johan firdianto wrote:
> Hi Amos,
>
> I already found solution from balabit mailing list,
> here additional step
>
> ebtables -t broute -I BROUTING -p ipv4 --ip-proto tcp --ip-dport 80
> -j redirect --redirect-target DROP
> ebtables -t broute -I BROUTING -p ipv4 --ip-proto tcp --ip-sport 80 -j
> redirect --redirect-target DROP
>
> cd /proc/sys/net/bridge/
> for i in *
> do
> echo 0 > $i
> done
> unset i
>
> And it works.
> I think above step need to added to wiki for bridge case.
> Thanks.
Aha, just found that in my mail archives from a week ago too.
The Balabit message from 'trasor'?
He was seeing noticeable speed issues, how are you finding it?
Amos
>
>
> On Wed, Jul 8, 2009 at 1:07 PM, Amos Jeffries<squid3_at_treenet.co.nz> wrote:
>> johan firdianto wrote:
>>> You're right Jefrries,
>>>
>>> after compiling connection tracking NAT, it doesn't make sense.
>>> I mean, i can't see my browsing log in access.log
>>> no error in cache.log
>>> counter iptables is incrementing. But I still can browse. When i dump
>>> the packet, no header squid appended at response, so the response
>>> didn't come from squid.
>>> how to check that packet from iptables hits squid ?.
>>> or in bridging environment need different solution ?
>>
>> Looking for an answer for you I found an old tutorial that may still have
>> some relevance. The rest is long and non-relevant so I quote the bridging
>> portion:
>>
>> "Bridge Setup
>>
>> We configure our system as a network bridge, which means that it sits
>> between two physical devices on our network and relays the packets between
>> them. However, there's a twist: we intercept certain packets (those destined
>> for port 80) and shunt them to Squid for processing.
>>
>> You'll need two ethernet cards in your machine to bridge between (one "in"
>> and one "out", as it were). You can use another card for a management IP
>> address, or you can actually assign an address to the bridge itself and
>> reach the machine just as you would a "real" interface.
>>
>> In order to set up the bridge, we need to make a few tweaks to the system.
>> First, we need to install some software that's necessary for setting up a
>> bridge:
>>
>> apt-get install bridge-utils
>>
>> Next, edit /etc/network/interfaces. You should already have a stanza for a
>> statically configured interface (e.g., eth0). Keep the settings for the
>> stanza, but replace the interface name with br0. Also, add the line
>> bridge_ports ethXXX ethYYY to add them to the bridge. For example:
>>
>> auto br0
>> iface br0 inet static
>> bridge_ports eth0 eth1
>> address 192.168.0.100
>> netmask 255.255.255.0
>> gateway 192.168.0.1
>>
>> Additionally, if your setup is like ours you'll need to add some routing to
>> the box so it knows where to send packets. Our Squid box sits just between
>> our firewall/router and LAN. Thus, it needs to be told how to route packets
>> to the LAN and packets to the outside world. We do this by specifying the
>> firewall as the "gateway" in the interfaces file, and adding a static route
>> for our LAN. Thus, you would add the following lines to
>> /etc/network/interfaces in the br0 stanza:
>>
>> up route add -net 192.168.1.0/24 gw 192.168.1.1
>> down route del -net 192.168.1.1/24 gw 192.168.1.1
>>
>> We'll need to tell the kernel that we're going to forward packets, so make
>> sure the following are set in /etc/sysctl.conf:
>>
>> net.ipv4.conf.default.rp_filter=1
>> net.ipv4.conf.default.forwarding=1
>> net.ipv4.conf.all.forwarding=1
>>
>> Once you're all set, the easiest thing to do is reboot for the bridge config
>> to take effect. The other settings should now be working also. cat
>> /proc/sys/net/ipv4/ip_forward to confirm that the machine is in forwarding
>> mode.
>> "
>>
>> iptables appeared to be setup as per normal on top of that.
>>
>> Amos
>> --
>> Please be using
>> Current Stable Squid 2.7.STABLE6 or 3.0.STABLE16
>> Current Beta Squid 3.1.0.9
>>
-- Please be using Current Stable Squid 2.7.STABLE6 or 3.0.STABLE16 Current Beta Squid 3.1.0.9Received on Wed Jul 08 2009 - 06:28:31 MDT
This archive was generated by hypermail 2.2.0 : Wed Jul 08 2009 - 12:00:03 MDT