[Bridge] transparent bridge and proxies

[Bridge] transparent bridge and proxies

[Julian Lyndon-Smith]

I want to be able to install a box that is a transparent bridge, but 
that is also running a transparent proxy, but with a twist ..

i am a newbie in all things linux, so bear with me :)

So far I have managed to install centos 4.3, and following various 
guides on the net, created a bridge between eth1 (connected to lan) and 
eth0 (connected to router). That works great.

I also managed to install squid, get it running transparently and added 
a rule to iptables to make all that work just fine. So now, all my 
clients attached to the lan run through the squid proxy without them 
knowing.

Now, for the twist. For development and testing, I assigned an ip 
address and gateway to the bridge. I need to be able for a "non-it" 
person to install this box without having to set it up at all , so it 
cannot have an ip address assigned, as it *may* be in use somewhere else 
on the lan or router.

So, I changed the ip address to 0.0.0.0. Everything except squid still 
worked. I presume that's because it does not know how to route the data 
to get stuff.

Can I add a rule to iptables or something to say "anything that's come 
from eth1 into the local box, after processing send to eth0" and 
vice-versa ?

Julian.

Re: [Bridge] transparent bridge and proxies

[Marek Kierdelewicz]

> Now, for the twist. For development and testing, I assigned an ip 
> address and gateway to the bridge. I need to be able for a "non-it" 
> person to install this box without having to set it up at all , so it 
> cannot have an ip address assigned, as it *may* be in use somewhere
> else on the lan or router.

One sure and elegant solution is using dhcpcd for bridge adressing.
Unfortunately this requires dhcp server on the net. Dhcp would also
ensure ip clashes avoidance.

Loot at http://www.isc.org/index.pl?/sw/dhcp/.

> So, I changed the ip address to 0.0.0.0. Everything except squid
> still worked. I presume that's because it does not know how to route
> the data to get stuff.

I don't think you could make squid work without IP address assigned.

> Can I add a rule to iptables or something to say "anything that's
> come from eth1 into the local box, after processing send to eth0" and 
> vice-versa ?

Squid needs dns access and needs to know where to direct it's
requests.

regards,
-- 
Marek Kierdelewicz
Kierownik Dzia?u Systemów Sieciowych, KoBa
Manager of Network Systems Department, KoBa
tel. (85) 7406466; fax. (85) 7406467
e-mail: admin@koba.pl

Re: [Bridge] transparent bridge and proxies

[Benny Amorsen]

>>>>> "JL-S" == Julian Lyndon-Smith <asterisk@dotr.com> writes:

JL-S> So, I changed the ip address to 0.0.0.0. Everything except squid
JL-S> still worked. I presume that's because it does not know how to
JL-S> route the data to get stuff.

JL-S> Can I add a rule to iptables or something to say "anything
JL-S> that's come from eth1 into the local box, after processing send
JL-S> to eth0" and vice-versa ?

How about using 127.0.0.1 or something else on the local subnet?
iptables should be able to redirect to that.

I don't know how you'll get traffic from squid out of the box though.
If you know a way to make squid reuse the original clients address in
the outgoing connection, I'm all ears.


/Benny

Re: [Bridge] transparent bridge and proxies

[Etienne Pretorius]

[-- Attachment #1: Type: text/plain, Size: 1566 bytes --]

I am also all ears,

The transparent proxy without an IP address was my first attempt - but 
then I succumbed to the pressures of a due date and just eventually 
assigned an IP address to the bridged interfaces.
I suspect that it will have to be done with ip route 2 package - but 
even the one-way NAT does not make your machine transparent as you need 
to reply to ARP requests to allow the returning packet to find your 
machine/application....

PS, could this list please add a reply-to field to just allow me to 
reply to the list and not to the poster.... (so sorry Benny Amorsen for 
the other email).

Kind Regards
Etienne

Benny Amorsen wrote:
>>>>>> "JL-S" == Julian Lyndon-Smith <asterisk@dotr.com> writes:
>>>>>>             
>
> JL-S> So, I changed the ip address to 0.0.0.0. Everything except squid
> JL-S> still worked. I presume that's because it does not know how to
> JL-S> route the data to get stuff.
>
> JL-S> Can I add a rule to iptables or something to say "anything
> JL-S> that's come from eth1 into the local box, after processing send
> JL-S> to eth0" and vice-versa ?
>
> How about using 127.0.0.1 or something else on the local subnet?
> iptables should be able to redirect to that.
>
> I don't know how you'll get traffic from squid out of the box though.
> If you know a way to make squid reuse the original clients address in
> the outgoing connection, I'm all ears.
>
>
> /Benny
>
>
> _______________________________________________
> Bridge mailing list
> Bridge@lists.osdl.org
> https://lists.osdl.org/mailman/listinfo/bridge
>   

[-- Attachment #2: Type: text/html, Size: 2445 bytes --]

Re: [Bridge] transparent bridge and proxies

[Melissa Meyer]

In the 2.6 kernel, there's an iptables module called physdev to match 
the bridge's physical in and out devices so something like:

iptables -A FORWARD -m physdev -p tcp --dport 25
--physdev-in eth0 -j ACCEPT

to allow smtp traffic through.


