
RE: [LARTC] filter policy drop and allow transparent proxy

To: <jasbir.k@gmail.com>, <lartc@mailman.ds9a.nl>
Subject: RE: [LARTC] filter policy drop and allow transparent proxy
From: "William Bohannan" <WBohannan@spidersat.com.gh>
Date: Fri, 29 Dec 2006 22:34:41 +0900
Delivered-to: sp-com-lists@consult.net
Delivered-to: lartc-list@securepoint.com
Delivered-to: lartc@outpost.ds9a.nl
In-reply-to: <4594D47D.1080709@gmail.com>
List-archive: <http://mailman.ds9a.nl/pipermail/lartc>
List-help: <mailto:lartc-request@mailman.ds9a.nl?subject=help>
List-id: "Mailinglist of the Linux Advanced Routing & Traffic Control project" <lartc.mailman.ds9a.nl>
List-post: <mailto:lartc@mailman.ds9a.nl>
List-subscribe: <http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc>, <mailto:lartc-request@mailman.ds9a.nl?subject=subscribe>
List-unsubscribe: <http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc>, <mailto:lartc-request@mailman.ds9a.nl?subject=unsubscribe>
Sender: lartc-bounces@mailman.ds9a.nl
Thread-index: AccrJUA7hZBkvjaiRxem7JnQhoYcngAJyB6A
Thread-topic: [LARTC] filter policy drop and allow transparent proxy
Did exactly what you said and added the following lines to the code to
make:

iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
echo "1" > /proc/sys/net/ipv4/ip_forward
iptables -P INPUT DROP
ebtables -t broute -A BROUTING -p IPv4 --ip-protocol 6 --ip-destination-port 80 -j redirect --redirect-target ACCEPT
iptables -t nat -A PREROUTING -i br0 -p tcp --dport 80 -j REDIRECT --to-port 8080
iptables -A INPUT -p tcp --dport 8080 -m physdev --physdev-in eth1 --physdev-out eth0 -j ACCEPT
iptables -A INPUT -p tcp --dport 8080 -m physdev --physdev-in eth0 --physdev-out eth1 -j ACCEPT

Still had no luck.  The output you asked for:

server1:~# iptables -nvL INPUT
Chain INPUT (policy DROP 35 packets, 2223 bytes)
 pkts bytes target     prot opt in     out     source               destination
    2   146 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
  255 17920 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in eth0 multiport ports 81,82,3003
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in eth1 multiport ports 81,82,3003
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:8080 PHYSDEV match --physdev-in eth1 --physdev-out eth0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:8080 PHYSDEV match --physdev-in eth0 --physdev-out eth1

Kind Regards

William


-----Original Message-----
From: Jasbir Khehra [mailto:jasbir.k@gmail.com] 
Sent: 29 December 2006 08:40
To: lartc@mailman.ds9a.nl
Cc: William Bohannan
Subject: Re: [LARTC] filter policy drop and allow transparent proxy

William Bohannan wrote:
> Thanks for the quick response Jasbir.  Tried doing as you said with no
> luck, changed dport to port 8080 on the 4th line (see below).  Same as
> before if you remove line 1 the transparent proxy works.
> 
> 
> iptables -P INPUT DROP
> ebtables -t broute -A BROUTING -p IPv4 --ip-protocol 6 --ip-destination-port 80 -j redirect --redirect-target ACCEPT
> iptables -t nat -A PREROUTING -i br0 -p tcp --dport 80 -j REDIRECT --to-port 8080
> iptables -A INPUT -p tcp --dport 8080 -m physdev --physdev-in eth1 --physdev-out eth0 -j ACCEPT
> 
> Kind Regards
> 
> William
Need to do some debugging.
Set default INPUT policy to ACCEPT and add various rules in the INPUT
chain (without any target action) to verify which rules are matching.

for example:
iptables -A INPUT -p tcp --dport 8080 -m physdev --physdev-in eth1 --physdev-out eth0
iptables -A INPUT -p tcp --dport 8080 -m physdev --physdev-in eth0 --physdev-out eth1
iptables -A INPUT -p tcp --dport 8080 -i br0
Then check out the output of:
iptables -nvL INPUT
HTH
Jasbir


_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
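Added example, not code from the thread or from the LARTC project: the counter-reading step that Jasbir's counting-only rules are meant to enable, done as a small POSIX sh/awk script. It reads the `iptables -nvL INPUT` listing and reports, per rule, whether the rule has ever matched, plus how many packets fell through to the chain policy. The fixture is William's posted INPUT chain, re-joined to one rule per line; it already shows the diagnosis the thread is circling (35 packets dropped by the policy while both port-8080 rules sit at 0, so nothing written so far describes the redirected proxy traffic). The function names `policy_drops`, `unmatched_rules` and `hit_report` are my own.

```shell
#!/bin/sh
# Added example (not from the thread): summarise which INPUT rules are matching
# by parsing the counters printed by `iptables -nvL INPUT`.
# Function names below are this example's own, not iptables features.

# Fixture: the INPUT chain William posted, re-joined to one rule per line.
SAMPLE='Chain INPUT (policy DROP 35 packets, 2223 bytes)
 pkts bytes target     prot opt in     out     source               destination
    2   146 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
  255 17920 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in eth0 multiport ports 81,82,3003
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in eth1 multiport ports 81,82,3003
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:8080 PHYSDEV match --physdev-in eth1 --physdev-out eth0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:8080 PHYSDEV match --physdev-in eth0 --physdev-out eth1'

# policy_drops: packets that fell through to the chain policy (listing line 1).
# With policy DROP, this number rising while the 8080 rules stay at 0 means the
# traffic reaches INPUT but none of the written matches describe it.
policy_drops() {
    awk 'NR == 1 { sub(/.*policy [A-Z]+ /, ""); sub(/ packets.*/, ""); print }'
}

# unmatched_rules: number of rules (two header lines skipped) with a zero counter.
unmatched_rules() {
    awk 'NR > 2 && $1 == 0 { n++ } END { print n + 0 }'
}

# hit_report: one line per rule with counter, target and match expression.
# Columns 1-9 are fixed (pkts bytes target prot opt in out source destination);
# everything from column 10 onward is the match text, echoed verbatim.
hit_report() {
    awk 'NR > 2 {
        status = ($1 == 0) ? "NO-HITS" : "hit"
        matches = ""
        for (i = 10; i <= NF; i++) matches = matches (i > 10 ? " " : "") $i
        printf "rule %d: %-7s pkts=%-5s target=%-6s %s\n", NR - 2, status, $1, $3, matches
    }'
}

# Stand-alone run over the fixture. On a live box, feed the real listing
# instead: `iptables -nvL INPUT | hit_report` (as root).
printf '%s\n' "$SAMPLE" | hit_report
printf 'policy drops: %s, rules never hit: %s\n' \
    "$(printf '%s\n' "$SAMPLE" | policy_drops)" \
    "$(printf '%s\n' "$SAMPLE" | unmatched_rules)"
```

Reset the counters with `iptables -Z INPUT` before a test fetch through the proxy, then run the report again; a rule that stays at NO-HITS across the test is one that never saw the packet, which is what the counting-only rules in the thread are meant to expose.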
