> -----Original Message-----
> From: S Mohan [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, 23 January 2003 11:28
> To: Lewis Shobbrook
> Subject: RE: [Bridge] Re: Bridging Firewall/Proxy (Network Administrator)
>
>
> I tried using iptables on a bridge. It only worked on the FORWARD
> table/chain with INPUT and OUTPUT ignored on the bridged interfaces.
> Is this the problem here? Should you switch the rules to the FORWARD
> table?
>
> Mohan
Generally iptables rules only need to be applied through the FORWARD chain on a bridge, as all traffic is passing through it. When you have assigned an IP to the bridge and have services running from it, then you also need to apply rules to the INPUT and OUTPUT chains. The greatest benefit of having a bridge with services is that you can plug it into any section of the network you wish without needing to alter the subnet structure (e.g. firewall, mail filter, proxy etc.).

Lewis

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Lewis Shobbrook
> Sent: Thursday, January 23, 2003 4:31 AM
> To: [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]
> Subject: [Bridge] Re: Bridging Firewall/Proxy (Network Administrator)
>
>
> Hi Brett,
>
> Not sure if you received a response to this yet. The bridge mail was
> delayed over the break for some reason. If you haven't been able to
> get it up and running yet, there are a couple of things that you might
> want to check. As the return requests are coming back to the proxy
> server you'll also need to allow port 80 out for the proxy & access to
> the INPUT chain for established connections returning from port 80 &
> then from the proxy to the client. You'll also need to be sure that
> the proxy box has firewall access to a name server for resolution and,
> needless to say, an IP assigned to the bridge.
>
> iptables -A OUTPUT -o eth1 -p tcp -s bridgeproxyIP --dport 80 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
> iptables -A INPUT -i eth1 -p tcp -d bridgeproxyIP --sport 80 -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A OUTPUT -o eth0 -p tcp -d xxx.xxx.xxx.xxx/24 -s bridgeproxyIP --sport 3128 -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> --- assuming eth1 is your internet interface, eth0 your internal LAN &
> xxx.xxx.xxx.xxx/24 is your subnet range with a 24 bit mask. ---
>
> That should do the trick...
> I think ???
>
> Lewis Shobbrook
> FastTrack Pty. Ltd.
> Phone: +61 3 9866 8700
> Fax: +61 3 9820 0276
>
> > Reply-To: "Network Administrator" <[EMAIL PROTECTED]>
> > From: "Network Administrator" <[EMAIL PROTECTED]>
> > To: <[EMAIL PROTECTED]>
> > Date: Thu, 19 Dec 2002 12:24:15 -0500
> > Organization: WireFire Internet Services
> > Subject: [Bridge] Bridging Firewall/Proxy
> >
> > I couldn't find a clear answer to this one in the list....
> >
> > I am attempting to create a transparent squid proxy. I have the
> > bridge all set up, iptables works fine. The problem I have run into
> > is that when I try to redirect port 80 to port 3128 nothing ever
> > comes back to me.
> >
> > Here is my setup:
> >
> > eth0--------eth1 ( this is the bridge "br0" )
> > eth2 (public ip address for squid to use)
> >
> > I am connected to eth0, eth1 & eth2 go to the LAN.
> >
> > I tried the following iptables rules, which I got from
> > "Transparent Proxy with Linux and Squid mini-HOWTO"
> >
> > iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
> > iptables -A INPUT -i eth0 -p tcp --dport 3128 -m state --state NEW,ESTABLISHED -j ACCEPT
> >
> > Any Ideas?
> >
> > Thanks,
> > Brett Carroll
> > Network Administrator
> > WireFire Internet Service
> > [EMAIL PROTECTED]
>
> _______________________________________________
> Bridge mailing list
> [EMAIL PROTECTED]
> http://www.math.leidenuniv.nl/mailman/listinfo/bridge
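The thread above boils down to one ruleset: a FORWARD policy for the frames the bridge merely carries (Mohan's observation), plus INPUT/OUTPUT rules once the bridge has an address and runs Squid (Lewis's reply), plus the transparent REDIRECT from Brett's post. The script below is an added example, not code from any of the posters, that generates that complete ruleset in one place. It assumes bridge-nf is active (the br_netfilter module with net.bridge.bridge-nf-call-iptables=1 on current kernels, a kernel patch in 2003), which is what makes bridged frames traverse iptables at all and which also changes what `-i` means: for a bridged frame the logical interface iptables sees is br0, and the physical port is only reachable through `-m physdev`. The REDIRECT target sends a packet to the primary address of the interface it arrived on, which is why Lewis's "needless to say an IP assigned to the bridge" matters: the address Squid listens on has to be on br0. The interface names, the 192.0.2.0/24 addresses and the DNS server are assumptions for the example; the helpers `build_rules` and `rule_count` are likewise mine. By default the script only echoes the iptables commands so it can be reviewed offline; run it as root with `IPT=iptables` to apply them.

```shell
#!/bin/sh
# Ruleset generator for a bridging transparent Squid proxy.
# Added example, not from the list thread. Every interface name,
# address and port below is an assumption: adjust to your network.
#
# Assumes bridge-nf (br_netfilter) is active, so bridged frames pass
# through iptables, -i/-o match the bridge (br0) and the physical
# port is matched with -m physdev.
#
# Default IPT="echo iptables" prints the rules instead of applying
# them; set IPT=iptables and run as root to load them for real.

LAN_IF=${LAN_IF:-eth0}            # physical port toward the clients
WAN_IF=${WAN_IF:-eth1}            # physical port toward the Internet
BR_IF=${BR_IF:-br0}               # the bridge; it owns BR_IP
BR_IP=${BR_IP:-192.0.2.10}        # assumed proxy address (documentation range)
LAN_NET=${LAN_NET:-192.0.2.0/24}  # assumed client subnet
SQUID_PORT=${SQUID_PORT:-3128}
DNS_SERVER=${DNS_SERVER:-192.0.2.1}
IPT=${IPT:-"echo iptables"}

build_rules() {
    # Start clean, default deny for everything to, from and through the box.
    $IPT -F
    $IPT -t nat -F
    $IPT -P INPUT DROP
    $IPT -P OUTPUT DROP
    $IPT -P FORWARD DROP
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT

    # 1. Bridged LAN <-> Internet traffic only ever hits FORWARD, so the
    #    policy for the bridged network lives there. Interface matches on
    #    bridged frames use the physical ports via physdev.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m physdev --physdev-in "$LAN_IF" --physdev-out "$WAN_IF" \
        -m state --state NEW -j ACCEPT

    # 2. Transparent redirect: client HTTP arriving on the LAN port is
    #    diverted to Squid on the bridge's own address. -i must name the
    #    bridge; the port comes from physdev. Squid's own fetches originate
    #    from BR_IP and are excluded so they are not looped back into Squid.
    $IPT -t nat -A PREROUTING -i "$BR_IF" -m physdev --physdev-in "$LAN_IF" \
        -p tcp ! -s "$BR_IP" --dport 80 -j REDIRECT --to-port "$SQUID_PORT"

    # 3. With an address on the bridge the box is now an endpoint, so
    #    INPUT and OUTPUT matter too: redirected client connections in ...
    $IPT -A INPUT -i "$BR_IF" -p tcp -s "$LAN_NET" -d "$BR_IP" --dport "$SQUID_PORT" \
        -m state --state NEW,ESTABLISHED -j ACCEPT
    #    ... Squid's replies back to the clients ...
    $IPT -A OUTPUT -o "$BR_IF" -p tcp -s "$BR_IP" --sport "$SQUID_PORT" -d "$LAN_NET" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
    #    ... Squid fetching from origin servers, and their replies ...
    $IPT -A OUTPUT -o "$BR_IF" -p tcp -s "$BR_IP" --dport 80 \
        -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i "$BR_IF" -p tcp -d "$BR_IP" --sport 80 \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
    #    ... and name resolution, without which Squid cannot fetch anything.
    $IPT -A OUTPUT -o "$BR_IF" -p udp -s "$BR_IP" -d "$DNS_SERVER" --dport 53 \
        -m state --state NEW,ESTABLISHED -j ACCEPT
    $IPT -A INPUT -i "$BR_IF" -p udp -s "$DNS_SERVER" --sport 53 -d "$BR_IP" \
        -m state --state ESTABLISHED -j ACCEPT
}

# Number of iptables commands the generator emits (dry-run sanity check).
rule_count() {
    build_rules | grep -c '^iptables '
}

build_rules
```

Two things to check after loading this for real: `cat /proc/sys/net/bridge/bridge-nf-call-iptables` must read 1, or the FORWARD and PREROUTING rules never see a bridged frame; and `iptables -t nat -L PREROUTING -v` should show the REDIRECT counter climbing while a client browses. If the counter stays at zero, the frame is not reaching iptables at all; if it climbs but nothing comes back, the address Squid binds to is not the one on br0.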