Julian Lyndon-Smith wrote:
> I want to be able to install a box that is a transparent bridge, but 
> that is also running a transparent proxy, but with a twist ..
>
> i am a newbie in all things linux, so bear with me :)
>
> So far I have managed to install centos 4.3, and following various 
> guides on the net, created a bridge between eth1 (connected to lan) and 
> eth0 (connected to router). That works great.
>
> I also managed to install squid, get it running transparently and added 
> a rule to iptables to make all that work just fine. So now, all my 
> clients attached to the lan run through the squid proxy without them 
> knowing.
>
> Now, for the twist. For development and testing, I assigned an ip 
> address and gateway to the bridge. I need to be able for a "non-it" 
> person to install this box without having to set it up at all , so it 
> cannot have an ip address assigned, as it *may* be in use somewhere else 
> on the lan or router.
>
> So, I changed the ip address to 0.0.0.0. Everything except squid still 
> worked. I presume that's because it does not know how to route the data 
> to get stuff.
>
> Can I add a rule to iptables or something to say "anything that's come 
> from eth1 into the local box, after processing send to eth0" and 
> vice-versa ?
>
> Julian.
> _______________________________________________
> Bridge mailing list
> Bridge@lists.osdl.org
> https://lists.osdl.org/mailman/listinfo/bridge
>   

Re: [Bridge] transparent bridge and proxies

[Julian Lyndon-Smith]

Thanks Melissa for responding

I was trying to play with physdev.

Ignoring all the inbound stuff, if I was on the console of this machine 
(Mybox)
                     MyBox
                +-----br0----+
                |            |
router<--->eth0+            +eth1<--->Lan

Where br0, eth0 and eth1 had no ip address, and I wanted to "yum update" 
  (which I presume uses port 80) what rules would I need to put in place 
? I was looking for something to do with 127.0.0.1 (the lo interface) 
and eth0.

If I got that to work, the squid proxy should automatically follow, no ?

Julian

Melissa Meyer wrote:
> 
> In the 2.6 kernel, there's an iptables module called physdev to match 
> the bridge's physical in and out devices so something like:
> 
> iptables -A FORWARD -m physdev -p tcp --dport 25
> --physdev-in eth0 -j ACCEPT
> 
> to allow smtp traffic through.
> 
> 
> Julian Lyndon-Smith wrote:
>> I want to be able to install a box that is a transparent bridge, but 
>> that is also running a transparent proxy, but with a twist ..
>>
>> i am a newbie in all things linux, so bear with me :)
>>
>> So far I have managed to install centos 4.3, and following various 
>> guides on the net, created a bridge between eth1 (connected to lan) and 
>> eth0 (connected to router). That works great.
>>
>> I also managed to install squid, get it running transparently and added 
>> a rule to iptables to make all that work just fine. So now, all my 
>> clients attached to the lan run through the squid proxy without them 
>> knowing.
>>
>> Now, for the twist. For development and testing, I assigned an ip 
>> address and gateway to the bridge. I need to be able for a "non-it" 
>> person to install this box without having to set it up at all , so it 
>> cannot have an ip address assigned, as it *may* be in use somewhere else 
>> on the lan or router.
>>
>> So, I changed the ip address to 0.0.0.0. Everything except squid still 
>> worked. I presume that's because it does not know how to route the data 
>> to get stuff.
>>
>> Can I add a rule to iptables or something to say "anything that's come 
>> from eth1 into the local box, after processing send to eth0" and 
>> vice-versa ?
>>
>> Julian.
>> _______________________________________________
>> Bridge mailing list
>> Bridge@lists.osdl.org
>> https://lists.osdl.org/mailman/listinfo/bridge
>>   
> _______________________________________________
> Bridge mailing list
> Bridge@lists.osdl.org
> https://lists.osdl.org/mailman/listinfo/bridge
> 
> 

Re: [Bridge] transparent bridge and proxies

[Melissa Meyer]

In that situation, I put a third nic on the box and gave it a real IP 
address for management purposes (such as running yum).  I'm not exactly 
sure yum updates to the bridge itself will work without an IP adddress.

