On Wed, Oct 7, 2009 at 3:18 AM, Robin Wood <[email protected]> wrote:
> I'm trying to setup a transparent proxy so I've got a linux device
> with two NICs which are bridged using brctl. Traffic flows happily
> across the bridge so I know it is working fine.
>
> Now when I try to setup the iptables rules they are being ignored. The
> rule I want to use is:
>
> iptables -t nat -A PREROUTING -i br-lan -p tcp --dport 80 -j REDIRECT --to-port 3128

Hmmm I would suggest you use --physdev-in here instead of -i....

iptables -t nat -A PREROUTING -m physdev --physdev-in eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128

> but nothing gets redirected. I've also tried changing 3128 to a port
> that is closed to see what would happen, nothing, the packets kept
> flowing.

Have you allowed this traffic to your local host via input i.e.

iptables -A INPUT -m state --state NEW -p tcp --dport 3128 -j ACCEPT

This assumes somewhere in your input chain you have something like......
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

> I've also tried clearing the list and then adding
>
> iptables -t nat -A PREROUTING -i br-lan -p tcp --dport 80 -j DROP
>
> which should kill all web traffic but it doesn't. As a last resort I tried
>
> iptables -t nat -A PREROUTING -i br-lan -p tcp -j DROP
>
> which should kill all TCP traffic but again, nothing.
>
> What am I doing wrong?
>

Traffic moving across the bridge moves across the forward chain,
additionally if you want to filter traffic based on a physical
interface you have to use physdev so something like...

iptables -A FORWARD -p tcp --dport 80 -m physdev --physdev-in eth1 --physdev-out eth0 -j DROP


> Robin
> _______________________________________________
> Pauldotcom mailing list
> [email protected]
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com
>
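Added example, not part of the thread above: a small shell script that packages the rules from this reply (physdev match on the physical port, REDIRECT in nat/PREROUTING, the INPUT accept for the proxy port, and the FORWARD DROP) with a dry-run mode, so the generated ruleset can be inspected before it touches a host, plus a check that no rule still keys on the bridge device with -i, which is the form from the question that never matched. The interface names eth0/eth1/br-lan and port 3128 come from the thread; the DRY_RUN/apply convention, the function names and the net.bridge.bridge-nf-call-iptables sysctl (a kernel setting the thread does not mention, which has to be 1 before bridged frames are handed to iptables at all) are assumptions added here.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: wraps the rules from
# the reply into functions with a dry-run mode. Interface names and the
# DRY_RUN/apply convention are assumptions for this script.
set -eu

BR="${BR:-br-lan}"        # bridge device from the question
LAN_IF="${LAN_IF:-eth1}"  # physical port clients arrive on (physdev-in)
WAN_IF="${WAN_IF:-eth0}"  # physical port towards upstream (physdev-out)
PROXY_PORT="${PROXY_PORT:-3128}"

# run_rule: print the command when DRY_RUN=1, otherwise execute it.
run_rule() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Not mentioned in the thread: bridged frames only reach iptables when
# this sysctl is 1 (br_netfilter module on newer kernels). If it is 0,
# every rule below is silently bypassed.
enable_bridge_netfilter() {
    run_rule sysctl -w net.bridge.bridge-nf-call-iptables=1
}

# Rules from the reply: match the physical port with physdev, redirect
# port 80 in nat/PREROUTING, and let the redirected connections into INPUT.
proxy_rules() {
    run_rule iptables -t nat -A PREROUTING -m physdev --physdev-in "$LAN_IF" \
        -p tcp --dport 80 -j REDIRECT --to-port "$PROXY_PORT"
    run_rule iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    run_rule iptables -A INPUT -m state --state NEW -p tcp --dport "$PROXY_PORT" -j ACCEPT
}

# Bridged traffic is filtered in FORWARD, again keyed on physical ports.
block_web_rule() {
    run_rule iptables -A FORWARD -p tcp --dport 80 -m physdev \
        --physdev-in "$LAN_IF" --physdev-out "$WAN_IF" -j DROP
}

# Sanity check: count generated rules that still key on "-i <bridge>",
# the form from the question that the bridge does not match. Prints 0
# when the ruleset is clean.
count_bridge_i_rules() {
    ( DRY_RUN=1; proxy_rules; block_web_rule ) | grep -c -- "-i $BR" || true
}

# Usage: DRY_RUN=1 sh bridge-proxy.sh apply   # print the ruleset
#        sh bridge-proxy.sh apply             # apply it (as root)
if [ "${1:-}" = "apply" ]; then
    enable_bridge_netfilter
    proxy_rules
    block_web_rule
fi
```

Run it once with DRY_RUN=1 to read the exact commands it would issue, then without, as root, to apply them; the RELATED,ESTABLISHED rule is included so the script does not depend on an existing INPUT policy.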