
Re: [LARTC] filter policy drop and allow transparent proxy

To: William Bohannan <WBohannan@spidersat.com.gh>
Subject: Re: [LARTC] filter policy drop and allow transparent proxy
From: Jasbir Khehra <jasbir.k@gmail.com>
Date: Fri, 29 Dec 2006 00:07:22 +0530
Cc: lartc@mailman.ds9a.nl
In-reply-to: <4D411FB02758FE45915E9724339093F61A7135@intranet.scpl.local>
References: <4D411FB02758FE45915E9724339093F61A7135@intranet.scpl.local>
Reply-to: jasbir.k@gmail.com
Sender: lartc-bounces@mailman.ds9a.nl
User-agent: Thunderbird 1.5.0.8 (X11/20061115)
William Bohannan wrote:
Trying to use the policy drop rule with the bridged firewall; when I
removed the first line the transparent proxy works great? It seems a
bit strange, as from reading several articles on it I thought the
following occurs.
1st line - if it doesn't match it gets dropped on the local filter input.
2nd line - redirects the traffic off the link layer into the network
layer ready for line 3.
3rd line - redirects port 80 to 8080 and then goes to the local
process (squid) through the input filter.
4th line - input filter accepts the traffic, overriding the global
reject policy.
iptables -P INPUT DROP
ebtables -t broute -A BROUTING -p IPv4 --ip-protocol 6 --ip-destination-port 80 -j redirect --redirect-target ACCEPT
iptables -t nat -A PREROUTING -i br0 -p tcp --dport 80 -j REDIRECT --to-port 8080
iptables -A INPUT -p tcp --dport 80 -m physdev --physdev-in eth1 --physdev-out eth0 -j ACCEPT

Any help would be most welcome.

Kind Regards
William

_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

The 4th line should look for packets on dport 8080 instead of 80.
-Jasbir
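As an added illustration of Jasbir's point (not code from this thread): a small Python model of the traversal order William describes, nat PREROUTING running before filter INPUT, so REDIRECT has already rewritten the destination port by the time the INPUT rule is evaluated. The Packet fields, rule dictionaries and the sample SYN are constructed assumptions; the model tracks only the port rewrite and the in-interface / physdev-in matches, not the full netfilter match set.

```python
# Constructed model of the nat PREROUTING -> filter INPUT walk for a locally
# delivered packet. Not real netfilter; it exists only to show why an INPUT
# rule matching dport 80 never sees the packet that REDIRECT sent to 8080.
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    in_iface: str    # logical interface the packet arrives on (the bridge, br0)
    physdev_in: str  # physical bridge port it came in on
    proto: str
    dport: int       # destination port as the current table sees it

def matches(rule, pkt):
    """True when every match clause in the rule agrees with the packet."""
    return all(getattr(pkt, key) == val for key, val in rule["match"].items())

def nat_prerouting(rules, pkt):
    """First matching REDIRECT rule rewrites dport; later tables see the new port."""
    for rule in rules:
        if rule["target"] == "REDIRECT" and matches(rule, pkt):
            return replace(pkt, dport=rule["to_port"])
    return pkt

def filter_input(rules, pkt, policy="DROP"):
    """First matching rule gives the verdict; otherwise the chain policy applies."""
    for rule in rules:
        if matches(rule, pkt):
            return rule["target"]
    return policy

# Line 3 of the original ruleset: -i br0 -p tcp --dport 80 -j REDIRECT --to-port 8080
PREROUTING = [{"match": {"in_iface": "br0", "proto": "tcp", "dport": 80},
               "target": "REDIRECT", "to_port": 8080}]

def verdict(input_dport):
    """Walk a constructed client SYN to port 80 (from bridge port eth1) through
    PREROUTING and then INPUT, where the ACCEPT rule matches input_dport."""
    syn = Packet(in_iface="br0", physdev_in="eth1", proto="tcp", dport=80)
    input_rules = [{"match": {"proto": "tcp", "dport": input_dport,
                              "physdev_in": "eth1"},
                    "target": "ACCEPT"}]
    return filter_input(input_rules, nat_prerouting(PREROUTING, syn))

if __name__ == "__main__":
    print("INPUT rule on dport 80:  ", verdict(80))    # DROP (policy)
    print("INPUT rule on dport 8080:", verdict(8080))  # ACCEPT
```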
