Hi Amos,
I already found solution from balabit mailing list,
here additional step
ebtables -t broute -I BROUTING -p ipv4 --ip-proto tcp --ip-dport 80
-j redirect --redirect-target DROP
ebtables -t broute -I BROUTING -p ipv4 --ip-proto tcp --ip-sport 80 -j
redirect --redirect-target DROP
cd /proc/sys/net/bridge/
for i in *
do
echo 0 > $i
done
unset i
And it works.
I think above step need to added to wiki for bridge case.
Thanks.
On Wed, Jul 8, 2009 at 1:07 PM, Amos Jeffries<squid3_at_treenet.co.nz> wrote:
> johan firdianto wrote:
>>
>> You're right Jefrries,
>>
>> after compiling connection tracking NAT, it doesn't make sense.
>> I mean, i can't see my browsing log in access.log
>> no error in cache.log
>> counter iptables is incrementing. But I still can browse. When i dump
>> the packet, no header squid appended at response, so the response
>> didn't come from squid.
>> how to check that packet from iptables hits squid ?.
>> or in bridging environment need different solution ?
>
>
> Looking for an answer for you I found an old tutorial that may still have
> some relevance. The rest is long and non-relevant so I quote the bridging
> portion:
>
> "Bridge Setup
>
> We configure our system as a network bridge, which means that it sits
> between two physical devices on our network and relays the packets between
> them. However, there's a twist: we intercept certain packets (those destined
> for port 80) and shunt them to Squid for processing.
>
> You'll need two ethernet cards in your machine to bridge between (one "in"
> and one "out", as it were). You can use another card for a management IP
> address, or you can actually assign an address to the bridge itself and
> reach the machine just as you would a "real" interface.
>
> In order to set up the bridge, we need to make a few tweaks to the system.
> First, we need to install some software that's necessary for setting up a
> bridge:
>
> apt-get install bridge-utils
>
> Next, edit /etc/network/interfaces. You should already have a stanza for a
> statically configured interface (e.g., eth0). Keep the settings for the
> stanza, but replace the interface name with br0. Also, add the line
> bridge_ports ethXXX ethYYY to add them to the bridge. For example:
>
> auto br0
> iface br0 inet static
> bridge_ports eth0 eth1
> address 192.168.0.100
> netmask 255.255.255.0
> gateway 192.168.0.1
>
> Additionally, if your setup is like ours you'll need to add some routing to
> the box so it knows where to send packets. Our Squid box sits just between
> our firewall/router and LAN. Thus, it needs to be told how to route packets
> to the LAN and packets to the outside world. We do this by specifying the
> firewall as the "gateway" in the interfaces file, and adding a static route
> for our LAN. Thus, you would add the following lines to
> /etc/network/interfaces in the br0 stanza:
>
> up route add -net 192.168.1.0/24 gw 192.168.1.1
> down route del -net 192.168.1.1/24 gw 192.168.1.1
>
> We'll need to tell the kernel that we're going to forward packets, so make
> sure the following are set in /etc/sysctl.conf:
>
> net.ipv4.conf.default.rp_filter=1
> net.ipv4.conf.default.forwarding=1
> net.ipv4.conf.all.forwarding=1
>
> Once you're all set, the easiest thing to do is reboot for the bridge config
> to take effect. The other settings should now be working also. cat
> /proc/sys/net/ipv4/ip_forward to confirm that the machine is in forwarding
> mode.
> "
>
> iptables appeared to be setup as per normal on top of that.
>
> Amos
> --
> Please be using
> Current Stable Squid 2.7.STABLE6 or 3.0.STABLE16
> Current Beta Squid 3.1.0.9
>
Received on Wed Jul 08 2009 - 06:21:30 MDT
This archive was generated by hypermail 2.2.0 : Wed Jul 08 2009 - 12:00:03 MDT