Re: [squid-users] transparent tproxy: routing issue or my own problem ?

From: Henrik Nordstrom <[email protected]>
Date: Mon, 09 Jul 2007 13:18:45 +0200

fre 2007-07-06 klockan 11:07 +0800 skrev Ming-Ching Tiew:

> I think I fixed the issue by changing the ebtables rule to :-
>
> ebtables -t broute -A BROUTING --logical-in br0 -p IPv4 --ip-protocol 6 \
> --ip-destination-port 80 -j redirect --redirect-target DROP

Should be

ebtables -t broute -A BROUTING -p IPv4 --ip-protocol 6 \
        -i eth0 --ip-source your.lan.network/mask \
        --ip-destination-port 80 -j redirect --redirect-target ACCEPT

with eth0 being the interface connected to your LAN, and
your.lan.network/mask the IP network used on your LAN.

Do NOT redirects networks for which you do not have routing configured,
doing so will not work.

If you are to use TPROXY then I'd recommend using the bridge-netfilter
integration instead of ebtables. This because TPROXY needs to intercept
the return traffic as well, not just lan->internet traffic. It's
possible to add ebtables rules for this by doing rules inverse to the
above.

ebtables -t broute -A BROUTING -p IPv4 --ip-protocol 6 \
        --ip-destination your.lan.network/mask \
        --ip-source-port 80 -j redirect --redirect-target ACCEPT

Regards
Henrik

Received on Mon Jul 09 2007 - 05:18:51 MDT

This archive was generated by hypermail pre-2.1.9 : Wed Aug 01 2007 - 12:00:03 MDT