* Re: [LARTC] linux transparent bridge running squid
2006-07-21 18:31 [LARTC] linux transparent bridge running squid William Bohannan
@ 2006-07-21 19:37 ` Andrew Beverley
2006-07-22 16:30 ` Luciano Ruete
` (3 subsequent siblings)
4 siblings, 0 replies; 6+ messages in thread
From: Andrew Beverley @ 2006-07-21 19:37 UTC (permalink / raw)
To: lartc
>
> iptables -t nat -A PREROUTING -i br0 -p tcp --dport 80 -j REDIRECT --to-port 3128
>
This is the same line I use and it works fine. What exactly is the problem? Is it
clients don't use squid, clients can't access the web, or what?
Andy
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
^ permalink raw reply [flat|nested] 6+ messages in thread* Re: [LARTC] linux transparent bridge running squid
2006-07-21 18:31 [LARTC] linux transparent bridge running squid William Bohannan
2006-07-21 19:37 ` Andrew Beverley
@ 2006-07-22 16:30 ` Luciano Ruete
2006-07-22 21:04 ` Radu Oprisan
` (2 subsequent siblings)
4 siblings, 0 replies; 6+ messages in thread
From: Luciano Ruete @ 2006-07-22 16:30 UTC (permalink / raw)
To: lartc
El Friday 21 July 2006 15:31, William Bohannan escribió:
> Hi I have been using Shorewall for a while now and find it very useful and
> easy to configure, I am learning iptables and having trouble getting the
> bridge to successfully work with squid, although I get it working with
> Shorewall straight away? Does anyone know the rules to successfully use
> squid with a transparent bridge?
>
> Internet – router - (bridge eth0 – eth1) – local lan
>
> auto lo
> iface lo inet loopback
>
> auto br0
> iface br0 inet static
> address 192.168.0.253
> netmask 255.255.255.0
> network 192.168.0.0
> broadcast 192.168.0.255
> gateway 192.168.0.254
> pre-up /sbin/ip link set eth0 up
> pre-up /sbin/ip link set eth1 up
> pre-up /usr/sbin/brctl addbr br0
> pre-up /usr/sbin/brctl addif br0 eth0
> pre-up /usr/sbin/brctl addif br0 eth1
>
> iptables -A INPUT -i br0 -p tcp -d 192.168.0.253 -s 192.168.0.0 --dport
> 3128 -m state --state NEW,ESTABLISHED -j ACCEPT iptables -t nat -A
> PREROUTING -i br0 -p tcp --dport 80 -j REDIRECT --to-port 3128 echo 1 >
> /proc/sys/net/ipv4/ip_forward
you are at Link layer in the bridge, packets dont travel up to Network layer,
so iptables does not even see this packets.
Either you can use ebtables[1] or see 'physdev' in iptables man page.
[1]http://ebtables.sourceforge.net/
--
Luciano
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
^ permalink raw reply [flat|nested] 6+ messages in thread* Re: [LARTC] linux transparent bridge running squid
2006-07-21 18:31 [LARTC] linux transparent bridge running squid William Bohannan
2006-07-21 19:37 ` Andrew Beverley
2006-07-22 16:30 ` Luciano Ruete
@ 2006-07-22 21:04 ` Radu Oprisan
2006-07-24 19:33 ` [LARTC] linux transparent bridge running squid and dansguardian William Bohannan
2006-07-25 18:09 ` Luciano Ruete
4 siblings, 0 replies; 6+ messages in thread
From: Radu Oprisan @ 2006-07-22 21:04 UTC (permalink / raw)
To: lartc
Luciano Ruete wrote:
> El Friday 21 July 2006 15:31, William Bohannan escribió:
>> Hi I have been using Shorewall for a while now and find it very useful and
>> easy to configure, I am learning iptables and having trouble getting the
>> bridge to successfully work with squid, although I get it working with
>> Shorewall straight away? Does anyone know the rules to successfully use
>> squid with a transparent bridge?
