* transparent proxy and iptables failing
From: Robin Wood @ 2009-10-07 11:44 UTC
To: netfilter

Hi
I'm trying to set up a transparent proxy so I've got a linux device with two NICs which are bridged using brctl. Traffic flows happily across the bridge so I know it is working fine.

Now when I try to set up the iptables rules they are being ignored. The rule I want to use is:

iptables -t nat -A PREROUTING -i br-lan -p tcp --dport 80 -j REDIRECT --to-port 3128

but nothing gets redirected. I've also tried changing 3128 to a port that is closed to see what would happen: nothing, the packets kept flowing.

I've also tried clearing the list and then adding

iptables -t nat -A PREROUTING -i br-lan -p tcp --dport 80 -j DROP

which should kill all web traffic but it doesn't. As a last resort I tried

iptables -t nat -A PREROUTING -i br-lan -p tcp -j DROP

which should kill all TCP traffic but again, nothing.

What am I doing wrong?

Robin
* Re: transparent proxy and iptables failing
From: Rakotomandimby Mihamina @ 2009-10-07 12:05 UTC
To: netfilter

10/07/2009 02:44 PM, Robin Wood:
> br-lan
> What am I doing wrong?

IMHO, the "-" in br-lan is wrong.
escape/protect it with "br-lan" or something like that.

-- 
IT Architect at Blueline/Gulfsat: System Administration, Research & Development
+261 34 29 155 34
* Re: transparent proxy and iptables failing
From: Brian Austin - Standard Universal @ 2009-10-07 12:31 UTC
Cc: netfilter

you could list your rules to prove that they look ok.

iptables -t nat --list -v

Rakotomandimby Mihamina wrote:
> 10/07/2009 02:44 PM, Robin Wood:
>> br-lan
>> What am I doing wrong?
>
> IMHO, the "-" in br-lan is wrong.
> escape/protect it with "br-lan" or something like that.
* Re: transparent proxy and iptables failing
From: Robin Wood @ 2009-10-07 13:12 UTC
To: Brian Austin - Standard Universal; Cc: netfilter

2009/10/7 Brian Austin - Standard Universal <brian@standarduniversal.com.au>:
> you could list your rules to prove that they look ok.
>
> iptables -t nat --list -v

I've tried changing br-lan to br0 and enclosing it in quotes but neither works. Here is the output from the above

# iptables -L -v -t nat
Chain PREROUTING (policy ACCEPT 4 packets, 532 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REDIRECT   tcp  --  br0    any     anywhere             anywhere            tcp dpt:80 redir ports 3128

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

And again, testing DROPping instead

# iptables -L -v -t nat
Chain PREROUTING (policy ACCEPT 4 packets, 532 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       tcp  --  br0    any     anywhere             anywhere            tcp dpt:80

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

With both these rules in place I've run tcpdump and watched traffic go over br0 on port 80.

What does the 4 packets and 532 bytes mean? That doesn't seem to be increasing as I do anything and isn't reset when I do a flush.

Robin
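As an added diagnostic (not code from the thread or the netfilter project), this parses the `iptables -L -v -t nat` listing above and compares two snapshots taken around a burst of new HTTP connections: the policy counter counts packets that fell through every rule in the chain, so when neither it nor the rule's counter moves while tcpdump shows port-80 traffic, the frames are not entering the nat table at all. The sample listing is constructed from the thread, and the bridge-netfilter condition named in the last finding is a kernel fact, not something the thread states.

```python
import re

# Constructed sample: the `iptables -L -v -t nat` listing quoted in the thread.
SAMPLE = """\
Chain PREROUTING (policy ACCEPT 4 packets, 532 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REDIRECT   tcp  --  br0    any     anywhere             anywhere            tcp dpt:80 redir ports 3128

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \(policy (\S+) (\d+) packets, (\d+) bytes\)")
SUFFIX = {"K": 10**3, "M": 10**6, "G": 10**9}  # iptables -v abbreviates large counters

def counter(tok: str) -> int:
    """Expand an abbreviated counter such as 12K or 3M to an integer."""
    return int(tok[:-1]) * SUFFIX[tok[-1]] if tok[-1] in SUFFIX else int(tok)

def parse_counters(text: str) -> dict:
    """Map chain name -> policy counters plus one dict per rule (pkts, target, in, match)."""
    chains, cur = {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        f = line.split()  # pkts bytes target prot opt in out source destination [match...]
        if m:
            name, policy, pkts, nbytes = m.groups()
            cur = chains[name] = {"policy": policy, "pkts": int(pkts), "bytes": int(nbytes), "rules": []}
        elif cur is not None and f and f[0][0].isdigit():  # skips the header row and blank lines
            cur["rules"].append({"pkts": counter(f[0]), "target": f[2], "in": f[5], "match": " ".join(f[9:])})
    return chains

def diagnose(before: str, after: str) -> list:
    """Compare two listings taken around a burst of new connections (nat sees only each flow's first packet)."""
    b, a = parse_counters(before), parse_counters(after)
    findings = []
    for name, ch in a.items():
        fell_through = ch["pkts"] - b[name]["pkts"]  # packets that reached the chain's policy
        for i, r in enumerate(ch["rules"]):
            hits = r["pkts"] - b[name]["rules"][i]["pkts"]
            if hits > 0:
                findings.append(f"{name} rule {i + 1} ({r['target']} {r['match']}) matched {hits} packets")
            elif fell_through > 0:
                findings.append(f"{name} rule {i + 1} saw traffic but never matched: check -i/-p/--dport")
            else:  # neither counter moved: the frames never entered this table at all
                findings.append(f"{name}: no packets traversed the chain; layer-2 bridged frames reach iptables "
                                "only with CONFIG_BRIDGE_NETFILTER and net.bridge.bridge-nf-call-iptables=1")
    return findings
```

Take the first snapshot, open a handful of fresh port-80 connections through the bridge, take the second, and feed both to diagnose(); both snapshots are assumed to list the same rules in the same order.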
* Re: transparent proxy and iptables failing
From: Robin Wood @ 2009-10-07 16:35 UTC
To: netfilter

2009/10/7 Robin Wood <robin@digininja.org>:
> Hi
> I'm trying to set up a transparent proxy so I've got a linux device
> with two NICs which are bridged using brctl. Traffic flows happily
> across the bridge so I know it is working fine.
>
> Now when I try to set up the iptables rules they are being ignored. The
> rule I want to use is:
>
> iptables -t nat -A PREROUTING -i br-lan -p tcp --dport 80 -j REDIRECT
> --to-port 3128
>
> but nothing gets redirected. I've also tried changing 3128 to a port
> that is closed to see what would happen, nothing, the packets kept
> flowing.

Various people have suggested using ebtables rather than iptables because I want to act on traffic over the bridge rather than between interfaces. If this is correct, how would I rewrite the above rule in ebtables speak?

Robin