Re: [squid-users] Tproxy4+squid: ebtables wiki

From: Marko Kotar <kotarmarko_at_yahoo.com>
Date: Thu, 29 Oct 2009 07:51:28 -0700 (PDT)

Ok. My ebtables rules are (without -i option):

ebtables -t broute -A BROUTING -p ipv4 --ip-proto tcp --ip-dport 80 -j redirect --redirect-target ACCEPT
ebtables -t broute -A BROUTING -p ipv4 --ip-proto tcp --ip-sport 80 -j redirect --redirect-target ACCEPT

This might be the difference: Bridge is up and it is having an ip address. Ethernet interfaces are up but not having any ip address assigned.

ifconfig eth0 up promisc
...

bridge interface is configured with dhclient:

dhclient3 br0

These rules are for the routing:

ip rule add fwmark 1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100

And:

echo 0 > /proc/sys/net/ipv4/conf/lo/rp_filter
echo 1 > /proc/sys/net/ipv4/ip_forward

iptables are:

iptables -t mangle -N DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129

squid configuration is default, except acl allow all and port is set to the same address as in iptables, and having TPROXY set.

I am using: 2.6.28-16-server x86_64 ubuntu, default or compiled ebtables v2.0.9-1 (June 2009), compiled iptables v1.4.5, Squid Cache: Version 3.1.0.14 configure options: '--enable-linux-netfilter' --with-squid=/home/marko/src/squid-3.1.0.14 --enable-ltdl-convenience (configured only with the additional linux-netfilter flag).

I've used various network configurations:
- virtual computer using VmBox with virtual interface in the linux bridge on guest pc.
- computer with two interfaces.
- double bridged vmbox: two virtual machines: first having 2 virtual interfaces, bridged and having squid. second virtual pc being client with one virtual interface. one interface of first was bridged on guest computer to external interface, other two were bridged together.

Drop didn't work in any of them, accept was tested only in first. I think that's all the settings I have.
--- On Wed, 10/28/09, Dan <dan@jisp.net> wrote:

> From: Dan <dan@jisp.net>
> Subject: Re: [squid-users] Tproxy4+squid: ebtables wiki
> To: "Marko Kotar" <kotarmarko@yahoo.com>, squid-users@squid-cache.org
> Date: Wednesday, October 28, 2009, 9:21 PM
> Marko Kotar wrote:
> > Thanks.
> >
> > "redirect
> >
> > The redirect target will change the MAC target address to that of the bridge device the frame arrived on. This target can only be used in the BROUTING chain of the broute table and the PREROUTING chain of the nat table. In the BROUTING chain, the MAC address of the bridge port is used as destination address, in the PREROUTING chain, the MAC address of the bridge is used.
> >
> > --redirect-target target
> >
> >     Specifies the standard target. After doing the MAC redirect, the rule still has to give a standard target so ebtables knows what to do. The default target is ACCEPT. Making it CONTINUE could let you use multiple target extensions on the same frame. Making it DROP in the BROUTING chain will let the frames be routed. RETURN is also allowed. Note that using RETURN in a base chain is not allowed."
> >
> > I think: If accept is used it goes in the tproxy because dst mac is changed to bridge address. (So it goes up as it would if client had gateway configured to that machine?) But should drop also work?
> >
> I decided to test it. I changed my rule to ACCEPT and traffic passes but not through the proxy. My access.log shows no new traffic after changing the rule. DROP is what passes the frame off to iptables. Could you show all your rules? If squid is receiving the traffic the only thing I can think of is that maybe there is another rule further down the chain that causes the frame to be routed.
>
> > I have tried drop but it didn't work. I didn't get through any traffic.
> > If I didn't use any of ebtables rules it went through.
> > But accept works.
> >
> > --- On Wed, 10/28/09, Dan <dan@jisp.net> wrote:
> >
> >> From: Dan <dan@jisp.net>
> >> Subject: Re: [squid-users] Tproxy4+squid: ebtables wiki
> >> To: "Marko Kotar" <kotarmarko@yahoo.com>
> >> Cc: squid-users@squid-cache.org
> >> Date: Wednesday, October 28, 2009, 1:03 AM
> >> Marko Kotar wrote:
> >>> Hi,
> >>> You have incorrect commands in squid wiki for tproxy4 ebtables:
> >>> I figured out that it is not "--redirect-target DROP" but it is "--redirect-target ACCEPT".
> >>
> >> With ebtables using broute ACCEPT and DROP have special meanings. DROP means route the frame and ACCEPT means bridge the frame.
> >>
> >> http://ebtables.sourceforge.net/misc/ebtables-man.html
> >>
> >>> There is a "-j REDIRECT" which should be in lowercase letters "-j redirect".
> >>> Thanks for the guide.
> >>>
> >>> Marko
> >>
> >> Dan
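The rule set discussed in this thread, gathered into one reviewable script, as an added example that is not part of the posts above and not the Squid wiki's or the ebtables project's own code. It emits the ebtables, sysctl, ip and iptables commands in dependency order so they can be inspected before being applied, applies them on request, and checks the kernel state afterwards. The bridge name br0, squid port 3129, fwmark 1 and table 100 are assumptions taken from the thread's own values; because the posters report different results with the ebtables standard target (ACCEPT bridges the frame, DROP routes it, per the man page quoted above), REDIRECT_TARGET is a parameter rather than a fixed choice.

```shell
#!/bin/sh
# Added example, not from the thread: assembles the bridged TPROXY rule set
# in dependency order, prints it for review (default), applies it ("apply"),
# or checks the host afterwards ("verify"). All names below are assumptions.
BRIDGE="${BRIDGE:-br0}"             # bridge device that carries the IP address
SQUID_PORT="${SQUID_PORT:-3129}"    # squid's "http_port ... tproxy" port
MARK="${MARK:-1}"                   # fwmark that selects the local-delivery table
TABLE="${TABLE:-100}"               # policy routing table holding "local 0.0.0.0/0"
# broute table semantics: ACCEPT = bridge the frame, DROP = route it.
REDIRECT_TARGET="${REDIRECT_TARGET:-DROP}"

# Emit one command per line; every chain/table exists before a rule refers to it.
tproxy_commands() {
    mark_hex=$(printf '0x%x/0x%x' "$MARK" "$MARK")
    cat <<EOF
ebtables -t broute -A BROUTING -p ipv4 --ip-proto tcp --ip-dport 80 -j redirect --redirect-target $REDIRECT_TARGET
ebtables -t broute -A BROUTING -p ipv4 --ip-proto tcp --ip-sport 80 -j redirect --redirect-target $REDIRECT_TARGET
echo 0 > /proc/sys/net/ipv4/conf/lo/rp_filter
echo 1 > /proc/sys/net/ipv4/ip_forward
ip rule add fwmark $MARK lookup $TABLE
ip route add local 0.0.0.0/0 dev lo table $TABLE
iptables -t mangle -N DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark $MARK
iptables -t mangle -A DIVERT -j ACCEPT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark $mark_hex --on-port $SQUID_PORT
EOF
}

# Line number (1-based) of the first line on stdin matching the fixed string $1.
line_of() { grep -n -- "$1" | head -n 1 | cut -d: -f1; }

# Order matters: the "-m socket" rule must precede the TPROXY rule so packets
# of connections squid already owns are only re-marked, and the DIVERT chain
# must be created before anything jumps to it. Returns 0 when both hold.
check_order() {
    cmds=$(tproxy_commands)
    n_new=$(printf '%s\n' "$cmds" | line_of '-N DIVERT')
    n_jump=$(printf '%s\n' "$cmds" | line_of '-j DIVERT')
    n_sock=$(printf '%s\n' "$cmds" | line_of '-m socket')
    n_tproxy=$(printf '%s\n' "$cmds" | line_of '-j TPROXY')
    [ "$n_new" -lt "$n_jump" ] && [ "$n_sock" -lt "$n_tproxy" ]
}

# Apply for real (root on the bridge host); sh -ex echoes each command and
# stops at the first failure so a half-applied state is visible, not silent.
apply_tproxy() { check_order && tproxy_commands | sh -ex; }

# Post-apply check of the kernel side: bridge present, rp_filter off on lo,
# forwarding on. Non-zero exit means squid's TPROXY cannot work as configured.
verify_host() {
    [ -d "/sys/class/net/$BRIDGE/bridge" ] &&
    [ "$(cat /proc/sys/net/ipv4/conf/lo/rp_filter)" = 0 ] &&
    [ "$(cat /proc/sys/net/ipv4/ip_forward)" = 1 ]
}

case "${1:-}" in
    apply)  apply_tproxy ;;
    verify) verify_host ;;
    *)      tproxy_commands ;;   # dry run: print the rule set for review
esac
```

Run it with no argument to see exactly what would be executed, with `apply` as root on the bridge host, and with `verify` afterwards; to try the other ebtables standard target, set REDIRECT_TARGET=ACCEPT in the environment rather than editing the rules.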
Received on Thu Oct 29 2009 - 14:51:36 MDT

This archive was generated by hypermail 2.2.0 : Thu Oct 29 2009 - 12:00:04 MDT