* [LARTC] filter policy drop and allow transparent proxy
@ 2006-12-28 18:21 William Bohannan
2006-12-28 18:49 ` Jasbir Khehra
` (3 more replies)
0 siblings, 4 replies; 5+ messages in thread
From: William Bohannan @ 2006-12-28 18:21 UTC (permalink / raw)
To: lartc
Trying to use the policy drop rule with the bridged firewall, when I
removed the first line the transparent proxy works great? It seems a
bit strange as from reading several articles on it I thought the
following occurs.
1st line - if it doest match it gets dropped on the local filter input.
2nd line - redirects the traffic off the link layer into the network
layer ready for line 3.
3rd line - redirects the port 80 to 8080 and then goes to the local
process (squid) through the input filter
4th line - input filter accepts the traffic over riding the global
reject policy.
iptables -P INPUT DROP
ebtables -t broute -A BROUTING -p IPv4 --ip-protocol 6
--ip-destination-port 80 -j redirect --redirect-target ACCEPT
iptables -t nat -A PREROUTING -i br0 -p tcp --dport 80 -j REDIRECT
--to-port 8080
iptables -A INPUT -p tcp --dport 80 -m physdev --physdev-in eth1
--physdev-out eth0 -j ACCEPT
Any help would be most welcome.
Kind Regards
William
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
^ permalink raw reply [flat|nested] 5+ messages in thread* Re: [LARTC] filter policy drop and allow transparent proxy
2006-12-28 18:21 [LARTC] filter policy drop and allow transparent proxy William Bohannan
@ 2006-12-28 18:49 ` Jasbir Khehra
2006-12-28 19:24 ` William Bohannan
` (2 subsequent siblings)
3 siblings, 0 replies; 5+ messages in thread
From: Jasbir Khehra @ 2006-12-28 18:49 UTC (permalink / raw)
To: lartc
William Bohannan wrote:
> Trying to use the policy drop rule with the bridged firewall, when I
> removed the first line the transparent proxy works great? It seems a
> bit strange as from reading several articles on it I thought the
> following occurs.
> 1st line - if it doest match it gets dropped on the local filter input.
> 2nd line - redirects the traffic off the link layer into the network
> layer ready for line 3.
> 3rd line - redirects the port 80 to 8080 and then goes to the local
> process (squid) through the input filter
> 4th line - input filter accepts the traffic over riding the global
> reject policy.
>
> iptables -P INPUT DROP
> ebtables -t broute -A BROUTING -p IPv4 --ip-protocol 6
> --ip-destination-port 80 -j redirect --redirect-target ACCEPT
> iptables -t nat -A PREROUTING -i br0 -p tcp --dport 80 -j REDIRECT
> --to-port 8080
> iptables -A INPUT -p tcp --dport 80 -m physdev --physdev-in eth1
> --physdev-out eth0 -j ACCEPT
>
> Any help would be most welcome.
>
> Kind Regards
> William
>
> _______________________________________________
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
>
The 4th line should look for packets on dport 8080 instead of 80
-Jasbir
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
^ permalink raw reply [flat|nested] 5+ messages in thread* RE: [LARTC] filter policy drop and allow transparent proxy
2006-12-28 18:21 [LARTC] filter policy drop and allow transparent proxy William Bohannan
2006-12-28 18:49 ` Jasbir Khehra
@ 2006-12-28 19:24 ` William Bohannan
2006-12-29 8:52 ` Jasbir Khehra
2006-12-29 13:34 ` William Bohannan
3 siblings, 0 replies; 5+ messages in thread
From: William Bohannan @ 2006-12-28 19:24 UTC (permalink / raw)
To: lartc
Thanks for the quick response Jasbir. Tried doing as you said with no
luck, changed dport to port 8080 on the 4th line (see below). Same as
before if you remove line 1 the transparent proxy works.
