Trying to use the policy drop rule with the bridged firewall, when I removed the first line the transparent proxy works great? It seems a bit strange as from reading several articles on it I thought the following occurs.

1st line - if it doesn't match it gets dropped on the local filter input.
2nd line - redirects the traffic off the link layer into the network layer ready for line 3.
3rd line - redirects the port 80 to 8080 and then goes to the local process (squid) through the input filter
4th line - input filter accepts the traffic overriding the global reject policy.

iptables -P INPUT DROP
ebtables -t broute -A BROUTING -p IPv4 --ip-protocol 6 --ip-destination-port 80 -j redirect --redirect-target ACCEPT
iptables -t nat -A PREROUTING -i br0 -p tcp --dport 80 -j REDIRECT --to-port 8080
iptables -A INPUT -p tcp --dport 80 -m physdev --physdev-in eth1 --physdev-out eth0 -j ACCEPT

Any help would be most welcome.

Kind Regards
William
William Bohannan wrote:
> Trying to use the policy drop rule with the bridged firewall, when I
> removed the first line the transparent proxy works great? It seems a
> bit strange as from reading several articles on it I thought the
> following occurs.
> 1st line - if it doesn't match it gets dropped on the local filter input.
> 2nd line - redirects the traffic off the link layer into the network
> layer ready for line 3.
> 3rd line - redirects the port 80 to 8080 and then goes to the local
> process (squid) through the input filter
> 4th line - input filter accepts the traffic overriding the global
> reject policy.
>
> iptables -P INPUT DROP
> ebtables -t broute -A BROUTING -p IPv4 --ip-protocol 6 --ip-destination-port 80 -j redirect --redirect-target ACCEPT
> iptables -t nat -A PREROUTING -i br0 -p tcp --dport 80 -j REDIRECT --to-port 8080
> iptables -A INPUT -p tcp --dport 80 -m physdev --physdev-in eth1 --physdev-out eth0 -j ACCEPT
>
> Any help would be most welcome.
>
> Kind Regards
> William
>
> _______________________________________________
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

The 4th line should look for packets on dport 8080 instead of 80

-Jasbir
Thanks for the quick response Jasbir. Tried doing as you said with no luck, changed dport to port 8080 on the 4th line (see below). Same as before, if you remove line 1 the transparent proxy works.

iptables -P INPUT DROP
ebtables -t broute -A BROUTING -p IPv4 --ip-protocol 6 --ip-destination-port 80 -j redirect --redirect-target ACCEPT
iptables -t nat -A PREROUTING -i br0 -p tcp --dport 80 -j REDIRECT --to-port 8080
iptables -A INPUT -p tcp --dport 8080 -m physdev --physdev-in eth1 --physdev-out eth0 -j ACCEPT

Kind Regards
William

-----Original Message-----
From: Jasbir Khehra [mailto:jasbir.k@gmail.com]
Sent: 28 December 2006 18:37
To: William Bohannan
Cc: lartc@mailman.ds9a.nl
Subject: Re: [LARTC] filter policy drop and allow transparent proxy

William Bohannan wrote:
> Trying to use the policy drop rule with the bridged firewall, when I
> removed the first line the transparent proxy works great? It seems a
> bit strange as from reading several articles on it I thought the
> following occurs.
> 1st line - if it doesn't match it gets dropped on the local filter input.
> 2nd line - redirects the traffic off the link layer into the network
> layer ready for line 3.
> 3rd line - redirects the port 80 to 8080 and then goes to the local
> process (squid) through the input filter
> 4th line - input filter accepts the traffic overriding the global
> reject policy.
>
> iptables -P INPUT DROP
> ebtables -t broute -A BROUTING -p IPv4 --ip-protocol 6 --ip-destination-port 80 -j redirect --redirect-target ACCEPT
> iptables -t nat -A PREROUTING -i br0 -p tcp --dport 80 -j REDIRECT --to-port 8080
> iptables -A INPUT -p tcp --dport 80 -m physdev --physdev-in eth1 --physdev-out eth0 -j ACCEPT
>
> Any help would be most welcome.
>
> Kind Regards
> William

The 4th line should look for packets on dport 8080 instead of 80

-Jasbir
William Bohannan wrote:
> Thanks for the quick response Jasbir. Tried doing as you said with no
> luck, changed dport to port 8080 on the 4th line (see below). Same as
> before, if you remove line 1 the transparent proxy works.
>
> iptables -P INPUT DROP
> ebtables -t broute -A BROUTING -p IPv4 --ip-protocol 6 --ip-destination-port 80 -j redirect --redirect-target ACCEPT
> iptables -t nat -A PREROUTING -i br0 -p tcp --dport 80 -j REDIRECT --to-port 8080
> iptables -A INPUT -p tcp --dport 8080 -m physdev --physdev-in eth1 --physdev-out eth0 -j ACCEPT
>
> Kind Regards
>
> William

Need to do some debugging. Set default INPUT policy to ACCEPT and add various rules in the INPUT chain (without any target action) to verify which rules are matching. For example:

iptables -A INPUT -p tcp --dport 8080 -m physdev --physdev-in eth1 --physdev-out eth0
iptables -A INPUT -p tcp --dport 8080 -m physdev --physdev-in eth0 --physdev-out eth1
iptables -A INPUT -p tcp --dport 8080 -i br0

Then check out the output of:

iptables -nvL INPUT

HTH
Jasbir
Did exactly what you said and added the following lines to the code to make:

iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
echo "1" > /proc/sys/net/ipv4/ip_forward
iptables -P INPUT DROP
ebtables -t broute -A BROUTING -p IPv4 --ip-protocol 6 --ip-destination-port 80 -j redirect --redirect-target ACCEPT
iptables -t nat -A PREROUTING -i br0 -p tcp --dport 80 -j REDIRECT --to-port 8080
iptables -A INPUT -p tcp --dport 8080 -m physdev --physdev-in eth1 --physdev-out eth0 -j ACCEPT
iptables -A INPUT -p tcp --dport 8080 -m physdev --physdev-in eth0 --physdev-out eth1 -j ACCEPT

Still had no luck. The output you asked for:

server1:~# iptables -nvL INPUT
Chain INPUT (policy DROP 35 packets, 2223 bytes)
 pkts bytes target     prot opt in     out     source               destination
    2   146 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
  255 17920 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in eth0 multiport ports 81,82,3003
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in eth1 multiport ports 81,82,3003
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:8080 PHYSDEV match --physdev-in eth1 --physdev-out eth0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:8080 PHYSDEV match --physdev-in eth0 --physdev-out eth1

Kind Regards
William

-----Original Message-----
From: Jasbir Khehra [mailto:jasbir.k@gmail.com]
Sent: 29 December 2006 08:40
To: lartc@mailman.ds9a.nl
Cc: William Bohannan
Subject: Re: [LARTC] filter policy drop and allow transparent proxy

William Bohannan wrote:
> Thanks for the quick response Jasbir. Tried doing as you said with no
> luck, changed dport to port 8080 on the 4th line (see below). Same as
> before, if you remove line 1 the transparent proxy works.
>
> iptables -P INPUT DROP
> ebtables -t broute -A BROUTING -p IPv4 --ip-protocol 6 --ip-destination-port 80 -j redirect --redirect-target ACCEPT
> iptables -t nat -A PREROUTING -i br0 -p tcp --dport 80 -j REDIRECT --to-port 8080
> iptables -A INPUT -p tcp --dport 8080 -m physdev --physdev-in eth1 --physdev-out eth0 -j ACCEPT
>
> Kind Regards
>
> William

Need to do some debugging. Set default INPUT policy to ACCEPT and add various rules in the INPUT chain (without any target action) to verify which rules are matching. For example:

iptables -A INPUT -p tcp --dport 8080 -m physdev --physdev-in eth1 --physdev-out eth0
iptables -A INPUT -p tcp --dport 8080 -m physdev --physdev-in eth0 --physdev-out eth1
iptables -A INPUT -p tcp --dport 8080 -i br0

Then check out the output of:

iptables -nvL INPUT

HTH
Jasbir
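An added example, written for this edit and not part of the thread, of the check that Jasbir's counting-rule approach leads to: parse the output of `iptables -nvL INPUT`, report how many packets the DROP policy discarded, and list the rules whose packet counter is still zero. The sample listing is constructed in the layout of William's, with one invented extra row showing what a counting rule added without `-j` looks like (empty target column); its counts are made up. One caveat the parser also flags: physdev(8) defines --physdev-out as the bridge port a packet is about to be sent out through, which a packet handed to the local stack in INPUT does not have, so an INPUT rule carrying --physdev-out cannot match. The zero counters on the two dpt:8080 rules in the listing above are consistent with that.

```python
import re

# Constructed sample in the layout of `iptables -nvL INPUT`, modelled on the
# listing in the thread. The last row is invented: a counting rule added
# without -j, as suggested in the thread, prints an empty target column.
SAMPLE = """Chain INPUT (policy DROP 35 packets, 2223 bytes)
 pkts bytes target     prot opt in     out     source               destination
    2   146 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
  255 17920 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:8080 PHYSDEV match --physdev-in eth1 --physdev-out eth0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:8080 PHYSDEV match --physdev-in eth0 --physdev-out eth1
   12  7201            tcp  --  br0    *       0.0.0.0/0            0.0.0.0/0           tcp dpt:8080
"""

PROTOCOLS = {"all", "tcp", "udp", "udplite", "icmp", "esp", "ah", "sctp"}
HEADER_RE = re.compile(r"^Chain (\S+) \(policy (\S+) (\S+) packets, (\S+) bytes\)")
SUFFIX = {"K": 10 ** 3, "M": 10 ** 6, "G": 10 ** 9}


def to_count(tok):
    """Counters print as 17K, 2M, ... unless -x is given; -x prints them exactly."""
    if tok[-1] in SUFFIX:
        return int(float(tok[:-1]) * SUFFIX[tok[-1]])
    return int(tok)


def parse_chain(text):
    """Parse one built-in chain listing into its policy counters and rules."""
    lines = text.strip().splitlines()
    m = HEADER_RE.match(lines[0])
    if not m:
        raise ValueError("expected a built-in chain header, got %r" % lines[0])
    chain = {"name": m.group(1), "policy": m.group(2),
             "policy_pkts": to_count(m.group(3)),
             "policy_bytes": to_count(m.group(4)), "rules": []}
    for line in lines[2:]:                 # lines[1] is the column header
        tok = line.split()
        if len(tok) < 8:
            continue
        pkts, nbytes, rest = to_count(tok[0]), to_count(tok[1]), tok[2:]
        # A rule with no target leaves the column blank, so the next token is
        # already the protocol name (or number).
        target = "" if rest[0] in PROTOCOLS or rest[0].isdigit() else rest.pop(0)
        prot, opt, in_if, out_if, src, dst = rest[:6]
        chain["rules"].append({
            "pkts": pkts, "bytes": nbytes, "target": target, "prot": prot,
            "opt": opt, "in": in_if, "out": out_if, "src": src, "dst": dst,
            "match": " ".join(rest[6:]),   # the extension matches, as printed
        })
    return chain


def diagnose(chain):
    """Findings to look at first when a DROP policy is eating wanted traffic."""
    findings = []
    if chain["policy"] == "DROP" and chain["policy_pkts"] > 0:
        findings.append("policy DROP discarded %d packets; no rule accepted them"
                        % chain["policy_pkts"])
    for n, r in enumerate(chain["rules"], 1):
        if r["pkts"] == 0:
            findings.append("rule %d never matched: %s in=%s %s"
                            % (n, r["prot"], r["in"], r["match"]))
        # physdev(8): --physdev-out names the bridge port a packet is about
        # to be sent through; packets delivered locally (INPUT) have none.
        if chain["name"] == "INPUT" and "--physdev-out" in r["match"]:
            findings.append("rule %d uses --physdev-out in INPUT and cannot match "
                            "locally delivered packets" % n)
    return findings


if __name__ == "__main__":
    for finding in diagnose(parse_chain(SAMPLE)):
        print(finding)
```

On a live box, feed it `iptables -nvL INPUT` (or `-nvxL` for exact counters) instead of the constructed sample; a counting rule that shows hits while the ACCEPT rule above it shows none tells you which match expression, not the policy, is the problem.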