I think in the proxy situation, you might need to set up a prerouting 
iptables rule that redirects the traffic to the squid port or something 
similar?


Julian Lyndon-Smith wrote:
> Thanks Melissa for responding
>
> I was trying to play with physdev.
>
> Ignoring all the inbound stuff, if I was on the console of this 
> machine (Mybox)
>                     MyBox
>                +-----br0----+
>                |            |
> router<--->eth0+            +eth1<--->Lan
>
> Where br0, eth0 and eth1 had no ip address, and I wanted to "yum 
> update"  (which I presume uses port 80) what rules would I need to put 
> in place ? I was looking for something to do with 127.0.0.1 (the lo 
> interface) and eth0.
>
> If I got that to work, the squid proxy should automatically follow, no ?
>
> Julian
>
> Melissa Meyer wrote:
>>
>> In the 2.6 kernel, there's an iptables module called physdev to match 
>> the bridge's physical in and out devices so something like:
>>
>> iptables -A FORWARD -m physdev -p tcp --dport 25
>> --physdev-in eth0 -j ACCEPT
>>
>> to allow smtp traffic through.
>>
>>
>> Julian Lyndon-Smith wrote:
>>> I want to be able to install a box that is a transparent bridge, but 
>>> that is also running a transparent proxy, but with a twist ..
>>>
>>> i am a newbie in all things linux, so bear with me :)
>>>
>>> So far I have managed to install centos 4.3, and following various 
>>> guides on the net, created a bridge between eth1 (connected to lan) 
>>> and eth0 (connected to router). That works great.
>>>
>>> I also managed to install squid, get it running transparently and 
>>> added a rule to iptables to make all that work just fine. So now, 
>>> all my clients attached to the lan run through the squid proxy 
>>> without them knowing.
>>>
>>> Now, for the twist. For development and testing, I assigned an ip 
>>> address and gateway to the bridge. I need to be able for a "non-it" 
>>> person to install this box without having to set it up at all , so 
>>> it cannot have an ip address assigned, as it *may* be in use 
>>> somewhere else on the lan or router.
>>>
>>> So, I changed the ip address to 0.0.0.0. Everything except squid 
>>> still worked. I presume that's because it does not know how to route 
>>> the data to get stuff.
>>>
>>> Can I add a rule to iptables or something to say "anything that's 
>>> come from eth1 into the local box, after processing send to eth0" 
>>> and vice-versa ?
>>>
>>> Julian.
>>> _______________________________________________
>>> Bridge mailing list
>>> Bridge@lists.osdl.org
>>> https://lists.osdl.org/mailman/listinfo/bridge
>>>   
>> _______________________________________________
>> Bridge mailing list
>> Bridge@lists.osdl.org
>> https://lists.osdl.org/mailman/listinfo/bridge
>>
>>
>

Re: [Bridge] transparent bridge and proxies

[Marek Kierdelewicz]

> Now, for the twist. For development and testing, I assigned an ip 
> address and gateway to the bridge. I need to be able for a "non-it" 
> person to install this box without having to set it up at all , so it 
> cannot have an ip address assigned, as it *may* be in use somewhere
> else on the lan or router.

One sure and elegant solution is using dhcpcd for bridge adressing.
Unfortunately this requires dhcp server on the net. Dhcp would also
ensure ip clashes avoidance.

Loot at http://www.isc.org/index.pl?/sw/dhcp/.

> So, I changed the ip address to 0.0.0.0. Everything except squid
> still worked. I presume that's because it does not know how to route
> the data to get stuff.

I don't think you could make squid work without IP address assigned.

> Can I add a rule to iptables or something to say "anything that's
> come from eth1 into the local box, after processing send to eth0" and 
> vice-versa ?

Squid needs dns access and needs to know where to direct it's
requests.

regards,
-- 
Marek Kierdelewicz
Kierownik Dzia?u Systemów Sieciowych, KoBa
Manager of Network Systems Department, KoBa
tel. (85) 7406466; fax. (85) 7406467
e-mail: admin@koba.pl

Re: [Bridge] transparent bridge and proxies

[Skept]

Julian,

I did not understand what you meant by this paragraph.

"Now, for the twist. For development and testing, I assigned an ip
address and gateway to the bridge. I need to be able for a "non-it"
person to install this box without having to set it up at all , so it
cannot have an ip address assigned, as it *may* be in use somewhere else
on the lan or router."

Did your bridge + transparent proxy work without you adding an ip[\and
route] to the bridge interface? I mean, before the "twist".

Skept