From: Jasbir Khehra
Date: Thu, 28 Dec 2006 18:49:22 +0000
Subject: Re: [LARTC] filter policy drop and allow transparent proxy
Message-Id: <45940EE2.1030904@gmail.com>
References: <4D411FB02758FE45915E9724339093F61A7135@intranet.scpl.local>
In-Reply-To: <4D411FB02758FE45915E9724339093F61A7135@intranet.scpl.local>
To: lartc@vger.kernel.org

William Bohannan wrote:
> Trying to use the policy drop rule with the bridged firewall, when I
> removed the first line the transparent proxy works great? It seems a
> bit strange as from reading several articles on it I thought the
> following occurs.
> 1st line - if it doesn't match it gets dropped on the local filter input.
> 2nd line - redirects the traffic off the link layer into the network
> layer ready for line 3.
> 3rd line - redirects the port 80 to 8080 and then goes to the local
> process (squid) through the input filter.
> 4th line - input filter accepts the traffic overriding the global
> reject policy.
>
> iptables -P INPUT DROP
> ebtables -t broute -A BROUTING -p IPv4 --ip-protocol 6 --ip-destination-port 80 -j redirect --redirect-target ACCEPT
> iptables -t nat -A PREROUTING -i br0 -p tcp --dport 80 -j REDIRECT --to-port 8080
> iptables -A INPUT -p tcp --dport 80 -m physdev --physdev-in eth1 --physdev-out eth0 -j ACCEPT
>
> Any help would be most welcome.
>
> Kind Regards
> William
>
> _______________________________________________
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
>

The 4th line should look for packets on dport 8080 instead of 80

-Jasbir
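The ruleset below is an added example, not code from either poster, showing the poster's four rules with the fix Jasbir gives applied: nat/PREROUTING runs before filter/INPUT, so by the time INPUT sees the packet its destination port is already 8080 and the ACCEPT rule has to match that port. It assumes a bridge br0 with ports eth1 (clients) and eth0 (upstream) and squid listening on local port 8080; the IPT/EBT variables and the ESTABLISHED,RELATED rule are additions of this example, not from the thread.

```shell
# Added example (not from the thread): corrected bridge + transparent-proxy
# ruleset. Assumptions: bridge br0 with ports eth1 (clients) and eth0
# (upstream), squid on local port 8080. Set IPT=echo EBT=echo for a dry run.
IPT="${IPT:-iptables}"
EBT="${EBT:-ebtables}"
PROXY_PORT="${PROXY_PORT:-8080}"

apply_transparent_proxy_rules() {
    # 1. Default-deny everything addressed to the firewall host itself.
    "$IPT" -P INPUT DROP

    # Not in the thread: squid's own upstream fetches get their replies via
    # INPUT, so a bare DROP policy would break them. Accept tracked flows.
    "$IPT" -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # 2. Rewrite the destination MAC of TCP/80 frames to the bridge's own MAC
    #    so the bridge delivers them to the local IP stack instead of
    #    forwarding them to the other port.
    "$EBT" -t broute -A BROUTING -p IPv4 --ip-protocol 6 \
        --ip-destination-port 80 -j redirect --redirect-target ACCEPT

    # 3. nat/PREROUTING runs BEFORE filter/INPUT and rewrites dport 80 -> 8080.
    "$IPT" -t nat -A PREROUTING -i br0 -p tcp --dport 80 \
        -j REDIRECT --to-port "$PROXY_PORT"

    # 4. filter/INPUT sees the rewritten port, so 8080 is what ACCEPT must
    #    match (the fix). --physdev-out is omitted: a locally delivered packet
    #    has no bridge output port, so that qualifier can never match here.
    "$IPT" -A INPUT -i br0 -p tcp --dport "$PROXY_PORT" \
        -m physdev --physdev-in eth1 -j ACCEPT
}

# Check: the nat rule's counters and the INPUT rule's counters should both
# climb when a client behind eth1 browses. If only the nat counter moves,
# INPUT is still matching the pre-REDIRECT port and the DROP policy wins.
show_proxy_counters() {
    "$IPT" -t nat -L PREROUTING -v -n
    "$IPT" -L INPUT -v -n
}
```

Run it as root with the real tools, or with `IPT=echo EBT=echo` to print the rules without applying them. The `--physdev-out eth0` qualifier from the original fourth rule is dropped because, per the physdev match documentation, an output bridge port only exists for frames that are going to be forwarded (FORWARD, OUTPUT, POSTROUTING); a frame being delivered to a local socket has none.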