2009/10/7 Will Metcalf <[email protected]>:
> On Wed, Oct 7, 2009 at 3:18 AM, Robin Wood <[email protected]> wrote:
>> I'm trying to setup a transparent proxy so I've got a linux device
>> with two NICs which are bridged using brctl. Traffic flows happily
>> across the bridge so I know it is working fine.
>>
>> Now when I try to setup the iptables rules they are being ignored. The
>> rule I want to use is:
>>
>> iptables -t nat -A PREROUTING -i br-lan -p tcp --dport 80 -j REDIRECT
>> --to-port 3128
>
> Hmmm I would suggest you use --physdev-in here instead of -i....
> iptables -t nat -A PREROUTING -m physdev --physdev-in eth1 -p tcp
> --dport 80 -j REDIRECT --to-port 3128
I've tried it without the -i as well if that makes a difference. I'll
try with this physdev next time.

>> but nothing gets redirected. I've also tried changing 3128 to a port
>> that is closed to see what would happen, nothing, the packets kept
>> flowing.
>
> Have you allowed this traffic to your local host via input i.e.
>
> iptables -A INPUT -m state --state NEW -p tcp --dport 3128 -j ACCEPT
>
> This assumes somewhere in your input chain you have something like......
> iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
>

No, but if the rule was working the DROP would discard all traffic and
it doesn't, which implies the theory is wrong.

>> I've also tried clearing the list and then adding
>>
>> iptables -t nat -A PREROUTING -i br-lan -p tcp --dport 80 -j DROP
>>
>> which should kill all web traffic but it doesn't. As a last resort I tried
>>
>> iptables -t nat -A PREROUTING -i br-lan -p tcp -j DROP
>>
>> which should kill all TCP traffic but again, nothing.
>>
>> What am I doing wrong?
>>
>
> Traffic moving across the bridge moves across the forward chain,
> additionally if you want to filter traffic based on a physical
> interface you have to use physdev so something like...
>
> iptables -A FORWARD -p tcp --dport 80 -m physdev --physdev-in eth1
> --physdev-out eth0 -j DROP
>

What is this doing? It looks like a mix of routing port 80 from eth1 to
eth0 but then also dropping the traffic.

Robin
_______________________________________________
Pauldotcom mailing list
[email protected]
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
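The following is an added example, not code posted by either participant in the thread above. It pulls the pieces of the discussion into one reviewable rule set for a transparent proxy on a Linux bridge. Two points it relies on are facts about the kernel rather than anything stated in the thread: bridged frames are only passed through iptables at all when the sysctl net.bridge.bridge-nf-call-iptables is 1 (it is provided by the bridge / br_netfilter module), and when it is on, iptables sees the bridge itself (br-lan) as the in-interface, so "-i br-lan" does match and "-m physdev --physdev-in eth1" is the way to narrow a rule to one bridge port. REDIRECT also needs the bridge interface to carry an IP address, because that is the address the proxy connection is rewritten to. Interface names (br-lan, eth1 as the client side, eth0 as the upstream side) and the proxy port 3128 are assumptions taken from the thread; the script prints the commands unless APPLY=1 is set, so it can be reviewed on a box without root.

```shell
#!/bin/sh
# Added example: transparent-proxy iptables rules for a bridged Linux host.
# Assumed layout (not from the thread): bridge br-lan, client-side port eth1,
# upstream port eth0, proxy listening on TCP 3128 on the bridge host.
# Nothing is applied unless APPLY=1; by default the rules are only printed.

BRIDGE=${BRIDGE:-br-lan}
CLIENT_IF=${CLIENT_IF:-eth1}
UPSTREAM_IF=${UPSTREAM_IF:-eth0}
PROXY_PORT=${PROXY_PORT:-3128}

# Returns success only if bridged frames are already being handed to iptables.
# With this sysctl at 0 every rule below is skipped for bridged traffic, in
# PREROUTING and FORWARD alike, whichever interface match is used.
bridge_nf_enabled() {
    [ "$(cat /proc/sys/net/bridge/bridge-nf-call-iptables 2>/dev/null)" = "1" ]
}

# Emits the rule set one command per line, so it can be read or piped to sh.
rule_list() {
    cat <<EOF
sysctl -w net.bridge.bridge-nf-call-iptables=1
iptables -t nat -A PREROUTING -m physdev --physdev-in $CLIENT_IF -p tcp --dport 80 -j REDIRECT --to-ports $PROXY_PORT
iptables -A INPUT -i $BRIDGE -p tcp --dport $PROXY_PORT -m state --state NEW -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -m physdev --physdev-in $CLIENT_IF --physdev-out $UPSTREAM_IF -p tcp --dport 80 -j DROP
EOF
}
# Line 2: redirect client HTTP to the local proxy. After REDIRECT the packet is
#         addressed to the bridge host, so it goes to INPUT, not FORWARD.
# Lines 3-4: let the redirected connections reach the proxy and let replies out.
# Line 5: any port-80 flow that still crosses the bridge was not redirected
#         (for example nat was flushed); drop it rather than let it bypass the
#         proxy. It never matches the redirected flows, which left FORWARD.

apply_rules() {
    if [ "${APPLY:-0}" = "1" ]; then
        rule_list | sh -e
    else
        rule_list
    fi
}

if bridge_nf_enabled; then
    echo "# bridge-nf-call-iptables is already 1 on this host"
else
    echo "# bridge-nf-call-iptables is not 1 (or not present); rule 1 enables it"
fi
apply_rules
```

Run it once without APPLY to read the generated commands, then with APPLY=1 as root on the bridge host. If the PREROUTING rule still shows zero packets in "iptables -t nat -L PREROUTING -v", check the sysctl first; that is the condition under which a DROP in PREROUTING appears to do nothing to bridged traffic.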