>>
>> Internet – router - (bridge eth0 – eth1) – local lan
>>
>> auto lo
>> iface lo inet loopback
>>
>> auto br0
>> iface br0 inet static
>> address 192.168.0.253
>> netmask 255.255.255.0
>> network 192.168.0.0
>> broadcast 192.168.0.255
>> gateway 192.168.0.254
>> pre-up /sbin/ip link set eth0 up
>> pre-up /sbin/ip link set eth1 up
>> pre-up /usr/sbin/brctl addbr br0
>> pre-up /usr/sbin/brctl addif br0 eth0
>> pre-up /usr/sbin/brctl addif br0 eth1
>>
>> iptables -A INPUT -i br0 -p tcp -d 192.168.0.253 -s 192.168.0.0 --dport
>> 3128 -m state --state NEW,ESTABLISHED -j ACCEPT iptables -t nat -A
>> PREROUTING -i br0 -p tcp --dport 80 -j REDIRECT --to-port 3128 echo 1 >
>> /proc/sys/net/ipv4/ip_forward
>
> you are at Link layer in the bridge, packets dont travel up to Network layer,
> so iptables does not even see this packets.
> Either you can use ebtables[1] or see 'physdev' in iptables man page.
>
> [1]http://ebtables.sourceforge.net/
Also, i need to point this out, be very careful as not to include the
squid machine in the ebtables redirect, as that could end up in an
endless loop.
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
^ permalink raw reply [flat|nested] 6+ messages in thread
* RE: [LARTC] linux transparent bridge running squid and dansguardian
2006-07-21 18:31 [LARTC] linux transparent bridge running squid William Bohannan
` (2 preceding siblings ...)
2006-07-22 21:04 ` Radu Oprisan
@ 2006-07-24 19:33 ` William Bohannan
2006-07-25 18:09 ` Luciano Ruete
4 siblings, 0 replies; 6+ messages in thread
From: William Bohannan @ 2006-07-24 19:33 UTC (permalink / raw)
To: lartc
Thanks or the quick reply. Although I have had no success, I have been
trying all day using both physdev and ebtables, neither of which I can get
working :( Please help - below is what I am currently using.
***********************************************************************
#!/bin/sh
PATH=/usr/sbin:/sbin:/bin:/usr/bin
#
# delete all existing rules.
#
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X
# Always accept loopback traffic
iptables -A INPUT -i lo -j ACCEPT
# Allow established connections, and those not coming from the outside
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state NEW -i ! eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j
ACCEPT
# Allow outgoing connections from the LAN side.
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
# Masquerade.
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# Don't forward from the outside to the inside.
#iptables -A FORWARD -i eth0 -o eth0 -j REJECT
# Enable routing.
echo 1 > /proc/sys/net/ipv4/ip_forward
# This line tells ebtables to route (accept) the packages // going to port
80, instead of bridging them:
ebtables -t broute -A BROUTING -p IPv4 --ip-protocol 6 --ip-destination-port
80 -j redirect --redirect-target ACCEPT
# This line tells ebtables to route (accept) the packages // going to port
80, instead of bridging them:
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT
--to-port 8080
# This line is from www.linux.com transparent proxy which allows port 8080
from the local network
#iptables -A INPUT -i eth1 -p tcp -d 192.168.0.253 -s 192.168.0.0 --dport
8080 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A FORWARD -p tcp --dport 80 -m physdev --physdev-in eth1
--physdev-out eth0 -j ACCEPT
**********************************************************************
Please help - if I use Shorewall it works first go?
Internet - (eth0 - eth1) - local lan
Kind regards
William
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
^ permalink raw reply [flat|nested] 6+ messages in thread* Re: [LARTC] linux transparent bridge running squid and dansguardian
2006-07-21 18:31 [LARTC] linux transparent bridge running squid William Bohannan
` (3 preceding siblings ...)
2006-07-24 19:33 ` [LARTC] linux transparent bridge running squid and dansguardian William Bohannan
@ 2006-07-25 18:09 ` Luciano Ruete
4 siblings, 0 replies; 6+ messages in thread
From: Luciano Ruete @ 2006-07-25 18:09 UTC (permalink / raw)
To: lartc
[-- Attachment #1.1: Type: text/plain, Size: 584 bytes --]
On Monday 24 July 2006 16:33, William Bohannan wrote:
> Thanks or the quick reply. Although I have had no success, I have been
> trying all day using both physdev and ebtables, neither of which I can get
> working :( Please help - below is what I am currently using.
>
Try this, it is a one-line simple modified version of your first post script. If this proof of concept works, then add all the others iptables rules that you whant.
iptables -F
iptables -t nat -F
iptables -t nat -A PREROUTING -m physdev --physdev-in eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128
--
Luciano
[-- Attachment #1.2: Type: text/html, Size: 817 bytes --]
[-- Attachment #2: Type: text/plain, Size: 143 bytes --]
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
^ permalink raw reply [flat|nested] 6+ messages in thread