* transparent proxy and iptables failing
From: Robin Wood @ 2009-10-07 11:44 UTC (permalink / raw)
To: netfilter
Hi
I'm trying to set up a transparent proxy, so I've got a Linux device
with two NICs which are bridged using brctl. Traffic flows happily
across the bridge, so I know it is working fine.
Now when I try to set up the iptables rules they are being ignored. The
rule I want to use is:
iptables -t nat -A PREROUTING -i br-lan -p tcp --dport 80 -j REDIRECT --to-port 3128
but nothing gets redirected. I've also tried changing 3128 to a port
that is closed to see what would happen: nothing, the packets kept
flowing.
I've also tried clearing the list and then adding
iptables -t nat -A PREROUTING -i br-lan -p tcp --dport 80 -j DROP
which should kill all web traffic, but it doesn't. As a last resort I tried
iptables -t nat -A PREROUTING -i br-lan -p tcp -j DROP
which should kill all TCP traffic, but again, nothing.
What am I doing wrong?
Robin
* Re: transparent proxy and iptables failing
From: Rakotomandimby Mihamina @ 2009-10-07 12:05 UTC (permalink / raw)
To: netfilter
10/07/2009 02:44 PM, Robin Wood:
> br-lan
> What am I doing wrong?
IMHO, the "-" in br-lan is wrong.
Escape/protect it with "br-lan" or something like that.
--
IT Architect at Blueline/Gulfsat:
System Administration, Research & Development
+261 34 29 155 34
* Re: transparent proxy and iptables failing
From: Brian Austin - Standard Universal @ 2009-10-07 12:31 UTC (permalink / raw)
Cc: netfilter
You could list your rules to prove that they look ok:
iptables -t nat --list -v
Rakotomandimby Mihamina wrote:
> 10/07/2009 02:44 PM, Robin Wood:
>> br-lan
>> What am I doing wrong?
>
> IMHO, the "-" in br-lan is wrong.
> escape/protect it with "br-lan" or something like that.
>
* Re: transparent proxy and iptables failing
From: Robin Wood @ 2009-10-07 13:12 UTC (permalink / raw)
To: Brian Austin - Standard Universal; +Cc: netfilter
2009/10/7 Brian Austin - Standard Universal <brian@standarduniversal.com.au>:
> you could list your rules to prove that they look ok.
>
> iptables -t nat --list -v
>
I've tried changing br-lan to br0 and enclosing it in quotes, but neither works.
Here is the output from the above:
# iptables -L -v -t nat
Chain PREROUTING (policy ACCEPT 4 packets, 532 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REDIRECT   tcp  --  br0    any     anywhere             anywhere            tcp dpt:80 redir ports 3128
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
And again, testing DROPing instead:
# iptables -L -v -t nat
Chain PREROUTING (policy ACCEPT 4 packets, 532 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       tcp  --  br0    any     anywhere             anywhere            tcp dpt:80
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
With both these rules in place I've run tcpdump and watched traffic go
over br0 on port 80.
What does the 4 packets and 532 bytes mean? That doesn't seem to be
increasing as I do anything and isn't reset when I do a flush.
Robin
>
>
> Rakotomandimby Mihamina wrote:
>>
>> 10/07/2009 02:44 PM, Robin Wood:
>>>
>>> br-lan
>>> What am I doing wrong?
>>
>> IMHO, the "-" in br-lan is wrong.
>> escape/protect it with "br-lan" or something like that.
>>
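A diagnostic script added here for the counters Robin posted; it is not from the thread or from the netfilter project. It reads the same `iptables -L -v -t nat` listing shape and separates "the rule exists but has never matched" (rule pkts stay at 0 while tcpdump shows the traffic) from "the rule matches", and checks whether the kernel is handing bridged frames to iptables at all. It assumes a Linux host with iptables and that the bridge-netfilter sysctl /proc/sys/net/bridge/bridge-nf-call-iptables exists only when that support is built and loaded; the listing it parses is a constructed copy of the output above.

```shell
#!/bin/sh
# Added diagnostic, not from the original posts. Assumptions: Linux with
# iptables; /proc/sys/net/bridge/bridge-nf-call-iptables is present only when
# bridge-netfilter is built/loaded (1 = bridged frames traverse iptables).

# Constructed sample in the shape of the listing quoted in the thread:
# the REDIRECT rule is present but its counters have never moved.
SAMPLE_NAT='Chain PREROUTING (policy ACCEPT 4 packets, 532 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REDIRECT   tcp  --  br0    any     anywhere             anywhere            tcp dpt:80 redir ports 3128
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination'

# Sum of the pkts counter of every rule in chain $1 whose target is $2.
# Listing is read from stdin (e.g. iptables -L -v -n -t nat).
rule_pkts() {
    awk -v chain="$1" -v target="$2" '
        /^Chain / { in_chain = ($2 == chain); next }
        in_chain && $3 == target { sum += $1 }
        END { print sum + 0 }'
}

# Packet count of the chain policy counter for chain $1: packets that reached
# the end of the chain without a terminating match.
policy_pkts() {
    awk -v chain="$1" '/^Chain / && $2 == chain { print $5 }'
}

# Is bridged traffic handed to iptables at all? Prints 1, 0, or "absent".
bridge_nf_call_iptables() {
    f=/proc/sys/net/bridge/bridge-nf-call-iptables
    if [ -r "$f" ]; then cat "$f"; else echo absent; fi
}

# Classify chain $1 / target $2 from a listing on stdin: "matching:N" when the
# rule counters move, otherwise "never-matched" (the thread's symptom: 0 pkts
# on the rule while port-80 traffic is visible on the bridge, i.e. those
# frames are not traversing the nat PREROUTING chain).
diagnose() {
    listing=$(cat)
    hits=$(printf '%s\n' "$listing" | rule_pkts "$1" "$2")
    if [ "$hits" -gt 0 ]; then echo "matching:$hits"; else echo "never-matched"; fi
}

# Live usage: iptables -L -v -n -t nat | diagnose PREROUTING REDIRECT
#             bridge_nf_call_iptables
```

Run the listing through `diagnose` before and after generating traffic; a rule that stays at "never-matched" with the sysctl reading 0 or "absent" points at the bridge path, not at the rule syntax.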
* Re: transparent proxy and iptables failing
From: Robin Wood @ 2009-10-07 16:35 UTC (permalink / raw)
To: netfilter
2009/10/7 Robin Wood <robin@digininja.org>:
> Hi
> I'm trying to set up a transparent proxy, so I've got a Linux device
> with two NICs which are bridged using brctl. Traffic flows happily
> across the bridge, so I know it is working fine.
>
> Now when I try to set up the iptables rules they are being ignored. The
> rule I want to use is:
>
> iptables -t nat -A PREROUTING -i br-lan -p tcp --dport 80 -j REDIRECT --to-port 3128
>
> but nothing gets redirected. I've also tried changing 3128 to a port
> that is closed to see what would happen: nothing, the packets kept
> flowing.
Various people have suggested using ebtables rather than iptables
because I want to act on traffic over the bridge rather than between
interfaces. If this is correct, how would I rewrite the above rule in
ebtables speak?
Robin