http://ebtables.sourceforge.net/br_fw_ia/br_fw_ia.html#section6
--
Hans Kokx

On Wednesday, December 26, 2012 at 9:19 AM, Robin Wood wrote:
>
> On Dec 26, 2012 2:11 PM, "Hans Kokx" <[email protected]> wrote:
> >
> > I don't think that's true, Robin. When I worked at Barracuda, I supported their web filter. It had a bridged interface, exclusively. It also used iptables for all the rules.
>
> If you can suggest a working rule I'll happily be proved wrong.
>
> From reading about ebtables it operates at a lower level so can hit the bridge.
>
> Robin
>
> > --
> > Hans Kokx
> >
> > On Wednesday, December 26, 2012 at 4:11 AM, Robin Wood wrote:
> >>
> >> On Dec 26, 2012 4:41 AM, "Nik" <[email protected]> wrote:
> >> >
> >> > You can create bridge interface with "brctl" and manage traffic on it with iptables...
> >>
> >> I'm looking for the rule to do what I need, everything else is already in place.
> >>
> >> As far as I can tell iptables doesn't work on bridges.
> >>
> >> Robin
> >>
> >> > 2012/12/24 Robin Wood <[email protected]>:
> >> > > On 24 December 2012 18:09, Robin Wood <[email protected]> wrote:
> >> > >> On 23 December 2012 23:50, Robin Wood <[email protected]> wrote:
> >> > >>> Hi
> >> > >>>
> >> > >>> I need an IP tables rule that will catch all traffic going over a network bridge and send anything destined to port 80 to 8080. As the proxy that will be listening on port 8080 will modify some traffic to make it request from the IP of the local machine I'll need the rule to ignore requests to port 80 on the IP of the localhost.
> >> > >>>
> >> > >>> This is what I tried as this works with IP forwarding for things like ARP spoofing but this doesn't work in this instance, I think because there is no routing going on, the traffic is just being passed straight through.
> >> > >>>
> >> > >>> iptables -t nat -A PREROUTING -p tcp --destination-port 80 ! -d <local-IP> -j REDIRECT --to-port 8080
> >> > >>>
> >> > >>> With this rule in place, if I drop the -d I can get pages being requested from the web server on the local machine to be bounced through the proxy.
> >> > >>>
> >> > >>> How do I do it?
> >> > >>>
> >> > >>> Got a few good tools going to be based on this if I can get it to work
> >> > >>
> >> > >> A few people have suggested things but none have worked so far. To work out which chain will affect things I've just tried the following:
> >> > >>
> >> > >> iptables -A INPUT -p tcp --dport 80 -j DROP
> >> > >> iptables -A OUTPUT -p tcp --dport 80 -j DROP
> >> > >> iptables -A FORWARD -p tcp --dport 80 -j DROP
> >> > >>
> >> > >> Which I think should drop all traffic heading towards port 80 but even with those rules in place I'm still able to surf through the bridge.
> >> > >>
> >> > >> From a previous project I have a feeling that having iptables affect bridge traffic is hard. If the device was routing traffic then the above rules should work but as it is just bridging then it isn't working.
> >> > >>
> >> > >> Robin
> >> > >
> >> > > I've remembered what I should be doing, I need ebtables not iptables.
> >> > >
> >> > > http://ebtables.sourceforge.net/br_fw_ia/br_fw_ia.html
> >> > >
> >> > > That should get me in the middle.
> >> > >
> >> > > Robin
_______________________________________________
Pauldotcom mailing list
[email protected]
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
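As an added example that is not part of the thread above (nor taken from the ebtables document it links), here is the recipe the question is asking for, together with the check that explains why the three DROP rules had no visible effect. The point it shows: a Linux bridge only hands bridged IPv4 frames to iptables when the bridge-netfilter hook is on (net.bridge.bridge-nf-call-iptables = 1, provided by br_netfilter, which is a separate module on kernels from 3.18 on and part of the bridge module before that). With the hook off, PREROUTING, FORWARD and friends never see the traffic, so neither a DROP nor a REDIRECT can match. With it on, a REDIRECT in nat PREROUTING on the bridge device delivers the redirected connection to the local proxy. The bridge name br0, the local address 192.0.2.10, the port 8080 and the function names are assumptions for the example; the iptables listing used for the self-check is constructed, not captured from a real machine.

```shell
#!/bin/sh
# Added example, not from the thread above or from the ebtables documentation:
# intercept HTTP crossing a Linux bridge and hand it to a local proxy.
# Assumed names (placeholders): bridge device br0, the box's own IP
# 192.0.2.10, proxy on TCP 8080. Override them through the environment.
BRIDGE=${BRIDGE:-br0}
LOCAL_IP=${LOCAL_IP:-192.0.2.10}
PROXY_PORT=${PROXY_PORT:-8080}

# Print the commands instead of running them, so the rule set can be reviewed
# (or diffed against iptables-save output) before touching a live box.
# '! -d $LOCAL_IP' keeps requests aimed at the box's own web server out of
# the proxy, as the original question requires.
bridge_proxy_rules() {
  printf '%s\n' \
    "modprobe br_netfilter 2>/dev/null || true" \
    "sysctl -w net.bridge.bridge-nf-call-iptables=1" \
    "iptables -t nat -A PREROUTING -i $BRIDGE -p tcp --dport 80 ! -d $LOCAL_IP -j REDIRECT --to-ports $PROXY_PORT"
}

# Run the commands above one by one, echoing each before it executes.
apply_bridge_proxy_rules() {
  bridge_proxy_rules | while IFS= read -r cmd; do
    printf '+ %s\n' "$cmd"
    sh -c "$cmd" || exit 1
  done
}

# Is the kernel handing bridged IPv4 frames to iptables right now? The sysctl
# file path is a parameter so the check can be exercised against a test file.
bridge_nf_enabled() {
  f=${1:-/proc/sys/net/bridge/bridge-nf-call-iptables}
  [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# Sum the packet counters of REDIRECT rules in the output of
# 'iptables -t nat -L PREROUTING -v -n -x' read from stdin. A counter that
# stays at 0 while clients browse through the bridge means the rule is not
# seeing bridged traffic at all, the same symptom the DROP test showed.
redirect_hits() {
  awk '$3 == "REDIRECT" { n += $1 } END { print n + 0 }'
}

# Constructed sample listing (not captured from a real box) for a self-check.
SAMPLE_LISTING='Chain PREROUTING (policy ACCEPT 12 packets, 720 bytes)
    pkts      bytes target     prot opt in     out     source               destination
      37       2220 REDIRECT   tcp  --  br0    *       0.0.0.0/0           !192.0.2.10           tcp dpt:80 redir ports 8080'

case "${1:-}" in
  apply)
    apply_bridge_proxy_rules
    bridge_nf_enabled || echo "warning: bridge-nf-call-iptables is not 1; bridged traffic will bypass the rule" >&2 ;;
  check)
    iptables -t nat -L PREROUTING -v -n -x | redirect_hits ;;
  *)
    bridge_proxy_rules ;;   # default: dry run, just show the rules
esac
```

Run it with no argument to see the rules, `apply` (as root) to install them, and `check` afterwards to read the REDIRECT counter while a client behind the bridge loads a page. Two caveats for a real deployment: turning on bridge-nf-call-iptables sends every bridged IPv4 frame through the filter table too, so an existing FORWARD policy that was harmless on a transparent bridge suddenly applies to it; and if you prefer to leave that sysctl off, ebtables can instead pull only the port-80 frames out of the bridge with a `redirect` target in the `broute` table, in which case the iptables rule must match the physical port (for example `-i eth0`) rather than `br0`, because brouted frames enter the IP stack from the port device.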
