From: Felipe W Damasio <felipewd@gmail.com>
To: netfilter@vger.kernel.org
Cc: Bruno Gustavo Wallauer <brunogw@gmail.com>
Subject: ebtables broute DROP problem in production environment
Date: Wed, 23 Dec 2009 16:22:50 -0200
Message-ID: <8a87046f0912231022g438141afpfaa647ac0d01cdda@mail.gmail.com>
In-Reply-To: <8a87046f0912231019l76e69a9eg52a529023d02237b@mail.gmail.com>

  Hi all,

  I'm trying to use ebtables/iptables to implement a tproxy-squid on my network.

  I have a bridge-setup, with eth0 facing the user and eth1 facing the internet.

  Everything works great when I have a user connected with a
cross-over cable on eth0.

  But when I plug eth0 into the production environment network (which
uses multiple VLANs, one for the users and another for the internet),
HTTP traffic stops working (i.e. it doesn't get routed to squid).

  We use a Cisco switch 2690 (layer 2).

  I'm trying to figure out what's wrong with my setup:

uname -r : 2.6.29.6
ebtables --version : ebtables v2.0.9-1 (June 2009)
iptables --version : iptables v1.4.3.2

Rules applied:

iptables -t mangle -N DIVERT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT
iptables -t mangle -A PREROUTING -i eth0 -p tcp --dport 80 -j TPROXY \
    --tproxy-mark 0x1/0x1 --on-port 3128
ebtables -t broute -A BROUTING -i eth0 -p ipv4 --ip-proto tcp \
    --ip-dport 80 -j redirect --redirect-target DROP
ebtables -t broute -A BROUTING -i eth1 -p ipv4 --ip-proto tcp \
    --ip-sport 80 -j redirect --redirect-target DROP

cd /proc/sys/net/bridge/
for i in *
do
    echo 0 > $i
done
unset i

brctl stp br0 off
brctl setfd br0 1
brctl sethello br0 1
ip rule add fwmark 1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 0 > /proc/sys/net/ipv4/conf/lo/rp_filter
echo 1 > /proc/sys/net/ipv4/ip_nonlocal_bind
echo 1 > /proc/sys/net/ipv4/tcp_low_latency
echo 0 > /proc/sys/net/ipv4/conf/eth1/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/br0/rp_filter

  What am I missing?

  FYI, I tried using 2.6.32.2 and ebtables didn't work even with the
cross-over dummy client. Same with 2.6.33-rc1 and -rc1-git3. The
kernel 2.6.29.6 was the only one I tried that worked correctly.

  If you need any other info, please let me know.

  Thanks in advance!

Felipe Damasio
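One check worth running before changing the rules, added here and not part of Felipe's message: whether the port-80 frames reaching the user-facing bridge port arrive as plain IPv4 (outer EtherType 0x0800) or 802.1Q-tagged (outer EtherType 0x8100), given that the broute rules select frames with `-p ipv4`, and whether those broute rules are counting any matches at all. It assumes tcpdump and ebtables are installed and eth0 is the user-facing port as in the post; the tcpdump lines in SAMPLE_CAPTURE are constructed.

```shell
#!/bin/sh
# Added diagnostic (not from the original post). Assumes tcpdump and
# ebtables are installed and that eth0 is the user-facing bridge port.

# classify_frame LINE: classify one "tcpdump -e -nn" line by its outer
# EtherType; prints tagged, untagged or other.
classify_frame() {
    case "$1" in
        *"ethertype 802.1Q (0x8100)"*) echo tagged ;;
        *"ethertype IPv4 (0x0800)"*)   echo untagged ;;
        *)                             echo other ;;
    esac
}

# tally_frames: read tcpdump lines on stdin, print one summary line.
tally_frames() {
    tagged=0; untagged=0; other=0
    while IFS= read -r line; do
        case "$(classify_frame "$line")" in
            tagged)   tagged=$((tagged + 1)) ;;
            untagged) untagged=$((untagged + 1)) ;;
            *)        other=$((other + 1)) ;;
        esac
    done
    echo "tagged=$tagged untagged=$untagged other=$other"
}

# Constructed sample of what tcpdump -e -nn prints for a tagged and an
# untagged TCP/80 SYN (MAC and IP addresses are made up).
SAMPLE_CAPTURE='16:22:50.000001 00:11:22:33:44:55 > 66:77:88:99:aa:bb, ethertype 802.1Q (0x8100), length 78: vlan 10, p 0, ethertype IPv4, 192.0.2.10.51234 > 198.51.100.7.80: Flags [S], seq 1, win 5840, length 0
16:22:50.000002 00:11:22:33:44:55 > 66:77:88:99:aa:bb, ethertype IPv4 (0x0800), length 74: 192.0.2.11.51235 > 198.51.100.7.80: Flags [S], seq 1, win 5840, length 0'

tally_sample() { printf '%s\n' "$SAMPLE_CAPTURE" | tally_frames; }

# capture_port80 IFACE COUNT: live capture (needs root). A plain
# "tcp port 80" BPF filter does not look inside 802.1Q frames, so the
# tagged case is matched explicitly with "vlan and tcp port 80".
capture_port80() {
    tcpdump -e -nn -i "$1" -c "${2:-20}" \
        'tcp port 80 or (vlan and tcp port 80)' 2>/dev/null | tally_frames
}

# show_broute_counters: list the broute rules with packet/byte counters,
# to see whether the redirect rules are matching anything at all.
show_broute_counters() { ebtables -t broute -L --Lc; }

if [ "${1:-}" = "--run" ]; then
    show_broute_counters
    capture_port80 "${2:-eth0}" 20
fi
```

Run it as `sh check.sh --run eth0` on the bridge host; if every port-80 frame shows up as tagged while the broute counters stay at zero, the rules and the frames on the wire disagree about the EtherType.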
