Re: [squid-users] Re: Squid + DansGuardian + Bridging

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Wed, 25 Sep 2013 18:28:02 +1200

On 25/09/2013 5:37 a.m., psd17j-jacob wrote:
> Hey guys,
>
> Thanks for all the suggestions and feedback. I really appreciate your time.
> I'd like to stick to (attempting) to use DG because I've already come so
> far. It just seems to be this little bridge issue. I followed the link and
> added the following lines:
>
> ebtables -t broute -A BROUTING -i eth1 -p ipv4 --ip-proto tcp --ip-dport 80
> -j redirect --redirect-target DROP
>
> ebtables -t broute -A BROUTING -i eth0 -p ipv6 --ip6-proto tcp --ip6-sport
> 80 -j redirect --redirect-target DROP
>
> ebtables -t broute -A BROUTING -i eth0 -p ipv4 --ip-proto tcp --ip-sport 80
> -j redirect --redirect-target DROP
>
>
> unfortunately that did not help. Do you have any other suggestions as to
> what may help? The current rules are:
>
> ebtables:
>
> :BROUTING ACCEPT
> -A BROUTING -p IPv4 --ip-proto tcp --ip-dport 80 -j redirect
> -A BROUTING -p IPv4 --ip-proto tcp --ip-dport 443 -j redirect
Try removing these top ones. They overlap and likely clash with the rest.

> -A BROUTING -p IPv4 -i eth1 --ip-proto tcp --ip-dport 80 -j redirect
> --redirect-target DROP
> -A BROUTING -p IPv6 -i eth0 --ip6-proto tcp --ip6-sport 80 -j redirect
> --redirect-target DROP
> -A BROUTING -p IPv4 -i eth0 --ip-proto tcp --ip-sport 80 -j redirect
> --redirect-target DROP

Double-check those interface names.

> iptables:
>
> :OUTPUT ACCEPT [3:228]
> -A PREROUTING -i br0.9 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
> -A PREROUTING -i br0.9 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8080

I think you can drop the interface names here. The routing rules never
get to see any bridged packets, so only the ones which the ebtables
rules DROP will ever get here.
"br0.9" looks like an alias to me, which do not actually exist outside
of ifconfig's display, so removing that will likely produce a rule that
matches the real interface on packets.

> -A PREROUTING -p tcp -m tcp --dport 3128 -j REDIRECT --to-ports 8080
>

Amos
Received on Wed Sep 25 2013 - 06:28:10 MDT
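
Added example (not part of the original thread): a small lint for the two BROUTING checks raised in the reply, namely earlier rules that overlap later ones and `-i` names that need double-checking. It assumes the rules are saved one per line as option/value pairs with no `!` negation; `parse_rule`, `lint` and `local_interfaces` are hypothetical helper names.

```python
import os

# Constructed sample: the BROUTING rules quoted in the message, one per line.
SAMPLE_RULES = """\
-A BROUTING -p IPv4 --ip-proto tcp --ip-dport 80 -j redirect
-A BROUTING -p IPv4 --ip-proto tcp --ip-dport 443 -j redirect
-A BROUTING -p IPv4 -i eth1 --ip-proto tcp --ip-dport 80 -j redirect --redirect-target DROP
-A BROUTING -p IPv6 -i eth0 --ip6-proto tcp --ip6-sport 80 -j redirect --redirect-target DROP
-A BROUTING -p IPv4 -i eth0 --ip-proto tcp --ip-sport 80 -j redirect --redirect-target DROP
"""

TARGET_KEYS = {"-j", "--redirect-target"}


def parse_rule(line):
    """Return (match options, all options) for one '-A CHAIN ...' line."""
    tokens = line.split()[2:]  # drop '-A' and the chain name
    opts = dict(zip(tokens[0::2], tokens[1::2]))  # assumes option/value pairs
    match = {k: v.lower() for k, v in opts.items() if k not in TARGET_KEYS}
    return match, opts


def lint(rules_text, interfaces):
    """List (rule number, problem) for unknown -i names and shadowed rules."""
    findings, earlier_rules, number = [], [], 0
    for line in rules_text.splitlines():
        if not line.startswith("-A "):
            continue
        number += 1
        match, opts = parse_rule(line)
        iface = opts.get("-i")
        if iface and iface not in interfaces:
            findings.append((number, f"interface {iface} not present"))
        # Rules are tried in order; an earlier terminating rule whose matches
        # are a subset of this rule's matches catches every frame first.
        for prev_number, prev_match in earlier_rules:
            if prev_match.items() <= match.items():
                findings.append((number, f"shadowed by rule {prev_number}"))
                break
        if "CONTINUE" not in (opts.get("-j"), opts.get("--redirect-target")):
            earlier_rules.append((number, match))
    return findings


def local_interfaces():
    """Names the kernel actually has (Linux only)."""
    path = "/sys/class/net"
    return set(os.listdir(path)) if os.path.isdir(path) else set()


if __name__ == "__main__":
    for number, problem in lint(SAMPLE_RULES, local_interfaces()):
        print(f"rule {number}: {problem}")
```

On the sample, the interface-specific port 80 rule is reported as shadowed by the first generic rule; with the two generic rules removed the lint reports nothing.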