[LARTC] linux transparent bridge running squid

Radu Oprisan radu at securesystems.ro
Sat Jul 22 23:04:34 CEST 2006


Luciano Ruete wrote:
> On Friday 21 July 2006 15:31, William Bohannan wrote:
>> Hi I have been using Shorewall for a while now and find it very useful and
>> easy to configure, I am learning iptables and having trouble getting the
>> bridge to successfully work with squid, although I get it working with
>> Shorewall straight away?  Does anyone know the rules to successfully use
>> squid with a transparent bridge?
>>
>> Internet - router - (bridge eth0 - eth1) - local LAN
>>
>> auto lo
>> iface lo inet loopback
>>
>> auto br0
>> iface br0 inet static
>> address 192.168.0.253
>> netmask 255.255.255.0
>> network 192.168.0.0
>> broadcast 192.168.0.255
>> gateway 192.168.0.254
>> pre-up /sbin/ip link set eth0 up
>> pre-up /sbin/ip link set eth1 up
>> pre-up /usr/sbin/brctl addbr br0
>> pre-up /usr/sbin/brctl addif br0 eth0
>> pre-up /usr/sbin/brctl addif br0 eth1
>>
>> iptables -A INPUT -i br0 -p tcp -d 192.168.0.253 -s 192.168.0.0 --dport 3128 -m state --state NEW,ESTABLISHED -j ACCEPT
>> iptables -t nat -A PREROUTING -i br0 -p tcp --dport 80 -j REDIRECT --to-port 3128
>> echo 1 > /proc/sys/net/ipv4/ip_forward
> 
> You are at the link layer in the bridge; packets don't travel up to the network layer,
> so iptables does not even see these packets.
> You can either use ebtables[1] or see 'physdev' in the iptables man page.
> 
> [1]http://ebtables.sourceforge.net/

Also, I need to point this out: be very careful not to include the
squid machine in the ebtables redirect, as that could end up in an
endless loop.
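The configuration the two replies sketch, written out as an added example that is not part of the original thread or any poster's setup: an ebtables BROUTING redirect pulls HTTP frames up from the link layer so iptables can see them, the physdev match pins the iptables rule to the LAN-facing bridge port, and the loop Radu warns about is avoided by excluding the proxy's own source address from both rules. The names br0, eth0, eth1, port 3128 and the address 192.168.0.253 come from the original post; treating 192.168.0.253 as the proxy's outbound source address (`PROXY_IP`), the script name and the `DRY_RUN` preview mode are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the LARTC thread): intercept LAN HTTP traffic crossing
# a Linux bridge and hand it to Squid on the bridge host.
# Assumed/placeholder values: br0 bridges eth0 (upstream) and eth1 (LAN), Squid
# listens on 3128 on the bridge host, and 192.168.0.253 is the address the
# proxy itself uses for its outbound fetches.

BR_IF=${BR_IF:-br0}
LAN_IF=${LAN_IF:-eth1}                # bridge port facing the clients
PROXY_IP=${PROXY_IP:-192.168.0.253}   # source address of the proxy's own traffic
SQUID_PORT=${SQUID_PORT:-3128}
DRY_RUN=${DRY_RUN:-0}                 # DRY_RUN=1 prints commands instead of running them

# run: execute the command, or in dry-run mode print it so the rule set can be
# reviewed without root and without the ebtables/iptables binaries present.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# apply_rules ACTION: emit the rule set with ACTION = -A (install) or -D (remove).
apply_rules() {
    action=$1

    # Link layer: HTTP frames entering on the LAN port get their destination MAC
    # rewritten to the bridge's own MAC. With --redirect-target ACCEPT the frame
    # is still bridged, but now addressed to the bridge itself, so it is passed
    # up the stack on br0 where iptables can see it. Frames whose source is the
    # proxy address are skipped: intercepting the proxy's own outbound fetches
    # would feed them straight back into Squid, the endless loop from the thread.
    run ebtables -t broute "$action" BROUTING -i "$LAN_IF" -p IPv4 \
        --ip-proto tcp --ip-dport 80 --ip-src ! "$PROXY_IP" \
        -j redirect --redirect-target ACCEPT

    # Network layer: redirect the now locally delivered packets to Squid's port.
    # --physdev-in pins the rule to frames that entered on the LAN port, and the
    # source exclusion repeats the loop guard at this layer as well.
    run iptables -t nat "$action" PREROUTING -i "$BR_IF" \
        -m physdev --physdev-in "$LAN_IF" \
        -p tcp --dport 80 ! -s "$PROXY_IP" \
        -j REDIRECT --to-ports "$SQUID_PORT"

    # Let the redirected connections reach the Squid listener.
    run iptables "$action" INPUT -i "$BR_IF" -p tcp --dport "$SQUID_PORT" \
        -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
}

install_rules() {
    # physdev matching needs bridge-netfilter bookkeeping on bridged frames
    # (a separate module since kernel 3.18; on older kernels it is part of the
    # bridge module and the modprobe simply fails harmlessly). Enabling it also
    # makes the FORWARD chain apply to bridged traffic, so check its policy.
    run modprobe br_netfilter
    run sysctl -w net.bridge.bridge-nf-call-iptables=1
    apply_rules -A
}

uninstall_rules() {
    apply_rules -D
}

# Entry point: ./bridge-squid.sh install | uninstall (DRY_RUN=1 to preview).
case "${1:-}" in
    install)   install_rules ;;
    uninstall) uninstall_rules ;;
esac
```

Run it as root with `install` to apply the rules and `uninstall` to remove them, or `DRY_RUN=1 ./bridge-squid.sh install` to print the exact ebtables and iptables commands first. The exclusion of `PROXY_IP` costs nothing when Squid runs on the bridge host itself (its outbound connections originate locally and never traverse PREROUTING) and is what breaks the loop whenever the proxy's own traffic does pass through the bridge.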

