In the 2.6 kernel, there's an iptables module called physdev to match the bridge's physical in and out devices, so something like:

iptables -A FORWARD -m physdev -p tcp --dport 25 --physdev-in eth0 -j ACCEPT

to allow smtp traffic through.

Julian Lyndon-Smith wrote:
> I want to be able to install a box that is a transparent bridge, but
> that is also running a transparent proxy, but with a twist ..
>
> i am a newbie in all things linux, so bear with me :)
>
> So far I have managed to install centos 4.3, and following various
> guides on the net, created a bridge between eth1 (connected to lan) and
> eth0 (connected to router). That works great.
>
> I also managed to install squid, get it running transparently and added
> a rule to iptables to make all that work just fine. So now, all my
> clients attached to the lan run through the squid proxy without them
> knowing.
>
> Now, for the twist. For development and testing, I assigned an ip
> address and gateway to the bridge. I need to be able for a "non-it"
> person to install this box without having to set it up at all, so it
> cannot have an ip address assigned, as it *may* be in use somewhere else
> on the lan or router.
>
> So, I changed the ip address to 0.0.0.0. Everything except squid still
> worked. I presume that's because it does not know how to route the data
> to get stuff.
>
> Can I add a rule to iptables or something to say "anything that's come
> from eth1 into the local box, after processing send to eth0" and
> vice-versa ?
>
> Julian.
> _______________________________________________
> Bridge mailing list
> Bridge@lists.osdl.org
> https://lists.osdl.org/mailman/listinfo/bridge
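To show how the physdev match from the reply above fits together with the transparent-proxy redirect, here is an added example ruleset written for this thread; it is not code from any of the posters. It assumes the layout Julian describes (eth1 on the LAN side, eth0 on the router side, the bridge being br0) and a Squid listening on port 3128, all of which are assumptions. By default (DRY_RUN=1) it only prints the rules so they can be reviewed offline; set DRY_RUN=0 and run as root to apply them. Only HTTP that physically entered through the LAN port is handed to Squid, SMTP is bridged out towards the router, and new connections initiated from the router side into the LAN are refused.

```shell
#!/bin/sh
# Added example: netfilter rules for a transparent bridge with a local Squid,
# using the physdev match to tell the bridge's two physical ports apart.
# Assumed layout (not from the thread): eth1 = LAN, eth0 = router, br0 = bridge,
# Squid on 3128.  DRY_RUN=1 (default) prints the rules instead of applying them.
DRY_RUN="${DRY_RUN:-1}"
LAN_IF="${LAN_IF:-eth1}"
WAN_IF="${WAN_IF:-eth0}"
SQUID_PORT="${SQUID_PORT:-3128}"

# Print the rule in dry-run mode, otherwise hand it to iptables as-is.
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

build_rules() {
    # Transparent proxying: only HTTP that came in through the LAN port is
    # redirected to Squid.  REDIRECT rewrites the destination to the address of
    # the interface the packet arrived on (br0 here), so the bridge does need a
    # real IP address for this to work, which matches what Marek says below.
    ipt -t nat -A PREROUTING -m physdev --physdev-in "$LAN_IF" \
        -p tcp --dport 80 -j REDIRECT --to-ports "$SQUID_PORT"

    # Bridged traffic: replies to existing connections pass, SMTP may leave the
    # LAN towards the router, and the router side may not open new connections
    # into the LAN.  Anything else still falls through to the FORWARD policy,
    # which should be tightened once the ruleset is known to be complete.
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -m physdev --physdev-in "$LAN_IF" --physdev-out "$WAN_IF" \
        -p tcp --dport 25 -j ACCEPT
    ipt -A FORWARD -m physdev --physdev-in "$WAN_IF" --physdev-out "$LAN_IF" \
        -m state --state NEW -j DROP
}

# Sanity check for the dry run: how many rules key on a given physical in-port.
rules_for_port() {
    build_rules | grep -c -- "--physdev-in $1"
}

build_rules
```

Running the script as-is prints four iptables commands; the two that mention --physdev-in eth1 are the Squid redirect and the SMTP rule, and the only rule keyed on --physdev-in eth0 is the DROP for new inbound connections.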
> Now, for the twist. For development and testing, I assigned an ip
> address and gateway to the bridge. I need to be able for a "non-it"
> person to install this box without having to set it up at all, so it
> cannot have an ip address assigned, as it *may* be in use somewhere
> else on the lan or router.

One sure and elegant solution is using dhcpcd for bridge addressing. Unfortunately this requires a DHCP server on the net. DHCP would also ensure IP clashes are avoided. Look at http://www.isc.org/index.pl?/sw/dhcp/.

> So, I changed the ip address to 0.0.0.0. Everything except squid
> still worked. I presume that's because it does not know how to route
> the data to get stuff.

I don't think you could make squid work without an IP address assigned.

> Can I add a rule to iptables or something to say "anything that's
> come from eth1 into the local box, after processing send to eth0" and
> vice-versa ?

Squid needs DNS access and needs to know where to direct its requests.

regards,
--
Marek Kierdelewicz
Manager of Network Systems Department, KoBa
tel. (85) 7406466; fax. (85) 7406467
e-mail: admin@koba.pl
I want to be able to install a box that is a transparent bridge, but that is also running a transparent proxy, but with a twist ..

i am a newbie in all things linux, so bear with me :)

So far I have managed to install centos 4.3, and following various guides on the net, created a bridge between eth1 (connected to lan) and eth0 (connected to router). That works great.

I also managed to install squid, get it running transparently and added a rule to iptables to make all that work just fine. So now, all my clients attached to the lan run through the squid proxy without them knowing.

Now, for the twist. For development and testing, I assigned an ip address and gateway to the bridge. I need to be able for a "non-it" person to install this box without having to set it up at all, so it cannot have an ip address assigned, as it *may* be in use somewhere else on the lan or router.

So, I changed the ip address to 0.0.0.0. Everything except squid still worked. I presume that's because it does not know how to route the data to get stuff.

Can I add a rule to iptables or something to say "anything that's come from eth1 into the local box, after processing send to eth0" and vice-versa ?

Julian.
Julian,

I did not understand what you meant by this paragraph:

"Now, for the twist. For development and testing, I assigned an ip address and gateway to the bridge. I need to be able for a "non-it" person to install this box without having to set it up at all, so it cannot have an ip address assigned, as it *may* be in use somewhere else on the lan or router."

Did your bridge + transparent proxy work without you adding an IP [and route] to the bridge interface? I mean, before the "twist".

Skept
>>>>> "JL-S" == Julian Lyndon-Smith <asterisk@dotr.com> writes:

JL-S> So, I changed the ip address to 0.0.0.0. Everything except squid
JL-S> still worked. I presume that's because it does not know how to
JL-S> route the data to get stuff.

JL-S> Can I add a rule to iptables or something to say "anything
JL-S> that's come from eth1 into the local box, after processing send
JL-S> to eth0" and vice-versa ?

How about using 127.0.0.1 or something else on the local subnet? iptables should be able to redirect to that.

I don't know how you'll get traffic from squid out of the box though. If you know a way to make squid reuse the original client's address in the outgoing connection, I'm all ears.

/Benny