* [LARTC] linux transparent bridge running squid
From: William Bohannan @ 2006-07-21 18:31 UTC (permalink / raw)
  To: lartc

Hi, I have been using Shorewall for a while now and find it very useful and easy to configure. I am learning iptables and having trouble getting the bridge to successfully work with squid, although I get it working with Shorewall straight away. Does anyone know the rules to successfully use squid with a transparent bridge?

Internet – router - (bridge eth0 – eth1) – local lan

auto lo
iface lo inet loopback

auto br0
iface br0 inet static
address 192.168.0.253
netmask 255.255.255.0
network 192.168.0.0
broadcast 192.168.0.255
gateway 192.168.0.254
pre-up /sbin/ip link set eth0 up
pre-up /sbin/ip link set eth1 up
pre-up /usr/sbin/brctl addbr br0
pre-up /usr/sbin/brctl addif br0 eth0
pre-up /usr/sbin/brctl addif br0 eth1

# allow the LAN (note the /24: without a mask, -s 192.168.0.0 matches only that single host) to reach squid on 3128
iptables -A INPUT -i br0 -p tcp -d 192.168.0.253 -s 192.168.0.0/24 --dport 3128 -m state --state NEW,ESTABLISHED -j ACCEPT
# send port-80 traffic arriving on the bridge to the local squid port
iptables -t nat -A PREROUTING -i br0 -p tcp --dport 80 -j REDIRECT --to-port 3128
echo 1 > /proc/sys/net/ipv4/ip_forward

with no luck ☹


kind regards
william


_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc


* Re: [LARTC] linux transparent bridge running squid
From: Andrew Beverley @ 2006-07-21 19:37 UTC (permalink / raw)
  To: lartc

>
> iptables -t nat -A PREROUTING -i br0 -p tcp --dport 80 -j REDIRECT --to-port 3128
>

This is the same line I use and it works fine. What exactly is the problem? Is it 
clients don't use squid, clients can't access the web, or what?

Andy


* Re: [LARTC] linux transparent bridge running squid
From: Luciano Ruete @ 2006-07-22 16:30 UTC (permalink / raw)
  To: lartc

On Friday 21 July 2006 15:31, William Bohannan wrote:
> Hi I have been using Shorewall for a while now and find it very useful and
> easy to configure, I am learning iptables and having trouble getting the
> bridge to successfully work with squid, although I get it working with
> Shorewall straight away?  Does anyone know the rules to successfully use
> squid with a transparent bridge?
>
> Internet – router - (bridge eth0 – eth1) – local lan
>
> auto lo
> iface lo inet loopback
>
> auto br0
> iface br0 inet static
> address 192.168.0.253
> netmask 255.255.255.0
> network 192.168.0.0
> broadcast 192.168.0.255
> gateway 192.168.0.254
> pre-up /sbin/ip link set eth0 up
> pre-up /sbin/ip link set eth1 up
> pre-up /usr/sbin/brctl addbr br0
> pre-up /usr/sbin/brctl addif br0 eth0
> pre-up /usr/sbin/brctl addif br0 eth1
>
> iptables -A INPUT -i br0 -p tcp -d 192.168.0.253 -s 192.168.0.0 --dport 3128 -m state --state NEW,ESTABLISHED -j ACCEPT
> iptables -t nat -A PREROUTING -i br0 -p tcp --dport 80 -j REDIRECT --to-port 3128
> echo 1 > /proc/sys/net/ipv4/ip_forward

You are at the link layer in the bridge; packets don't travel up to the network layer, 
so iptables does not even see these packets.
Either you can use ebtables[1] or see 'physdev' in the iptables man page.

[1]http://ebtables.sourceforge.net/
-- 
Luciano

* Re: [LARTC] linux transparent bridge running squid
From: Radu Oprisan @ 2006-07-22 21:04 UTC (permalink / raw)
  To: lartc

Luciano Ruete wrote:
> On Friday 21 July 2006 15:31, William Bohannan wrote:
>> Hi I have been using Shorewall for a while now and find it very useful and
>> easy to configure, I am learning iptables and having trouble getting the
>> bridge to successfully work with squid, although I get it working with
>> Shorewall straight away?  Does anyone know the rules to successfully use
>> squid with a transparent bridge?
>>
>> Internet – router - (bridge eth0 – eth1) – local lan
>>
>> auto lo
>> iface lo inet loopback
>>
>> auto br0
>> iface br0 inet static
>> address 192.168.0.253
>> netmask 255.255.255.0
>> network 192.168.0.0
>> broadcast 192.168.0.255
>> gateway 192.168.0.254
>> pre-up /sbin/ip link set eth0 up
>> pre-up /sbin/ip link set eth1 up
>> pre-up /usr/sbin/brctl addbr br0
>> pre-up /usr/sbin/brctl addif br0 eth0
>> pre-up /usr/sbin/brctl addif br0 eth1
>>
>> iptables -A INPUT -i br0 -p tcp -d 192.168.0.253 -s 192.168.0.0 --dport 3128 -m state --state NEW,ESTABLISHED -j ACCEPT
>> iptables -t nat -A PREROUTING -i br0 -p tcp --dport 80 -j REDIRECT --to-port 3128
>> echo 1 > /proc/sys/net/ipv4/ip_forward
> 
> You are at the link layer in the bridge; packets don't travel up to the network layer, 
> so iptables does not even see these packets.
> Either you can use ebtables[1] or see 'physdev' in the iptables man page.
> 
> [1]http://ebtables.sourceforge.net/

Also, I need to point this out: be very careful not to include the
squid machine in the ebtables redirect, as that could end up in an
endless loop.

* RE: [LARTC] linux transparent bridge running squid and dansguardian
From: William Bohannan @ 2006-07-24 19:33 UTC (permalink / raw)
  To: lartc

Thanks for the quick reply.  Although I have had no success, I have been
trying all day using both physdev and ebtables, neither of which I can get
working :( Please help - below is what I am currently using.


***********************************************************************
#!/bin/sh

PATH=/usr/sbin:/sbin:/bin:/usr/bin

#
# delete all existing rules.
#
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X

# Always accept loopback traffic
iptables -A INPUT -i lo -j ACCEPT


# Allow established connections, and those not coming from the outside
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state NEW ! -i eth0 -j ACCEPT
# Note: bridged traffic reaches iptables with -i/-o br0, not eth0/eth1;
# the physical bridge ports have to be matched with -m physdev instead.
iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow outgoing connections from the LAN side.
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT

# Masquerade.
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

# Don't forward from the outside to the inside.
#iptables -A FORWARD -i eth0 -o eth0 -j REJECT

# Enable routing.
echo 1 > /proc/sys/net/ipv4/ip_forward

# Tell ebtables to route the frames going to TCP port 80 instead of bridging
# them.  In the broute table --redirect-target DROP means "route" and ACCEPT
# means "keep bridging", so ACCEPT here would leave the frames on the bridge
# path and the iptables REDIRECT below would never see them.
ebtables -t broute -A BROUTING -p IPv4 --ip-protocol 6 --ip-destination-port 80 -j redirect --redirect-target DROP

# Once routed, the packets arrive on the physical port (eth1); hand them to
# the local proxy listening on 8080 (dansguardian).
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 8080

# This line is from www.linux.com transparent proxy which allows port 8080
# from the local network (the source needs a /24 mask to cover the LAN)
#iptables -A INPUT -i eth1 -p tcp -d 192.168.0.253 -s 192.168.0.0/24 --dport 8080 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A FORWARD -p tcp --dport 80 -m physdev --physdev-in eth1 --physdev-out eth0 -j ACCEPT

**********************************************************************


Please help - if I use Shorewall it works first go?

Internet - (eth0 - eth1) - local lan


Kind regards

William


* Re: [LARTC] linux transparent bridge running squid and dansguardian
From: Luciano Ruete @ 2006-07-25 18:09 UTC (permalink / raw)
  To: lartc



On Monday 24 July 2006 16:33, William Bohannan wrote:
> Thanks for the quick reply.  Although I have had no success, I have been
> trying all day using both physdev and ebtables, neither of which I can get
> working :( Please help - below is what I am currently using.
>

Try this, it is a one-line simple modified version of your first post script. If this proof of concept works, then add all the other iptables rules that you want. 

iptables -F
iptables -t nat -F
iptables -t nat -A PREROUTING -m physdev --physdev-in eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128

--
Luciano
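Putting Luciano's physdev one-liner, his point that bridged frames are not seen by ordinary `-i br0` rules, and Radu's loop warning together, here is an added example script (not code from the thread or from any of its posters) that generates the rule set for the thread's topology and checks the rule order before anything is applied. The interface names, the 192.168.0.0/24 network, the proxy address 192.168.0.253 and port 3128 are assumptions taken from the original post; the sysctl line, the RETURN exemption and the dry-run wrapper are additions that do not appear in the thread.

```shell
#!/bin/sh
# Added example, not code from the thread: a loop-safe transparent-proxy rule
# set for a two-port Linux bridge (eth0 = Internet side, eth1 = LAN side, br0)
# with squid running on the bridge host.  Addresses, interface names and the
# proxy port are assumptions taken from the thread's diagram; override them in
# the environment.
#
# Design, following the thread:
#  * Frames that cross the bridge never enter the IP routing path, so plain
#    "-i br0" rules only see traffic addressed to the bridge host itself.  With
#    bridge-nf enabled, iptables does see bridged packets, but their interface
#    is br0; the physical bridge port must be matched with -m physdev.
#  * Traffic from the proxy's own address is exempted (RETURN) before the
#    REDIRECT, so a proxy sitting behind the bridge can never be sent back to
#    itself (the endless loop Radu warns about).  For squid on the bridge host
#    the rule is a harmless no-op: locally generated packets use OUTPUT, not
#    PREROUTING.

PROXY_IP=${PROXY_IP:-192.168.0.253}   # address squid listens on (assumed)
LAN_NET=${LAN_NET:-192.168.0.0/24}    # client network to intercept (assumed)
LAN_PORT=${LAN_PORT:-eth1}            # bridge port facing the clients (assumed)
PROXY_PORT=${PROXY_PORT:-3128}        # squid http_port in intercept mode (assumed)

# Emit the rule set, one command per line, without executing anything.
gen_rules() {
    cat <<EOF
# make bridged frames visible to iptables (needs the br_netfilter module on newer kernels)
sysctl -w net.bridge.bridge-nf-call-iptables=1
iptables -t nat -F PREROUTING
# never intercept the proxy's own outbound web traffic (must precede the REDIRECT)
iptables -t nat -A PREROUTING -m physdev --physdev-in $LAN_PORT -s $PROXY_IP -p tcp --dport 80 -j RETURN
# intercept client HTTP arriving on the LAN bridge port and hand it to squid
iptables -t nat -A PREROUTING -m physdev --physdev-in $LAN_PORT -s $LAN_NET -p tcp --dport 80 -j REDIRECT --to-port $PROXY_PORT
# let the redirected connections reach the local squid listener
iptables -A INPUT -i br0 -s $LAN_NET -p tcp --dport $PROXY_PORT -m state --state NEW,ESTABLISHED -j ACCEPT
EOF
}

# Sanity check on the generated output: the RETURN exemption must come before
# the REDIRECT, otherwise it is never reached.  Prints "ok" or "bad-order".
check_order() {
    gen_rules | {
        n=0; ret=0; red=0
        while IFS= read -r line; do
            n=$((n + 1))
            case $line in
                *"-j RETURN"*)   if [ "$ret" -eq 0 ]; then ret=$n; fi ;;
                *"-j REDIRECT"*) if [ "$red" -eq 0 ]; then red=$n; fi ;;
            esac
        done
        if [ "$ret" -gt 0 ] && [ "$red" -gt 0 ] && [ "$ret" -lt "$red" ]; then
            echo ok
        else
            echo bad-order
        fi
    }
}

# Dry run by default: print the commands.  DRY_RUN=0 executes them with sh -e,
# so the first failing iptables/ebtables call stops the script.
apply_rules() {
    if [ "${DRY_RUN:-1}" = 0 ]; then
        gen_rules | sh -e
    else
        gen_rules
    fi
}

if [ "${1:-}" = apply ]; then
    apply_rules
fi
```

Without arguments the script does nothing; `sh script.sh apply` prints the commands, and `DRY_RUN=0 sh script.sh apply` runs them (as root). Squid itself must listen on the proxy port in transparent/intercept mode, or the redirected connections will be accepted by the kernel and then rejected by squid.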

