This is long I appreciate you patience.
I am using squid in a Linux box setting up as a bridge, and have
set up ebtables and iptables following the documentation
available on the Net :-
ebtables -t broute -A BROUTING -p IPv4 --ip-protocol 6 \
--ip-destination-port 80 -j redirect --redirect-target ACCEPT
iptables -t tproxy -A PREROUTING -i br0 -p tcp --dport 80 \
-j TPROXY --on-port 80
# this don't seem to have impact by I have put in anyway
for i in /proc/sys/net/ipv4/conf/*/rp_filter
do
echo 0 > $i
done
On a brief glance it seems it's working properly but upon detail
investigation,
there are some issues.
This is my observation :-
If I place the Bridge/Squid S in a subnet A before the default internet
gateway D, then all the machines inside the same subnet A can be
serviced by the squid cache engine. Sniffing confirmed that the source
IP has been spoofed by Bridge/Squid S.
However, if there is a subnet B, which is connected to subnet A, via
a router R, then all the machines inside subnet B will have problem
getting the http reply packets but http request packets have no
problem going out.
Note that none-http packets because it has not been redirected by the
ebtable rules, have no problem at all. This shows that the routing
outside of the Bridge/Squid, have all been set up correctly.
Then I added a route inside the Bridge/Squid S for the subnet B via
router R, then the web request/reply problem is solved.
It seems then to me that the http reply ( source port 80 ) has also be
directed ***INTO*** the Bridge/Squid S. Why is that so ? Why didn't the
Bridge/Squid forward the reply packet to the other side of the
interface ?
I am looking for something more transparent. Any insight is much
appreciated.
p/s :-
The logs I capture using tcpdump on the squid machine before and after I
added the route. Network B 10.6.1.0/24, Network A 192.168.128.0/18,
Router R 10.6.1.1<-->192.168.128.50, Squid 192.168.128.20.
Before :-
squid:~> tcpdump -ni br0 host 10.6.1.2 and port 80
tcpdump: WARNING: br0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on br0, link-type EN10MB (Ethernet), capture size 68 bytes
09:06:12.974206 IP 10.6.1.2.39895 > 192.168.128.20.80: S
3302818155:3302818155(0) win 5840 <mss 1460,sackOK,timestamp 13603778[|tcp]>
09:06:12.974252 IP 66.249.89.99.80 > 10.6.1.2.39895: S
3648928734:3648928734(0) ack 3302818156 win 5792 <mss 1460,sackOK,timestamp
18102136[|tcp]>
09:06:15.974464 IP 10.6.1.2.39895 > 192.168.128.20.80: S
3302818155:3302818155(0) win 5840 <mss 1460,sackOK,timestamp 13604528[|tcp]>
09:06:15.974492 IP 66.249.89.99.80 > 10.6.1.2.39895: S
3648928734:3648928734(0) ack 3302818156 win 5792 <mss 1460,sackOK,timestamp
18102886[|tcp]>
09:06:16.233344 IP 66.249.89.99.80 > 10.6.1.2.39893: S
3551948981:3551948981(0) ack 3215288824 win 5792 <mss 1460,sackOK,timestamp
18102951[|tcp]>
0
squid:~> tcpdump -ni eth0 host 10.6.1.2 and port 80
tcpdump: WARNING: eth0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 68 bytes
09:03:46.982444 IP 66.249.89.104.80 > 10.6.1.2.48082: S
3479803592:3479803592(0) ack 3133545990 win 5792 <mss 1460,sackOK,timestamp
18065645[|tcp]>
09:03:49.982585 IP 66.249.89.104.80 > 10.6.1.2.48082: S
3479803592:3479803592(0) ack 3133545990 win 5792 <mss 1460,sackOK,timestamp
18066395[|tcp]>
09:03:50.334072 IP 66.249.89.104.80 > 10.6.1.2.48082: S
3479803592:3479803592(0)
squid:~> tcpdump -ni eth0 host 10.6.1.2 and port 80
tcpdump: WARNING: eth0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 68 bytes
09:03:46.982444 IP 66.249.89.104.80 > 10.6.1.2.48082: S
3479803592:3479803592(0) ack 3133545990 win 5792 <mss 1460,sackOK,timestamp
18065645[|tcp]>
09:03:49.982585 IP 66.249.89.104.80 > 10.6.1.2.48082: S
3479803592:3479803592(0) ack 3133545990 win 5792 <mss 1460,sackOK,timestamp
18066395[|tcp]>
09:03:50.334072 IP 66.249.89.104.80 > 10.6.1.2.48082: S
3479803592:3479803592(0)
After I added a route :-
squid:~> ip route add 10.6.1.0/24 via 192.168.128.50
squid:~> tcpdump -ni br0 host 10.6.1.2 and port 80
tcpdump: WARNING: br0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on br0, link-type EN10MB (Ethernet), capture size 68 bytes
09:12:55.957274 IP 10.6.1.2.47574 > 192.168.128.20.80: S
3726051898:3726051898(0) win 5840 <mss 1460,sackOK,timestamp 13704510[|tcp]>
09:12:55.957398 IP 66.249.89.147.80 > 10.6.1.2.47574: S
4058179260:4058179260(0) ack 3726051899 win 5792 <mss 1460,sackOK,timestamp
18202862[|tcp]>
09:12:55.957777 IP 10.6.1.2.47574 > 192.168.128.20.80: . ack 4058179261 win
92 <nop,nop,timestamp 13704510 18202862>
squid:~> tcpdump -ni eth0 host 10.6.1.2 and port 80
tcpdump: WARNING: eth0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 68 bytes
09:12:55.962016 IP 10.6.1.2.43328 > 66.249.89.99.80: S
4071804540:4071804540(0) win 5840 <mss 1460,sackOK,timestamp 18202863[|tcp]>
09:12:56.403123 IP 66.249.89.99.80 > 10.6.1.2.43328: S
3907206245:3907206245(0) ack 4071804541 win 8472 <mss
1412,nop,nop,sackOK,nop,wscale 0,nop,nop,[|tcp]>
squid:~> tcpdump -ni eth0 host 10.6.1.2 and port 80 tcpdump: WARNING: eth0:
no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 68 bytes
09:12:55.962016 IP 10.6.1.2.43328 > 66.249.89.99.80: S
4071804540:4071804540(0) win 5840 <mss 1460,sackOK,timestamp 18202863[|tcp]>
09:12:56.403123 IP 66.249.89.99.80 > 10.6.1.2.43328: S
3907206245:3907206245(0) ack 4071804541 win 8472 <mss
1412,nop,nop,sackOK,nop,wscale 0,nop,nop,[|tcp]>
09:12:56.403155 IP 10.6.1.2.43328 > 66.249.89.99.80: . ack 1 win 46
<nop,nop,timestamp 18202973 41623216>
09:12:56.403560 IP 10.6.1.2.43328 > 66.249.89.99.80: P 1:1400(1399) ack 1
win 46 <nop,nop,timestamp 18202974 41623216>
0
Received on Thu Jul 05 2007 - 19:35:55 MDT
This archive was generated by hypermail pre-2.1.9 : Wed Aug 01 2007 - 12:00:03 MDT