Hi, I have been using Shorewall for a while now and find it very useful and easy to configure. I am learning iptables and having trouble getting the bridge to successfully work with squid, although I get it working with Shorewall straight away. Does anyone know the rules to successfully use squid with a transparent bridge?

Internet - router - (bridge eth0 - eth1) - local lan

auto lo
iface lo inet loopback

auto br0
iface br0 inet static
    address 192.168.0.253
    netmask 255.255.255.0
    network 192.168.0.0
    broadcast 192.168.0.255
    gateway 192.168.0.254
    pre-up /sbin/ip link set eth0 up
    pre-up /sbin/ip link set eth1 up
    pre-up /usr/sbin/brctl addbr br0
    pre-up /usr/sbin/brctl addif br0 eth0
    pre-up /usr/sbin/brctl addif br0 eth1

# accept connections from the LAN to the proxy port (bare 192.168.0.0 would match only that one address, so the /24 mask is needed)
iptables -A INPUT -i br0 -p tcp -d 192.168.0.253 -s 192.168.0.0/24 --dport 3128 -m state --state NEW,ESTABLISHED -j ACCEPT
# send LAN web traffic to the proxy
iptables -t nat -A PREROUTING -i br0 -p tcp --dport 80 -j REDIRECT --to-port 3128
echo 1 > /proc/sys/net/ipv4/ip_forward

with no luck ☹

Kind regards,
William
> iptables -t nat -A PREROUTING -i br0 -p tcp --dport 80 -j REDIRECT --to-port 3128

This is the same line I use and it works fine. What exactly is the problem? Is it that clients don't use squid, that clients can't access the web, or what?

Andy
On Friday 21 July 2006 15:31, William Bohannan wrote:
> Hi, I have been using Shorewall for a while now and find it very useful and
> easy to configure. I am learning iptables and having trouble getting the
> bridge to successfully work with squid, although I get it working with
> Shorewall straight away. Does anyone know the rules to successfully use
> squid with a transparent bridge?
>
> Internet - router - (bridge eth0 - eth1) - local lan
>
> auto lo
> iface lo inet loopback
>
> auto br0
> iface br0 inet static
>     address 192.168.0.253
>     netmask 255.255.255.0
>     network 192.168.0.0
>     broadcast 192.168.0.255
>     gateway 192.168.0.254
>     pre-up /sbin/ip link set eth0 up
>     pre-up /sbin/ip link set eth1 up
>     pre-up /usr/sbin/brctl addbr br0
>     pre-up /usr/sbin/brctl addif br0 eth0
>     pre-up /usr/sbin/brctl addif br0 eth1
>
> iptables -A INPUT -i br0 -p tcp -d 192.168.0.253 -s 192.168.0.0/24 --dport 3128 -m state --state NEW,ESTABLISHED -j ACCEPT
> iptables -t nat -A PREROUTING -i br0 -p tcp --dport 80 -j REDIRECT --to-port 3128
> echo 1 > /proc/sys/net/ipv4/ip_forward

You are at the link layer in the bridge; packets don't travel up to the network layer, so iptables does not even see these packets.
Either you can use ebtables[1] or see 'physdev' in the iptables man page.

[1] http://ebtables.sourceforge.net/

-- 
Luciano
Luciano Ruete wrote:
> On Friday 21 July 2006 15:31, William Bohannan wrote:
>> Hi, I have been using Shorewall for a while now and find it very useful and
>> easy to configure. I am learning iptables and having trouble getting the
>> bridge to successfully work with squid, although I get it working with
>> Shorewall straight away. Does anyone know the rules to successfully use
>> squid with a transparent bridge?
>>
>> Internet - router - (bridge eth0 - eth1) - local lan
>>
>> auto lo
>> iface lo inet loopback
>>
>> auto br0
>> iface br0 inet static
>>     address 192.168.0.253
>>     netmask 255.255.255.0
>>     network 192.168.0.0
>>     broadcast 192.168.0.255
>>     gateway 192.168.0.254
>>     pre-up /sbin/ip link set eth0 up
>>     pre-up /sbin/ip link set eth1 up
>>     pre-up /usr/sbin/brctl addbr br0
>>     pre-up /usr/sbin/brctl addif br0 eth0
>>     pre-up /usr/sbin/brctl addif br0 eth1
>>
>> iptables -A INPUT -i br0 -p tcp -d 192.168.0.253 -s 192.168.0.0/24 --dport 3128 -m state --state NEW,ESTABLISHED -j ACCEPT
>> iptables -t nat -A PREROUTING -i br0 -p tcp --dport 80 -j REDIRECT --to-port 3128
>> echo 1 > /proc/sys/net/ipv4/ip_forward
>
> You are at the link layer in the bridge; packets don't travel up to the network layer,
> so iptables does not even see these packets.
> Either you can use ebtables[1] or see 'physdev' in the iptables man page.
>
> [1] http://ebtables.sourceforge.net/

Also, I need to point this out: be very careful not to include the squid machine in the ebtables redirect, as that could end up in an endless loop.
William Bohannan
2006-Jul-24 19:33 UTC
RE: linux transparent bridge running squid and dansguardian
Thanks for the quick reply. Although I have had no success, I have been trying all day using both physdev and ebtables, neither of which I can get working :( Please help - below is what I am currently using.

***********************************************************************
#!/bin/sh
PATH=/usr/sbin:/sbin:/bin:/usr/bin

#
# delete all existing rules.
#
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X

# Always accept loopback traffic
iptables -A INPUT -i lo -j ACCEPT

# Allow established connections, and those not coming from the outside
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state NEW ! -i eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow outgoing connections from the LAN side.
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT

# Masquerade.
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

# Don't forward from the outside to the inside.
#iptables -A FORWARD -i eth0 -o eth1 -j REJECT

# Enable routing.
echo 1 > /proc/sys/net/ipv4/ip_forward

# This line tells ebtables to route the packets going to port 80 instead of bridging them.
# In the broute table the standard target DROP means "route" and ACCEPT means "bridge",
# so the redirect must end in DROP for the packets to reach the IP stack at all.
ebtables -t broute -A BROUTING -p IPv4 --ip-protocol 6 --ip-destination-port 80 -j redirect --redirect-target DROP

# Now that the port-80 packets are routed, send the ones arriving on the LAN port to the proxy on 8080:
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 8080

# This line is from the www.linux.com transparent proxy article, which allows port 8080 from the local network
#iptables -A INPUT -i eth1 -p tcp -d 192.168.0.253 -s 192.168.0.0/24 --dport 8080 -m state --state NEW,ESTABLISHED -j ACCEPT

# Let bridged port-80 traffic from the LAN port out through the WAN port.
iptables -A FORWARD -p tcp --dport 80 -m physdev --physdev-in eth1 --physdev-out eth0 -j ACCEPT
**********************************************************************

Please help - if I use Shorewall it works on the first go.

Internet - (eth0 - eth1) - local lan

Kind regards,
William
Luciano Ruete
2006-Jul-25 18:09 UTC
Re: linux transparent bridge running squid and dansguardian
On Monday 24 July 2006 16:33, William Bohannan wrote:
> Thanks for the quick reply. Although I have had no success, I have been
> trying all day using both physdev and ebtables, neither of which I can get
> working :( Please help - below is what I am currently using.
>

Try this; it is a simple one-line modified version of your first post's script. If this proof of concept works, then add all the other iptables rules that you want.

iptables -F
iptables -t nat -F
iptables -t nat -A PREROUTING -m physdev --physdev-in eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128

-- 
Luciano

_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
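The physdev one-liner in Luciano's last message, together with his two earlier points (iptables only sees bridged frames under certain conditions, and the proxy machine must not be caught by its own redirect), is enough to build a complete setup. The script below is an added example for this thread, not code posted by any participant. It takes the thread's topology as its assumptions: eth1 is the LAN-facing port of br0, br0 is 192.168.0.253, and the proxy listens on 3128 (set PROXY_PORT=8080 to feed DansGuardian instead, as in William's second script). The PROXY_EXCLUDE knob and the function names are the example's own. Running it without arguments only prints the rules; --apply installs them after checking that bridge-netfilter is actually handing frames to iptables.

```shell
#!/bin/sh
# Transparent Squid on a Linux bridge, built around the physdev rule from
# Luciano's last message. Added example for this thread, not code posted by
# any participant. Assumed (from the thread): eth1 is the LAN-facing port of
# br0, br0 is 192.168.0.253, and the proxy listens on 3128 (8080 would be
# the DansGuardian port from the subject line).

LAN_IF=${LAN_IF:-eth1}
BR_IF=${BR_IF:-br0}
BR_IP=${BR_IP:-192.168.0.253}
PROXY_PORT=${PROXY_PORT:-3128}
# Set this only if the proxy is a separate host on the LAN segment: its own
# outbound port-80 connections would otherwise come in on eth1 and be
# redirected straight back to it (the endless loop Luciano warns about).
# A proxy running on the bridge itself needs no exclusion: its traffic
# leaves through OUTPUT and never traverses PREROUTING.
PROXY_EXCLUDE=${PROXY_EXCLUDE:-}

# Bridged frames are handed to iptables only when bridge-netfilter is on.
# The sysctl file appears once the bridge code is loaded (on kernels 3.18
# and later it is provided by the br_netfilter module: modprobe br_netfilter).
bridge_nf_enabled() {
    f=/proc/sys/net/bridge/bridge-nf-call-iptables
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# Print the rule set, one command per line, so it can be reviewed (and
# tested) before anything touches the kernel.
# $1 LAN port, $2 bridge device, $3 bridge IP, $4 proxy port,
# $5 optional source IP to exempt from redirection.
build_rules() {
    lan=$1; br=$2; ip=$3; port=$4; exclude=${5:-}
    if [ -n "$exclude" ]; then
        # ACCEPT in the nat table means "no NAT for this connection".
        printf 'iptables -t nat -A PREROUTING -m physdev --physdev-in %s -p tcp --dport 80 -s %s -j ACCEPT\n' "$lan" "$exclude"
    fi
    # physdev matches the physical bridge port; -i would only ever see br0.
    printf 'iptables -t nat -A PREROUTING -m physdev --physdev-in %s -p tcp --dport 80 -j REDIRECT --to-port %s\n' "$lan" "$port"
    # After REDIRECT the packet is addressed to the bridge itself, so it
    # goes through INPUT rather than FORWARD: let it reach the proxy port.
    printf 'iptables -A INPUT -i %s -m physdev --physdev-in %s -p tcp -d %s --dport %s -m state --state NEW,ESTABLISHED -j ACCEPT\n' "$br" "$lan" "$ip" "$port"
}

apply_rules() {
    if ! bridge_nf_enabled; then
        echo "bridge-nf-call-iptables is not 1; iptables will never see bridged frames." >&2
        echo "Fix: sysctl -w net.bridge.bridge-nf-call-iptables=1 (modprobe br_netfilter first on newer kernels)" >&2
        return 1
    fi
    # The while loop runs in a subshell; its exit 1 becomes the pipeline status.
    build_rules "$LAN_IF" "$BR_IF" "$BR_IP" "$PROXY_PORT" "$PROXY_EXCLUDE" | while IFS= read -r rule; do
        printf '+ %s\n' "$rule"
        eval "$rule" || { echo "failed: $rule" >&2; exit 1; }
    done
}

case "${1:-}" in
    --apply) apply_rules ;;
    *)       build_rules "$LAN_IF" "$BR_IF" "$BR_IP" "$PROXY_PORT" "$PROXY_EXCLUDE" ;;
esac
```

Squid has to know it is intercepting, since REDIRECT rewrites the destination and the proxy must recover the original one: `http_port 3128 transparent` on Squid 2.x, `http_port 3128 intercept` on 3.1 and later. To confirm packets are reaching the rule at all, watch `iptables -t nat -L PREROUTING -v -n` while a client browses; a packet counter that stays at zero means the bridge-netfilter sysctl is off and the frames are being bridged below iptables, which is exactly the situation Luciano described.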