
List:       netfilter
Subject:    Re: transparent proxy and iptables (and ebtables) failing
From:       Robin Wood <robin () digininja ! org>
Date:       2009-10-18 22:03:04
Message-ID: 7de411230910181503s3be59470sd2a3cddfc54d327 () mail ! gmail ! com

2009/10/13 Robin Wood <robin@digininja.org>:
> 2009/10/7 Robin Wood <robin@digininja.org>:
>> 2009/10/7 Robin Wood <robin@digininja.org>:
>>> Hi
>>> I'm trying to set up a transparent proxy so I've got a Linux device
>>> with two NICs which are bridged using brctl. Traffic flows happily
>>> across the bridge so I know it is working fine.
>>>
>>> Now when I try to set up the iptables rules they are being ignored. The
>>> rule I want to use is:
>>>
>>> iptables -t nat -A PREROUTING -i br-lan -p tcp --dport 80 -j REDIRECT
>>> --to-port 3128
>>>
>>> but nothing gets redirected. I've also tried changing 3128 to a port
>>> that is closed to see what would happen, nothing, the packets kept
>>> flowing.
>>
>> Various people have suggested using ebtables rather than iptables
>> because I want to act on traffic over the bridge rather than between
>> interfaces. If this is correct, how would I rewrite the above rule in
>> ebtables speak?
>
> I'm back to playing with this and I've now tried ebtables (which I
> hope is covered by this list) and I'm still not managing to trap
> traffic. The bridge is as follows
>
> # brctl show
> bridge name     bridge id               STP enabled     interfaces
> br-lan          8000.001884d0a060       no              eth0.0
>                                                        eth0.1
>
> And the two rules I've tried are
>
> # ebtables -L
> Bridge table: filter
>
> Bridge chain: INPUT, entries: 1, policy: ACCEPT
> -p IPv4 --ip-dst 192.168.0.8 -j DROP
>
> Bridge chain: FORWARD, entries: 1, policy: ACCEPT
> -p IPv4 --ip-proto tcp --ip-dport 80 -j DROP
>
> Bridge chain: OUTPUT, entries: 0, policy: ACCEPT
>
> The first I think should intercept all ipv4 traffic going to
> 192.168.0.8 and drop it, it doesn't.
>
> The second should drop all ipv4 tcp traffic on port 80. Again, this
> doesn't work.
>
> Any suggestions as to what could be happening?
>
> Robin
>

I've done some more investigating on this and moved a little further
forward. I wondered if it were the device I'm using as even though it
has two NICs they don't seem to be two distinct devices as they come up
as eth0.0 and eth0.1 with an eth0 which sees traffic on both
interfaces.

So, I added a USB NIC to give me a completely separate interface and
tried again but with the standard transparent bridge iptables line
nothing happened. So I started playing with the ebtables commands and
found a way to intercept traffic. If I run

ebtables -t broute -A BROUTING  -j DROP

All traffic on the bridge is dropped. However, when I put in the IPv4 protocol,

ebtables -t broute -A BROUTING -p IPv4  -j DROP

the traffic can flow again. I tried adding IPv6 as well, just in case
but that didn't do anything. I also tried capturing some traffic with
tcpdump and checking that it shows normal traffic when sniffing either
the bridge or individual interfaces. There doesn't seem to be any
unusual encapsulation going on.

Can anyone suggest any other debug/testing I can do?

Robin
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
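A setup and self-check script for the bridged transparent proxy this thread is about, added here as an example; it is not part of Robin's messages or of the netfilter project. It assumes the names from the thread (bridge br-lan, proxy port 3128, HTTP on port 80) and only prints the commands unless DRY_RUN=0.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed names: bridge br-lan, proxy on
# port 3128, HTTP on port 80. DRY_RUN=1 (the default) only prints commands.
BRIDGE="${BRIDGE:-br-lan}"
PROXY_PORT="${PROXY_PORT:-3128}"
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# Frames that are bridged never reach iptables unless the bridge hands them
# to netfilter; this sysctl is what lets the nat PREROUTING rule see them.
# Prints the current value so it can be checked before anything is changed.
bridge_nf_status() {
    sysctl -n net.bridge.bridge-nf-call-iptables 2>/dev/null || echo "unavailable"
}

enable_bridge_nf() {
    run sysctl -w net.bridge.bridge-nf-call-iptables=1
}

# In the broute table DROP does not discard: it tells the bridge to route the
# frame (hand it to the IP stack) instead of bridging it. The redirect target
# rewrites the destination MAC to the bridge's own MAC, so the IP stack treats
# the frame as local and iptables nat can act on it.
broute_rule() {
    run ebtables -t broute -A BROUTING -p IPv4 --ip-proto tcp \
        --ip-dport 80 -j redirect --redirect-target DROP
}

# The nat rule from the thread; it only fires once one of the two mechanisms
# above delivers bridged HTTP frames to the IP stack.
redirect_rule() {
    run iptables -t nat -A PREROUTING -i "$BRIDGE" -p tcp --dport 80 \
        -j REDIRECT --to-port "$PROXY_PORT"
}

# List the rules with packet counters to confirm they actually match traffic
# rather than being silently bypassed.
show_rules() {
    run ebtables -t broute -L --Lc
    run iptables -t nat -L PREROUTING -n -v
}
```

Run it as root with DRY_RUN=0 on the real bridge, compare bridge_nf_status before and after, and watch the counters from show_rules while generating HTTP traffic across the bridge.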
