. If
you have received this message by accident, please contact Pieter
Claassen (pieter@openauth.co.uk) and destroy any electronic or physical
copies of the information contained in it, immediately.
(ii)This email is not certified to be virus free and OpenAuth accepts no
liability for losses arising from you receiving this email.
(iii)Any digital signatures (if present) used to authenticate this
email, only serves to allow you to verify the originating email address
of the sender and should not be relied upon to prove identity or base
financial transactions on, unless the Certificate Practice Statement
that the signature references, explicitly states differently.
(iv)This email may be subjected to further terms and conditions as
published on the company website at http://www.openauth.co.uk. If you
need to rely on the information contained in this email in any way, then
you should read those terms and conditions to understand how much you
can trust the information in this email.
(v)OpenAuth retains the copyright on any relevant material that is
included in this email.

Re: Bridge with iptables

[Drew Einhorn]

goto bridge.sourceforge.net and browse around a bit.

While both the bridge code and the iptables code have been
integrated into the 2.4 kernels, you still need some patches
to get them to play with each other.

On Thu, 2003-04-03 at 07:44, hare ram wrote:
> 
> Hi
> 
> iam trying to setup a bridge with iptable
> i have setup the transparent bridge,
> 
> and iam try to mark the http packets for QOS
> iam not able to see the packets
> 
> i was going through the Lartc.org
> some where i read at this stage ( kernel 2.4.18-27 Redhat iam using) bridge
> will not support iptables.
> it will support only on kernel 2.5, is this true
> 
> if false, where can i get the right documentation which help me to setup
> bridge with packet filtering
> 
> thanks in advance for the help
> 
> hare
> 
> 
> 
> 
> 

Re: Bridge with iptables

[hare ram]

Hi Stef and all Gurus of iptables


thanks for the helping me setting up bridge

i have setup the bridge successfully ( transparent ) and assigned some
Public IP to br0 to monitor

In transparent Bridge, i want to divert the traffic port 80 or http traffic
to my squid Server running on port 3129 ( changed from default from 3128 to
3129)

My seltup like this

Public IP LAN x.x.x.1---eth1(Bridge (br0 x.x.x.2)) eth0--- Router (
x.x.x.3)--Internet

Gateway of the public LAN is x.x.x.3

i have done the following config.

/usr/local/sbin/iptables -t nat -A PREROUTING -i eth1 -s 0/0 -p tcp --dport
80 -j REDIRECT --to-port 3129

when i see the squid log iam not able to see anything, in browser i get
error  "The page cannot be displayed"

when i see the iptables out put look like below

[root@bridge root]# iptables -nL -v -t nat
Chain PREROUTING (policy ACCEPT 98 packets, 12602 bytes)
 pkts bytes target     prot opt in     out     source
destination
    6   288 REDIRECT   tcp  --  eth1   *       0.0.0.0/0
0.0.0.0/0          tcp dpt:80 redir ports 3129

Chain POSTROUTING (policy ACCEPT 98 packets, 12602 bytes)
 pkts bytes target     prot opt in     out     source
destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source
destination


iam able to see some packets are travelling in the same rule,

what could be the wrong, can some one guide me for this problem

thanks in advance

hare