On Dec 26, 2012 2:22 PM, "Hans Kokx" <[email protected]> wrote:
>
> http://ebtables.sourceforge.net/br_fw_ia/br_fw_ia.html#section6

As I said, I think ebtables and not iptables is the way to go.

Robin

> --
> Hans Kokx
>
> On Wednesday, December 26, 2012 at 9:19 AM, Robin Wood wrote:
>>
>>
>> On Dec 26, 2012 2:11 PM, "Hans Kokx" <[email protected]> wrote:
>> >
>> > I don't think that's true, Robin.  When I worked at Barracuda, I supported their web filter.  It had a bridged interface, exclusively.  It also used iptables for all the rules.
>>
>> If you can suggest a working rule I'll happily be proved wrong.
>>
>> From reading about ebtables it operates at a lower level so can hit the bridge.
>>
>> Robin
>>
>> > --
>> > Hans Kokx
>> >
>> > On Wednesday, December 26, 2012 at 4:11 AM, Robin Wood wrote:
>> >>
>> >>
>> >> On Dec 26, 2012 4:41 AM, "Nik" <[email protected]> wrote:
>> >> >
>> >> > You can create bridge interface with "brctl" and manage traffic on it
>> >> > with iptables...
>> >>
>> >> I'm looking for the rule to do what I need, everything else is already in place.
>> >>
>> >> As far as I can tell iptables doesn't work on bridges.
>> >>
>> >> Robin
>> >>
>> >> > 2012/12/24 Robin Wood <[email protected]>:
>> >> > > On 24 December 2012 18:09, Robin Wood <[email protected]> wrote:
>> >> > >> On 23 December 2012 23:50, Robin Wood <[email protected]> wrote:
>> >> > >>> Hi
>> >> > >>> I need an iptables rule that will catch all traffic going over a
>> >> > >>> network bridge and send anything destined to port 80 to 8080. As the
>> >> > >>> proxy that will be listening on port 8080 will modify some traffic to
>> >> > >>> make it request from the IP of the local machine I'll need the rule to
>> >> > >>> ignore requests to port 80 on the IP of the localhost.
>> >> > >>>
>> >> > >>> This is what I tried as this works with IP forwarding for things like
>> >> > >>> ARP spoofing but this doesn't work in this instance, I think because
>> >> > >>> there is no routing going on, the traffic is just being passed
>> >> > >>> straight through.
>> >> > >>>
>> >> > >>> iptables -t nat -A PREROUTING -p tcp --destination-port 80 ! -d <local-IP> -j REDIRECT --to-port 8080
>> >> > >>>
>> >> > >>> With this rule in place, if I drop the -d I can get pages being
>> >> > >>> requested from the web server on the local machine to be bounced
>> >> > >>> through the proxy.
>> >> > >>>
>> >> > >>> How do I do it?
>> >> > >>>
>> >> > >>> Got a few good tools going to be based on this if I can get it to work
>> >> > >>
>> >> > >> A few people have suggested things but none have worked so far. To
>> >> > >> work out which chain will affect things I've just tried the following:
>> >> > >>
>> >> > >> iptables -A INPUT -p tcp --dport 80 -j DROP
>> >> > >> iptables -A OUTPUT -p tcp --dport 80 -j DROP
>> >> > >> iptables -A FORWARD -p tcp --dport 80 -j DROP
>> >> > >>
>> >> > >> Which I think should drop all traffic heading towards port 80 but even
>> >> > >> with those rules in place I'm still able to surf through the bridge.
>> >> > >>
>> >> > >> From a previous project I have a feeling that having iptables affect
>> >> > >> bridge traffic is hard. If the device was routing traffic then the
>> >> > >> above rules should work but as it is just bridging then it isn't
>> >> > >> working.
>> >> > >>
>> >> > >> Robin
>> >> > >
>> >> > > I've remembered what I should be doing, I need ebtables not iptables.
>> >> > >
>> >> > > ebtables.sourceforge.net/br_fw_ia/br_fw_ia.html
>> >> > >
>> >> > > That should get me in the middle.
>> >> > >
>> >> > > Robin
>> >> > > _______________________________________________
>> >> > > Pauldotcom mailing list
>> >> > > [email protected]
>> >> > > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
>> >> > > Main Web Site: http://pauldotcom.com
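Added example, not part of the thread or written by any of its participants: on Linux, whether iptables rules such as the DROP rules quoted above ever match frames forwarded by a bridge depends on the bridge netfilter switch `bridge-nf-call-iptables` under /proc/sys/net/bridge. The script below reports that state on a bridging firewall; the function names are this example's own, and the demo at the end runs on a constructed directory rather than a real /proc.

```shell
#!/bin/sh
# Added example: does netfilter (iptables) see frames forwarded by a Linux bridge?
# The sysctl directory is a parameter so the logic can run on a constructed tree.

# Print enabled / disabled / absent for one bridge-nf-call-* switch.
bridge_nf_state() {
    dir=$1
    name=$2
    if [ ! -r "$dir/$name" ]; then
        echo absent          # bridge netfilter hooks are not loaded at all
        return 0
    fi
    if [ "$(cat "$dir/$name")" = "1" ]; then
        echo enabled
    else
        echo disabled
    fi
}

# Explain what the state means for iptables rules on a bridging host.
bridge_nf_advice() {
    dir=${1:-/proc/sys/net/bridge}
    state=$(bridge_nf_state "$dir" bridge-nf-call-iptables)
    case $state in
        enabled)
            echo "enabled: bridged IPv4 traverses iptables PREROUTING/FORWARD/POSTROUTING" ;;
        disabled)
            echo "disabled: iptables rules never match bridged frames; filter with ebtables or set the sysctl to 1" ;;
        absent)
            echo "absent: bridge netfilter not loaded; only ebtables sees bridged frames" ;;
    esac
}

# Demo on a constructed tree (not a real /proc): hook present but switched off.
demo=$(mktemp -d)
printf '0\n' > "$demo/bridge-nf-call-iptables"
bridge_nf_advice "$demo"
rm -rf "$demo"
```

On a live host, call `bridge_nf_advice` with no argument to read /proc/sys/net/bridge directly.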