iptables -P INPUT DROP
ebtables -t broute -A BROUTING -p IPv4 --ip-protocol 6
--ip-destination-port 80 -j redirect --redirect-target ACCEPT
iptables -t nat -A PREROUTING -i br0 -p tcp --dport 80 -j REDIRECT
--to-port 8080
iptables -A INPUT -p tcp --dport 8080 -m physdev --physdev-in eth1
--physdev-out eth0 -j ACCEPT
Kind Regards
William
-----Original Message-----
From: Jasbir Khehra [mailto:jasbir.k@gmail.com]
Sent: 28 December 2006 18:37
To: William Bohannan
Cc: lartc@mailman.ds9a.nl
Subject: Re: [LARTC] filter policy drop and allow transparent proxy
William Bohannan wrote:
> Trying to use the policy drop rule with the bridged firewall, when I
> removed the first line the transparent proxy works great? It seems a
> bit strange as from reading several articles on it I thought the
> following occurs.
> 1st line - if it doest match it gets dropped on the local filter
input.
> 2nd line - redirects the traffic off the link layer into the network
> layer ready for line 3.
> 3rd line - redirects the port 80 to 8080 and then goes to the local
> process (squid) through the input filter
> 4th line - input filter accepts the traffic over riding the global
> reject policy.
>
> iptables -P INPUT DROP
> ebtables -t broute -A BROUTING -p IPv4 --ip-protocol 6
> --ip-destination-port 80 -j redirect --redirect-target ACCEPT
> iptables -t nat -A PREROUTING -i br0 -p tcp --dport 80 -j REDIRECT
> --to-port 8080
> iptables -A INPUT -p tcp --dport 80 -m physdev --physdev-in eth1
> --physdev-out eth0 -j ACCEPT
>
> Any help would be most welcome.
>
> Kind Regards
> William
>
> _______________________________________________
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
>
The 4th line should look for packets on dport 8080 instead of 80
-Jasbir
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [LARTC] filter policy drop and allow transparent proxy
2006-12-28 18:21 [LARTC] filter policy drop and allow transparent proxy William Bohannan
2006-12-28 18:49 ` Jasbir Khehra
2006-12-28 19:24 ` William Bohannan
@ 2006-12-29 8:52 ` Jasbir Khehra
2006-12-29 13:34 ` William Bohannan
3 siblings, 0 replies; 5+ messages in thread
From: Jasbir Khehra @ 2006-12-29 8:52 UTC (permalink / raw)
To: lartc
William Bohannan wrote:
> Thanks for the quick response Jasbir. Tried doing as you said with no
> luck, changed dport to port 8080 on the 4th line (see below). Same as
> before if you remove line 1 the transparent proxy works.
>
>
> iptables -P INPUT DROP
> ebtables -t broute -A BROUTING -p IPv4 --ip-protocol 6
> --ip-destination-port 80 -j redirect --redirect-target ACCEPT
> iptables -t nat -A PREROUTING -i br0 -p tcp --dport 80 -j REDIRECT
> --to-port 8080
> iptables -A INPUT -p tcp --dport 8080 -m physdev --physdev-in eth1
> --physdev-out eth0 -j ACCEPT
>
> Kind Regards
>
> William
Need to do some debugging.
Set default INPUT policy to ACCEPT and add various rules in the INPUT
chain (without any target action ) to verify which rules are matching.
for example:
iptables -A INPUT -p tcp --dport 8080 -m physdev --physdev-in eth1
--physdev-out eth0
iptables -A INPUT -p tcp --dport 8080 -m physdev --physdev-in eth0
--physdev-out eth1
iptables -A INPUT -p tcp --dport 8080 -i br0
Then check out the output of:
iptables -nvL INPUT
HTH
Jasbir
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
^ permalink raw reply [flat|nested] 5+ messages in thread
* RE: [LARTC] filter policy drop and allow transparent proxy
2006-12-28 18:21 [LARTC] filter policy drop and allow transparent proxy William Bohannan
` (2 preceding siblings ...)
