[LARTC] filter policy drop and allow transparent proxy
William Bohannan
WBohannan at spidersat.com.gh
Fri Dec 29 14:34:41 CET 2006
Did exactly what you said and added the following lines to the code to make:

iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
echo "1" > /proc/sys/net/ipv4/ip_forward
iptables -P INPUT DROP
ebtables -t broute -A BROUTING -p IPv4 --ip-protocol 6 --ip-destination-port 80 -j redirect --redirect-target ACCEPT
iptables -t nat -A PREROUTING -i br0 -p tcp --dport 80 -j REDIRECT --to-port 8080
iptables -A INPUT -p tcp --dport 8080 -m physdev --physdev-in eth1 --physdev-out eth0 -j ACCEPT
iptables -A INPUT -p tcp --dport 8080 -m physdev --physdev-in eth0 --physdev-out eth1 -j ACCEPT
Still had no luck. The output you asked for:
server1:~# iptables -nvL INPUT
Chain INPUT (policy DROP 35 packets, 2223 bytes)
 pkts bytes target     prot opt in     out     source               destination
    2   146 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
  255 17920 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-in eth0 multiport ports 81,82,3003
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-in eth1 multiport ports 81,82,3003
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8080 PHYSDEV match --physdev-in eth1 --physdev-out eth0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8080 PHYSDEV match --physdev-in eth0 --physdev-out eth1
Kind Regards
William
-----Original Message-----
From: Jasbir Khehra [mailto:jasbir.k at gmail.com]
Sent: 29 December 2006 08:40
To: lartc at mailman.ds9a.nl
Cc: William Bohannan
Subject: Re: [LARTC] filter policy drop and allow transparent proxy
William Bohannan wrote:
> Thanks for the quick response Jasbir. Tried doing as you said with no
> luck, changed dport to port 8080 on the 4th line (see below). Same as
> before if you remove line 1 the transparent proxy works.
>
>
> iptables -P INPUT DROP
> ebtables -t broute -A BROUTING -p IPv4 --ip-protocol 6 --ip-destination-port 80 -j redirect --redirect-target ACCEPT
> iptables -t nat -A PREROUTING -i br0 -p tcp --dport 80 -j REDIRECT --to-port 8080
> iptables -A INPUT -p tcp --dport 8080 -m physdev --physdev-in eth1 --physdev-out eth0 -j ACCEPT
>
> Kind Regards
>
> William
Need to do some debugging.
Set the default INPUT policy to ACCEPT and add various rules in the INPUT
chain (without any target action) to verify which rules are matching.
For example:

iptables -A INPUT -p tcp --dport 8080 -m physdev --physdev-in eth1 --physdev-out eth0
iptables -A INPUT -p tcp --dport 8080 -m physdev --physdev-in eth0 --physdev-out eth1
iptables -A INPUT -p tcp --dport 8080 -i br0

Then check out the output of:

iptables -nvL INPUT
HTH
Jasbir
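Added example, not code from either poster: a POSIX shell helper that reads an `iptables -nvL INPUT` listing and reports, per rule, how many packets it matched and how many the default policy dropped, which is the counter-reading step Jasbir describes. The embedded listing is constructed from the output quoted earlier in this thread so the script runs offline; on a live box pipe `iptables -nvL INPUT` into the function instead.

```shell
#!/bin/sh
# Constructed sample: the INPUT chain listing quoted in this thread.
SAMPLE='Chain INPUT (policy DROP 35 packets, 2223 bytes)
 pkts bytes target     prot opt in     out     source               destination
    2   146 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
  255 17920 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8080 PHYSDEV match --physdev-in eth1 --physdev-out eth0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8080 PHYSDEV match --physdev-in eth0 --physdev-out eth1'

# Summarise a listing read from stdin: one line per rule with its position,
# packet counter, target and match text, then the chain policy's drop counter.
audit_input_chain() {
    awk '
        /^Chain / { policy = $4; dropped = $5; next }
        /^ *pkts +bytes/ { next }          # column header line
        NF >= 9 {
            n++
            m = ""
            for (i = 10; i <= NF; i++) m = m (i > 10 ? " " : "") $i
            printf "rule %d: %s pkts target=%s match=%s\n", n, $1, $3, (m == "" ? "-" : m)
        }
        END { printf "policy %s dropped %s packets\n", policy, dropped }'
}

# Rules that never saw a packet: when the policy counter keeps climbing while
# these stay at zero, the traffic is not hitting the rule meant to accept it.
unreached_rules() {
    audit_input_chain | awk '/^rule / && $3 == "0" { print }'
}

# Packets the default policy has dropped (35 in the sample).
policy_drop_count() {
    audit_input_chain | awk '/^policy / { print $4 }'
}

printf '%s\n' "$SAMPLE" | audit_input_chain
printf '%s\n' "$SAMPLE" | unreached_rules
```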