Hi Robin,

If you forgive a question from a list newbie, is there a reason you
need to bridge?

Just looking at the tables, it would be counter-intuitive for layer3
names (pre/post routing) to do anything if the network interfaces are
forwarding based on layer2.

Regards,
Chris.



On 14/10/2009, Robin Wood <[email protected]> wrote:
> 2009/10/7 Will Metcalf <[email protected]>:
>> iptables should work fine for this, I'm doing exactly what you are
>> trying to accomplish in multiple places.
>>
>> try these rules... where eth0 should be replaced with the interface
>> that your port 80 traffic comes in on..
>>
>> #redirect web traffic to proxy
>> iptables -t nat -A PREROUTING -m physdev --physdev-in eth0 -p tcp
>> --dport 80 -j REDIRECT --to-port 3128
>>
>> #accept the redirected traffic
>> iptables -A INPUT -p tcp --dport 3128 -j ACCEPT
>> iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
>>
>> #allow all other traffic to move across the bridge
>> iptables -A FORWARD -j ACCEPT
>>
>
> I've finally found some time to get back to this. After messing around
> to get physdev working on openwrt I set up rules similar to the above
> but just to test it I went from DROPing the traffic rather than trying
> to redirect. Unfortunately it doesn't work. The rules I have in place
> are
>
> # iptables -L -t nat -v
> Chain PREROUTING (policy ACCEPT 92 packets, 5978 bytes)
>  pkts bytes target     prot opt in     out     source
> destination
>     0     0 DROP       tcp  --  any    any     anywhere
> anywhere            PHYSDEV match --physdev-in br-lan tcp dpt:80
>     0     0 DROP       tcp  --  any    any     anywhere
> anywhere            PHYSDEV match --physdev-in eth0.1 tcp dpt:80
>     0     0 DROP       tcp  --  any    any     anywhere
> anywhere            PHYSDEV match --physdev-in eth0.0 tcp dpt:80
>
> None of them are picking up any web traffic.
>
> I've found if I create this rule then the device itself can't access
> any web traffic but web traffic can still travel over the bridge
>
> # iptables -t nat -A POSTROUTING  -p tcp --dport 80 -j DROP
>
> Doing the same thing on PREROUTING doesn't work
>
> # iptables -t nat -A PREROUTING  -p tcp --dport 80 -j DROP
>
> I'm now going to move over to trying the various techniques suggested
> with ebtables but if you can suggest anything else to try with this
> please let me know.
>
> Robin
> _______________________________________________
> Pauldotcom mailing list
> [email protected]
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com
>


-- 
Chris Mewett
[email protected]
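Two added diagnostic helpers for the problem the thread is chasing (these are not from the original mails): on Linux, frames forwarded by a bridge only traverse the nat and filter tables when net.bridge.bridge-nf-call-iptables is 1, which is the usual reason physdev rules in nat PREROUTING sit at zero packets, and a zero-counter scan of the listing shows which rules have never matched. The sysctl path and the unwrapped listing layout are assumptions, and the sample table is constructed from Robin's output.

```sh
#!/bin/sh
# Added diagnostic helpers (not from the thread). Assumptions: the sysctl
# path below, and that the counter table is in the unwrapped layout that
# "iptables -L -t nat -v" prints (the thread's copy was wrapped by email).

# Bridged frames are only handed to the nat/filter tables when
# net.bridge.bridge-nf-call-iptables is 1 (bridge netfilter present). With
# it off or absent, physdev rules in nat PREROUTING can never match, which
# is the first thing to check when their counters stay at zero.
bridge_nf_enabled() {
    f="${1:-/proc/sys/net/bridge/bridge-nf-call-iptables}"
    if [ ! -r "$f" ]; then
        echo "no bridge-nf sysctl: bridge netfilter code not loaded"
        return 2
    fi
    if [ "$(cat "$f")" = "1" ]; then
        echo "bridged traffic traverses iptables"
        return 0
    fi
    echo "bridge-nf-call-iptables=0: iptables never sees bridged frames"
    return 1
}

# Print the rules in an "iptables -L -v" listing (read from stdin) whose
# packet counter is still zero, prefixed with their chain name.
zero_hit_rules() {
    awk '/^Chain /  { chain = $2; next }     # remember the chain header
         /^ *pkts /  { next }                 # skip the column header
         NF >= 3 && $1 == 0 { print chain ": " $0 }'
}

# Constructed sample: Robin's nat PREROUTING listing, unwrapped, plus one
# rule with non-zero counters so the scan has something to leave out.
SAMPLE='Chain PREROUTING (policy ACCEPT 92 packets, 5978 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       tcp  --  any    any     anywhere             anywhere            PHYSDEV match --physdev-in br-lan tcp dpt:80
    0     0 DROP       tcp  --  any    any     anywhere             anywhere            PHYSDEV match --physdev-in eth0.1 tcp dpt:80
   12   720 REDIRECT   tcp  --  any    any     anywhere             anywhere            tcp dpt:80 redir ports 3128'

if [ "${1:-}" = "--demo" ]; then
    bridge_nf_enabled
    printf '%s\n' "$SAMPLE" | zero_hit_rules
fi
```

Run with `--demo` on the bridge box to see both checks; feed a live `iptables -L -t nat -v` into `zero_hit_rules` to scan the real table.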