Hi Robin,

If you forgive a question from a list newbie, is there a reason you need to bridge?

Just looking at the tables, it would be counter-intuitive for layer 3 names (pre/post routing) to do anything if the network interfaces are forwarding based on layer 2.

Regards,
Chris.

On 14/10/2009, Robin Wood <[email protected]> wrote:
> 2009/10/7 Will Metcalf <[email protected]>:
>> iptables should work fine for this, I'm doing exactly what you are
>> trying to accomplish in multiple places.
>>
>> try these rules... where eth0 should be replaced with the interface
>> that your port 80 traffic comes in on..
>>
>> #redirect web traffic to proxy
>> iptables -t nat -A PREROUTING -m physdev --physdev-in eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
>>
>> #accept the redirected traffic
>> iptables -A INPUT -p tcp --dport 3128 -j ACCEPT
>> iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
>>
>> #allow all other traffic to move across the bridge
>> iptables -A FORWARD -j ACCEPT
>>
>
> I've finally found some time to get back to this. After messing around
> to get physdev working on openwrt I set up rules similar to the above,
> but just to test it I went for DROPing the traffic rather than trying
> to redirect. Unfortunately it doesn't work. The rules I have in place
> are
>
> # iptables -L -t nat -v
> Chain PREROUTING (policy ACCEPT 92 packets, 5978 bytes)
>  pkts bytes target prot opt in  out source   destination
>     0     0 DROP   tcp  --  any any anywhere anywhere  PHYSDEV match --physdev-in br-lan tcp dpt:80
>     0     0 DROP   tcp  --  any any anywhere anywhere  PHYSDEV match --physdev-in eth0.1 tcp dpt:80
>     0     0 DROP   tcp  --  any any anywhere anywhere  PHYSDEV match --physdev-in eth0.0 tcp dpt:80
>
> None of them are picking up any web traffic.
>
> I've found if I create this rule then the device itself can't access
> any web traffic but web traffic can still travel over the bridge
>
> # iptables -t nat -A POSTROUTING -p tcp --dport 80 -j DROP
>
> Doing the same thing on PREROUTING doesn't work
>
> # iptables -t nat -A PREROUTING -p tcp --dport 80 -j DROP
>
> I'm now going to move over to trying the various techniques suggested
> with ebtables but if you can suggest anything else to try with this
> please let me know.
>
> Robin
> _______________________________________________
> Pauldotcom mailing list
> [email protected]
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com

--
Chris Mewett
[email protected]
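Added example, not code from the thread or from any of its posters: a small POSIX shell script that packages Will's transparent-proxy ruleset as a function and puts in front of it the check a practitioner would run first on a bridging box. Whether frames crossing a Linux bridge are handed to the iptables PREROUTING/FORWARD chains at all is governed by the br_netfilter knob `net.bridge.bridge-nf-call-iptables` (`/proc/sys/net/bridge/bridge-nf-call-iptables`), which the thread never mentions; when it reads 0, or the file is absent because the module is not loaded, nat PREROUTING rules never see bridged traffic. That is consistent with the zero packet counters Robin posted, but it is offered here as a thing to check, not as a diagnosis of his setup. The sysctl path, bridge port name and proxy port are parameters so the functions can be exercised without root or a real bridge; `proxy_rules` prints the commands rather than running them.

```shell
#!/bin/sh
# Added example (not from the thread). Check whether bridged IPv4 traffic
# reaches iptables at all, then emit the thread's proxy-redirect ruleset
# for a given bridge port. Nothing here modifies the firewall.

# br_netfilter knob that decides whether frames crossing a Linux bridge
# traverse the iptables chains. Overridable so the check can be tested
# against an ordinary file.
BRIDGE_NF_SYSCTL="${BRIDGE_NF_SYSCTL:-/proc/sys/net/bridge/bridge-nf-call-iptables}"

# bridge_nf_enabled [FILE]
# Exit 0 when the knob reads "1"; exit 1 when it reads anything else or
# the file is missing (module not loaded), so callers can branch on it.
bridge_nf_enabled() {
    f="${1:-$BRIDGE_NF_SYSCTL}"
    [ -r "$f" ] || return 1
    [ "$(cat "$f" 2>/dev/null)" = "1" ]
}

# proxy_rules PORT_IF [PROXY_PORT]
# Print the rules from the thread for TCP/80 arriving on bridge port
# PORT_IF, redirected to the local proxy port (3128 unless given).
proxy_rules() {
    port_if="$1"
    proxy_port="${2:-3128}"
    cat <<EOF
iptables -t nat -A PREROUTING -m physdev --physdev-in $port_if -p tcp --dport 80 -j REDIRECT --to-port $proxy_port
iptables -A INPUT -p tcp --dport $proxy_port -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -j ACCEPT
EOF
}

# Usage: ./bridge_proxy_check.sh [PORT_IF]  (PORT_IF defaults to eth0, as
# in Will's post). Reports the knob state, then prints the ruleset so it
# can be reviewed before anyone pipes it into a root shell.
main() {
    if bridge_nf_enabled; then
        echo "bridge-nf-call-iptables=1: bridged frames will traverse PREROUTING"
    else
        echo "bridge-nf-call-iptables is 0 or br_netfilter is not loaded:" >&2
        echo "iptables will not see bridged frames; PREROUTING counters stay at 0" >&2
    fi
    proxy_rules "${1:-eth0}"
}

main "$@"
```

If the check reports 0, the same rules still match the box's own traffic (which is why Robin's POSTROUTING DROP stopped the device but not the bridged hosts), so the counters on the physdev rules are a quicker tell than reading the ruleset.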