2006-12-29 8:52 ` Jasbir Khehra
@ 2006-12-29 13:34 ` William Bohannan
3 siblings, 0 replies; 5+ messages in thread
From: William Bohannan @ 2006-12-29 13:34 UTC (permalink / raw)
To: lartc
Did exactly what you said and added the following lines to the code to
make:
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
echo "1" > /proc/sys/net/ipv4/ip_forward
iptables -P INPUT DROP
ebtables -t broute -A BROUTING -p IPv4 --ip-protocol 6
--ip-destination-port 80 -j redirect --redirect-target ACCEPT
iptables -t nat -A PREROUTING -i br0 -p tcp --dport 80 -j REDIRECT
--to-port 8080
iptables -A INPUT -p tcp --dport 8080 -m physdev --physdev-in eth1
--physdev-out eth0 -j ACCEPT
iptables -A INPUT -p tcp --dport 8080 -m physdev --physdev-in eth0
--physdev-out eth1 -j ACCEPT
Still had no luck. The output you asked for:
server1:~# iptables -nvL INPUT
Chain INPUT (policy DROP 35 packets, 2223 bytes)
pkts bytes target prot opt in out source
destination
2 146 ACCEPT all -- lo * 0.0.0.0/0
0.0.0.0/0
255 17920 ACCEPT all -- * * 0.0.0.0/0
0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- * * 0.0.0.0/0
0.0.0.0/0 PHYSDEV match --physdev-in eth0 multiport ports
81,82,3003
0 0 ACCEPT udp -- * * 0.0.0.0/0
0.0.0.0/0 PHYSDEV match --physdev-in eth1 multiport ports
81,82,3003
0 0 ACCEPT tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:8080 PHYSDEV match --physdev-in eth1
--physdev-out eth0
0 0 ACCEPT tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:8080 PHYSDEV match --physdev-in eth0
--physdev-out eth1
Kind Regards
William
-----Original Message-----
From: Jasbir Khehra [mailto:jasbir.k@gmail.com]
Sent: 29 December 2006 08:40
To: lartc@mailman.ds9a.nl
Cc: William Bohannan
Subject: Re: [LARTC] filter policy drop and allow transparent proxy
William Bohannan wrote:
> Thanks for the quick response Jasbir. Tried doing as you said with no
> luck, changed dport to port 8080 on the 4th line (see below). Same as
> before if you remove line 1 the transparent proxy works.
>
>
> iptables -P INPUT DROP
> ebtables -t broute -A BROUTING -p IPv4 --ip-protocol 6
> --ip-destination-port 80 -j redirect --redirect-target ACCEPT
> iptables -t nat -A PREROUTING -i br0 -p tcp --dport 80 -j REDIRECT
> --to-port 8080
> iptables -A INPUT -p tcp --dport 8080 -m physdev --physdev-in eth1
> --physdev-out eth0 -j ACCEPT
>
> Kind Regards
>
> William
Need to do some debugging.
Set default INPUT policy to ACCEPT and add various rules in the INPUT
chain (without any target action ) to verify which rules are matching.
for example:
iptables -A INPUT -p tcp --dport 8080 -m physdev --physdev-in eth1
--physdev-out eth0
iptables -A INPUT -p tcp --dport 8080 -m physdev --physdev-in eth0
--physdev-out eth1
iptables -A INPUT -p tcp --dport 8080 -i br0
Then check out the output of:
iptables -nvL INPUT
HTH
Jasbir
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2006-12-29 13:34 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2006-12-28 18:21 [LARTC] filter policy drop and allow transparent proxy William Bohannan
2006-12-28 18:49 ` Jasbir Khehra
2006-12-28 19:24 ` William Bohannan
2006-12-29 8:52 ` Jasbir Khehra
2006-12-29 13:34 ` William Bohannan
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.