Have you set up ebtables to drop the packet,
ebtables -t broute -A BROUTING -i $CLIENT_IFACE -p ipv4 --ip-proto tcp \
    --ip-dport 80 -j redirect --redirect-target DROP
ebtables -t broute -A BROUTING -i $INET_IFACE -p ipv4 --ip-proto tcp \
    --ip-sport 80 -j redirect --redirect-target DROP
Second hint:
route all your network/netmask IP addresses to the bridge device,
example:
ip route add 192.168.100.0/24 dev br0
ip route add 10.0.0.0/8 dev br0
BUT, if you have a router again below your bridge, you should define
routing in your bridge.
Because your box actually acts as both bridge and router. It acts as a router
because you intercepted traffic to squid. So, when the kernel forwards
the traffic to the network, it must know which interface to forward it to.
2010/4/2 Henrik Nordström <henrik_at_henriknordstrom.net>:
> Thu 2010-04-01 at 13:43 -0700 Kurt Sandstrom wrote:
>> The bridging is working just not redirecting to the squid. I can see
>> the counters increment for port 80 but nothing on the squid side.
>
> TPROXY has some quite peculiar requirements, and the combination with
> bridging makes those even more complex. And is why I ask that you first
> verify your TPROXY setup in routing mode before trying the same in
> bridge mode. It's simply about isolating why things do not work for you
> instead of trying to guess if it's the bridge-iptables integration,
> ebtables, iptables TPROXY rules, routing, or whatever.
>
> Regards
> Henrik
>
>
Received on Fri Apr 02 2010 - 11:03:27 MDT
This archive was generated by hypermail 2.2.0 : Fri Apr 02 2010 - 12:00:04 MDT
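The following is an added example, not code posted in this thread and not Squid's own documentation. It collects the two hints above (the ebtables BROUTING rules and the explicit routes via the bridge) together with the usual TPROXY policy-routing and iptables mangle rules into one script, and prints the verification commands Henrik's advice calls for (check counters at each layer before blaming the bridge). The interface names eth0/eth1/br0, the LAN prefixes, the firewall mark 0x1, routing table 100 and the Squid tproxy port 3129 are assumptions chosen for the example; override them through the environment. It is a dry run by default and only executes the commands when APPLY=1.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread or the Squid project):
# generate, and optionally apply, the rules for steering port-80 traffic
# through Squid's TPROXY on a Linux bridge. Every value below is an
# assumption for this example; adjust to your network.
CLIENT_IFACE="${CLIENT_IFACE:-eth0}"   # assumed bridge port facing the clients
INET_IFACE="${INET_IFACE:-eth1}"       # assumed bridge port facing the Internet
BRIDGE="${BRIDGE:-br0}"                # assumed bridge device
LAN_NETS="${LAN_NETS:-192.168.100.0/24 10.0.0.0/8}"   # assumed LAN prefixes
TPROXY_PORT="${TPROXY_PORT:-3129}"     # assumed Squid "http_port ... tproxy"
MARK=0x1                               # assumed fwmark used for TPROXY
TABLE=100                              # assumed policy-routing table

# Sysctls the setup depends on: bridged frames must reach iptables, the box
# must forward, and reverse-path filtering must not drop the replies Squid
# sends with the client's spoofed source address.
emit_sysctls() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
sysctl -w net.bridge.bridge-nf-call-iptables=1
sysctl -w net.ipv4.conf.all.rp_filter=0
sysctl -w net.ipv4.conf.$BRIDGE.rp_filter=0
EOF
}

# ebtables BROUTING: in the broute table "--redirect-target DROP" does not
# discard the frame, it means "route this frame instead of bridging it", so
# port-80 traffic leaves the bridge path and reaches the IP layer.
emit_ebtables() {
    cat <<EOF
ebtables -t broute -A BROUTING -i $CLIENT_IFACE -p ipv4 --ip-proto tcp --ip-dport 80 -j redirect --redirect-target DROP
ebtables -t broute -A BROUTING -i $INET_IFACE -p ipv4 --ip-proto tcp --ip-sport 80 -j redirect --redirect-target DROP
EOF
}

# Policy routing: marked packets are delivered locally (to Squid), and every
# LAN prefix gets an explicit route via the bridge so that forwarded packets
# know which interface to leave on (the "second hint" in the reply above).
emit_routes() {
    echo "ip rule add fwmark $MARK lookup $TABLE"
    echo "ip route add local 0.0.0.0/0 dev lo table $TABLE"
    for net in $LAN_NETS; do
        echo "ip route add $net dev $BRIDGE"
    done
}

# iptables mangle: packets belonging to an existing Squid socket are marked
# (DIVERT); new port-80 connections are handed to TPROXY on Squid's port.
emit_iptables() {
    cat <<EOF
iptables -t mangle -N DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark $MARK
iptables -t mangle -A DIVERT -j ACCEPT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark $MARK/$MARK --on-port $TPROXY_PORT
EOF
}

emit_all() {
    emit_sysctls
    emit_ebtables
    emit_routes
    emit_iptables
}

# Commands to locate where traffic stops: the ebtables counter, then the
# mangle PREROUTING counters, then the rule/table, then Squid's access log.
emit_checks() {
    cat <<EOF
ebtables -t broute -L --Lc
iptables -t mangle -L PREROUTING -n -v
ip rule show
ip route show table $TABLE
EOF
}

# Dry run by default; APPLY=1 executes the generated commands (as root).
main() {
    if [ "${APPLY:-0}" = 1 ]; then
        emit_all | sh -e
    else
        emit_all
        echo "# verify with:"
        emit_checks | sed 's/^/#   /'
    fi
}

main "$@"
```

Apply it first on a box in plain routing mode (no bridge, the two interfaces routed) and confirm that the mangle counters move and Squid logs the request; only then create the bridge and add the ebtables rules, so that a failure can be attributed to exactly one layer.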