Hello Dimitris Zilaskos,
Thursday, December 12, 2002, 2:12:28, you wrote:
I have the same patches.

                /(bridge0)\
[mybox]---(dmz1)[mybridge](outside)---[L2 switch]---[proxy]

212.35.160.29 - proxy
212.35.160.186 - my box
[bridge] has the dmz1 and outside interfaces enslaved to bridge0

~ # iptables -t nat -A PREROUTING -p tcp -s 212.35.160.186 -d !212.35.160.0/24 --dport 80 -j DNAT --to-destination  212.35.160.29:3128
~ # iptables -t nat -vL
Chain PREROUTING (policy ACCEPT 22587 packets, 2783K bytes)
 pkts bytes target     prot opt in     out     source               destination
    8   384 DNAT       tcp  --  dmz1   any     212.35.160.186      !212.35.160.0/24    tcp dpt:http to:212.35.160.29:3128

Here are the tcpdump logs from [mybridge]:

~ # tcpdump -i dmz1 host 212.35.160.186
09:26:21.721223 212.35.160.186.1330 > 212.35.160.18.53:  8+[|domain]
09:26:22.451957 212.35.160.18.53 > 212.35.160.186.1330:  8*[|domain]
09:26:22.453634 212.35.160.186.1331 > 216.239.39.101.80: S 919500819:919500819(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
09:26:25.628275 212.35.160.186.1331 > 216.239.39.101.80: S 919500819:919500819(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)

~ # tcpdump -n -i bridge0 host 212.35.160.186
tcpdump: listening on bridge0
09:27:19.467725 212.35.160.186.1333 > 212.35.160.29.3128: S 932587163:932587163(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
09:27:22.719368 212.35.160.186.1333 > 212.35.160.29.3128: S 932587163:932587163(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)

!!! You can see here that iptables DNAT is working.

~ # tcpdump -n -i outside host 212.35.160.186
Nothing :) And this is correct.

You can see that iptables DNAT is working.

DZ> tcpdump on squid box shows no packets arriving.
DZ>   I don't know what I am missing here, but if it works ok for you, and
DZ> since it used to work for me, it must be something silly I can't spot now

If you are using a bridge without an IP on your box,
how will your bridge know
where to route the DNAT'ed packets (to the proxy)?
At minimum - the MAC address of the proxy/default_router?

Also, do not forget - http and http_proxy requests are a bit different ;)
It depends on our proxy configuration.

-- 
Best regards,
Nick Fedchik FNM3-RIPE  mailto:[EMAIL PROTECTED]
Internet Dept/UkrSat ISP

_______________________________________________
Bridge mailing list
[EMAIL PROTECTED]
http://www.math.leidenuniv.nl/mailman/listinfo/bridge
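
Added example, not part of the original mail: the remark that http and http_proxy requests differ, shown on two constructed requests. A browser redirected by DNAT sends an origin-form request line (path only), a browser configured for a proxy sends an absolute URL, so an intercepting proxy has to rebuild the URL from the Host header. The function names and sample requests are assumptions made for this illustration.

```python
from urllib.parse import urlsplit

# Constructed sample requests (not captured traffic).
DIRECT = b"GET /index.html HTTP/1.0\r\nHost: www.example.com\r\n\r\n"
PROXY = b"GET http://www.example.com/index.html HTTP/1.0\r\n\r\n"
NO_HOST = b"GET /index.html HTTP/1.0\r\n\r\n"


def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request head into (method, target, headers)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def request_form(target: str) -> str:
    """'origin' = what a DNAT'ed client sends, 'absolute' = proxy-aware client."""
    if target.startswith("/"):
        return "origin"
    parts = urlsplit(target)
    return "absolute" if parts.scheme and parts.netloc else "other"


def effective_url(raw: bytes):
    """URL the proxy must fetch, or None when it cannot be determined.

    After DNAT the packet's destination is the proxy itself, so for an
    origin-form request the Host header is the only place the intended
    server appears. That header is client-supplied, so a proxy that
    applies access rules should evaluate them on the rebuilt URL.
    """
    _method, target, headers = parse_request(raw)
    form = request_form(target)
    if form == "absolute":
        return target
    if form == "origin" and headers.get("host"):
        return "http://" + headers["host"] + target
    return None


if __name__ == "__main__":
    for name, raw in (("direct", DIRECT), ("proxy", PROXY), ("no-host", NO_HOST)):
        print(name, request_form(parse_request(raw)[1]), effective_url(raw))
```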
