Configuring a Transparent Proxy/Webcache in a Bridge using Squid and ebtables
by Ariel Molina Rueda, in Tutorials - Sat, Jan 1st 2005 00:00 UTC

A proxy/Webcache is a computer which sits between your LAN and your Internet connection, usually in the gateway. Its job is to capture and save every Web page that the client machines in your LAN visit, so that the next time someone requests a page, the proxy/Webcache already has it and sends it to the client. This saves bandwidth and usually speeds Web navigation.



A bridge works exactly like a two-port switch. It passes everything from one port to the other, but if we have a Linux box acting like a switch, we can do wonderful things, because we actually "see" the traffic.

Why would I need a bridge with Squid?

There are some cases in which you do not have access to the gateway, or your gateway is a piece of dedicated hardware. Furthermore, if a bridge is used, you do not have to change anything in your network, just plug in the bridge and start working. If the Linux box acting as a proxy/Webcache is eaten by a big green monster, you can just reconnect the cables, and everything goes back to normal until you replace it.

Remember to document where in your network the bridge is. Bridges do not appear in traceroutes, and that may be a bit confusing and hard to locate in a big network.

Ok, let's start.

Setting up Squid

First, get squid running. There is a lot of documentation in the Squid distribution, so I won't cover basic configuration here. On my Fedora box, I just installed the rpm, and that was all.

Check that the following lines are present in /etc/squid/squid.conf:

httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

Also check that your network appears in the ACLs section. For example, if your network is 192.168.1.0 netmask 255.255.255.0, use:

acl our_networks src 192.168.1.0/24

For testing, you may omit the "acl" line and just comment this:

http_access deny all

and use this instead:

http_access allow all

Be careful if you don't want to allow everyone to use your Webcache. I recommend using this configuration only for testing.

Start squid. In Fedora, you can use:

bash# service squid start

Other distributions may use:

bash# /etc/init.d/squid start

or you can start it manually. The first time you run it, it will take a few moments to build its cache files. Be patient.

In Fedora, let's make sure squid starts automatically:

bash# chkconfig squid on

Configuring the bridge

This couldn't be easier:

ifconfig eth0 0.0.0.0 promisc up
ifconfig eth1 0.0.0.0 promisc up

brctl addbr br0
brctl addif br0 eth0
brctl addif br0 eth1

ifconfig br0 200.1.2.3 netmask 255.255.255.0 up
route add default gw 200.1.2.254 dev br0

Potential Pitfall:

If your PC locks or kernel panics, it's because you have a bad network adapter card. Most cheap motherboards have a bad integrated NIC. Just get a better NIC; even an old Realtek should work fine.

In this example, I assume you are using eth0 and eth1. In the ifconfig line, I assigned IP address 200.1.2.3 to the bridge so I can access it remotely. Use an IP address in your network. Don't forget it; you will need it later.

You may check that the bridge is working by using tcpdump:

bash# tcpdump -n -i eth0
    ... (lots of funny stuff) ...
bash# tcpdump -n -i eth1
    ... (lots of funny stuff) ...

Plug your machine into the network, and everything should work. Your Linux box is now a big, expensive two-port switch.

Configuring transparent redirection

We're able to see all the traffic in our network, because we are in the middle. Now we want to catch Web traffic and redirect it directly into Squid.

First, let's see if squid is correctly configured.

Go to a PC in your LAN and manually configure a proxy. If you use Firefox, for example, go to the Edit menu and select Preferences. Select General and click "Connection Settings", choose "Manual Proxy Configuration", and enter the IP address of your bridge. The port is 3128, unless you have changed it.

Try surfing the Web. If it works, you have squid running and working as desired. Now we'll move on to the fun stuff and build a "brouter".

First, install ebtables on the bridge machine. Then, just run these two commands:

bash# ebtables -t broute -A BROUTING -p IPv4 --ip-protocol 6 \
        --ip-destination-port 80 -j redirect --redirect-target ACCEPT

bash# iptables -t nat -A PREROUTING -i br0 -p tcp --dport 80 \
        -j REDIRECT --to-port 3128

The first command says that packets passing through the bridge going to port 80 will be redirected to the local machine, instead of being bridged. The second uses iptables to redirect those packets to local port 3128, so squid can take care of them.

Check squid's log to see whether you're catching traffic:

bash# tail -f /var/log/squid/access.log

You should see a lot of "[x]__HIT" messages, meaning that all that content is being caught.
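As an added example (not part of the original article), here is a small Python script that parses Squid's native access.log format and reports two things this tutorial tells you to watch for: the HIT/MISS ratio that shows the cache is actually catching traffic, and requests from clients outside the our_networks ACL, which is the situation the "http_access allow all" warning above is about. The log lines, the 192.168.1.0/24 network and the example.com URLs are constructed sample data; adjust OUR_NETWORKS to match your squid.conf.

```python
"""
Audit a Squid access.log (native format) from a transparent bridge cache.

Added example; not part of the original article. Native format is:
  timestamp elapsed client code/status bytes method URL rfc931 hierarchy/peer type
"""
import ipaddress
from collections import Counter

# Constructed sample log lines (not taken from a real deployment).
SAMPLE_LOG = """\
1104537600.123    245 192.168.1.20 TCP_MISS/200 4213 GET http://example.com/ - DIRECT/93.184.216.34 text/html
1104537601.456      3 192.168.1.21 TCP_HIT/200 4213 GET http://example.com/ - NONE/- text/html
1104537602.789      2 192.168.1.22 TCP_MEM_HIT/200 1290 GET http://example.com/logo.png - NONE/- image/png
1104537603.001    311 192.168.1.20 TCP_MISS/503 1484 GET http://www.yahoomail.com/ - NONE/- text/html
1104537604.500     40 203.0.113.7 TCP_MISS/200 9001 GET http://example.org/ - DIRECT/93.184.216.34 text/html
1104537605.250     12 192.168.1.23 TCP_DENIED/403 1430 GET http://freshmeat.net - NONE/- text/html
"""

# The network the tutorial's "acl our_networks src 192.168.1.0/24" permits (assumed).
OUR_NETWORKS = [ipaddress.ip_network("192.168.1.0/24")]


def parse_native_line(line):
    """Split one native-format access.log line into a dict; None for junk lines."""
    fields = line.split()
    if len(fields) < 10:
        return None
    result_code, _, status = fields[3].partition("/")   # e.g. TCP_HIT/200
    hierarchy, _, peer = fields[8].partition("/")       # e.g. DIRECT/93.184.216.34
    return {
        "timestamp": float(fields[0]),
        "elapsed_ms": int(fields[1]),
        "client": fields[2],
        "result": result_code,
        "status": int(status) if status.isdigit() else None,
        "bytes": int(fields[4]),
        "method": fields[5],
        "url": fields[6],
        "hierarchy": hierarchy,
        "peer": peer,
        "type": fields[9],
    }


def parse_log(text):
    """Parse every well-formed line of an access.log body."""
    return [r for r in (parse_native_line(l) for l in text.splitlines()) if r]


def cache_summary(records):
    """Count result codes; hit ratio is over *HIT* and *MISS* results only."""
    counts = Counter(r["result"] for r in records)
    hits = sum(v for k, v in counts.items() if "HIT" in k)
    misses = sum(v for k, v in counts.items() if "MISS" in k)
    total = hits + misses
    return {
        "results": dict(counts),
        "hits": hits,
        "misses": misses,
        "hit_ratio": (hits / total) if total else 0.0,
    }


def foreign_clients(records, allowed=OUR_NETWORKS):
    """Client IPs not inside any allowed network: the cache is reachable from outside."""
    foreign = set()
    for r in records:
        try:
            ip = ipaddress.ip_address(r["client"])
        except ValueError:
            continue  # hostnames or garbage in the client column are skipped
        if not any(ip in net for net in allowed):
            foreign.add(r["client"])
    return sorted(foreign)


def audit(text, allowed=OUR_NETWORKS):
    """Full report for one access.log body."""
    records = parse_log(text)
    return {
        "records": len(records),
        "summary": cache_summary(records),
        "foreign_clients": foreign_clients(records, allowed),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_LOG)
    s = report["summary"]
    print(f"{report['records']} requests, {s['hits']} hits, {s['misses']} misses, "
          f"hit ratio {s['hit_ratio']:.0%}")
    for client in report["foreign_clients"]:
        print(f"WARNING: request from {client} is outside our_networks; "
              f"check your http_access rules")
```

Point it at the real file with `audit(open("/var/log/squid/access.log").read())`; a non-empty foreign_clients list after you have restored "http_access deny all" means the ACLs do not cover all the hosts actually using the cache.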

Congratulations, you have a Transparent Proxy/Webcache!

Fine Tuning

You may want to fine-tune squid, adjusting how much memory or disk space it will use. Just edit /etc/squid/squid.conf.

Remember to create the ACLs (Access Control Lists) for your networks.

You may want to have a script to set up all of this at boot. Use something like this:

#!/bin/sh
# Bring both NICs up without an address and in promiscuous mode, so the bridge sees every frame.
ifconfig eth0 0.0.0.0 promisc up
ifconfig eth1 0.0.0.0 promisc up

# Create the bridge and attach both interfaces to it.
brctl addbr br0
brctl addif br0 eth0
brctl addif br0 eth1

# Give the bridge itself an address (one from your network) so it can be managed remotely.
ifconfig br0 200.1.2.3 netmask 255.255.255.0 up
route add default gw 200.1.2.254 dev br0

# Pull TCP port 80 frames out of the bridging path so they are routed locally ("brouting")...
ebtables -t broute -A BROUTING -p IPv4 --ip-protocol 6  \
	--ip-destination-port 80 -j redirect --redirect-target ACCEPT
# ...and hand them to squid listening on port 3128.
iptables -t nat -A PREROUTING -i br0 -p tcp --dport 80  \
	-j REDIRECT --to-port 3128

Save it and put it in /var/my-start-scripts/bridgeBrouter-up.sh. chmod it to 0755 and put a line in /etc/rc.local as follows:

/var/my-start-scripts/bridgeBrouter-up.sh

Have fun!


Author's bio:

Ariel Molina Rueda is a 22-year-old student of Mathematics and Physics at the University of Michoacan, Mexico. He likes Linux, wireless technologies, and Open Source, loves freshmeat and Karina. In his free time, he is a private consultant for a mid-sized ISP and other companies in Mexico. His skills include C and PHP coding and network administration, and he has a Master's degree in the art of reading Slashdot. He's still looking for a University at which to study for his Ph.D in Computer Science. He needs to find it soon!



Referenced categories

Topic :: Internet :: Proxy Servers
Topic :: System :: Networking

Referenced projects

ebtables - A filtering tool for a bridging firewall.
Squid - High performance Web proxy cache

Comments

[»] Help Please
by fodde - Oct 11th 2007 00:41:00

Thanks for a great article.

I'm trying to setup squid at my home with 2 lan PC's connecting with DSL to the i-net.

Questions: Does my squid box need 2 network cards?

Should the setup be like this?
^
|
~~~~~~~~~~~~~~~
~(inet ip) DSL Router ~
~ (10.0.0.2)~
~~~~~~~~~~~~~~~
|
~~~~~~~~~~~~
~(eth0 10.0.0.3)~
~ squid ~
~(eth1 10.0.0.4)~
~~~~~~~~~~~~
|
~~~~~~~~~~
~ eth Switch ~
~ 10.0.0.x ~
~~~~~~~~~~
|
LAN Clients

Thanks


    [»] Re: Help Please
    by WhyOldBill - Jan 10th 2008 19:32:41

    You need to follow the instructions in the article exactly if you want to use the IP addresses you are showing for the DSL modem and the PC... i.e. your bridge will NOT have IP addresses assigned to either interface.
    cheers,
    Bill


    > Thanks for a great article.
    >
    > I'm trying to setup squid at my home with 2 lan PC's connecting with DSL to the i-net.
    >
    > Questions: Does my squid box need 2 network cards?
    >
    > Should the setup be like this?
    > ^
    > |
    > ~~~~~~~~~~~~~~~
    > ~(inet ip) DSL Router ~
    > ~ (10.0.0.2)~
    > ~~~~~~~~~~~~~~~
    > |
    > ~~~~~~~~~~~~
    > ~(eth0 10.0.0.3)~
    > ~ squid ~
    > ~(eth1 10.0.0.4)~
    > ~~~~~~~~~~~~
    > |
    > ~~~~~~~~~~
    > ~ eth Switch ~
    > ~ 10.0.0.x ~
    > ~~~~~~~~~~
    > |
    > LAN Clients
    >
    > Thanks


[»] can ping from bridge , hows that ???
by Prakash - Aug 22nd 2007 20:19:53

A bridge shouldn't be able to ping or traceroute.
But mine does. I configured a transparent squid bridge on my FC3 Linux box, and the box is supposed not to be able to ping, or shouldn't be visible to others. But I can browse the Internet and ping as well. Actually I have the following setup:

Gw <---> linux squid bridge <----> clients
(b/w control)

Before I put the bridge in the middle the bandwidth control was great, but after I put in the bridge, the bandwidth control is not good and all the traffic seems to come from the bridge, as if NAT had been done on the bridge.
Please help, what's the problem?


    [»] Re: can ping from bridge , hows that ???
    by WhyOldBill - Jan 10th 2008 19:28:31

    If you have IP Addresses assigned to either (or both) of the eth interfaces, you will be able to ping from the bridge.

    > Bridge shouldn't be able to ping and traceroute.
    > But mine does. I configured a transparent squid bridge in my FC3 linux box. And the box is supposed to not able to ping or shouldn't be visible to others. But i can browse the internet and ping as well. Actually i have following setup :
    >
    > Gw <---> linux squid bridge <----> clients
    > (b/w control)
    >
    > Before i put the bridge in the middle the bandwidth controlling was great but after i put the bridge, the
    > the bw control in not good and all the traffic seems to come from the bridge as if the nating has been done on the bridge.
    > Please help whats the problem


[»] Squid+Bridge
by freebird - Feb 19th 2007 04:58:07

I have configured an FC3 box with squid and iptables pointed to port 3128 as mentioned above. The problem I am facing is: if I connect 3-4 PCs passing through the bridge, the squid/bridge/iptables setup works fine. But when I put on the actual load, users are not able to browse. At the same time, if I try pointing the browser at the cache (even port 80) it works perfectly. Is this a problem with requests generating from public IPs, which hit the cache but do not get resolved? All my PCs use a different DNS server and every IP is public.
1171888657.435 3 (Public ip) TCP_MISS/503 1484 GET http://www.yahoomail.com/ - NONE/- text/html

Squid/iptables were both taken from FC3 itself (builtin).


Please help me out.

--
Regards Sankar


[»] email problem
by Vivek - Dec 12th 2006 03:54:56

Hi Ariel,

Thank you for the guide. I manage a small setup in our building complex in India. The bandwidth terminates onto a linux box running a proprietary bandwidth accounting package. This is connected to 80-odd houses via cascaded switches. I specifically want a transparent bridged caching proxy between the linux box and the internet users, so I connected the additional network card in the linux box into another box running a bridged squid proxy (followed the steps you described) on ubuntu 6.06 server, which in turn is connected to our distribution switch.

Internet<--->linux accounting/NAT<-->bridged squid<--->switch<---->80 houses

However, the users are not able to visit sites like mail.yahoo.com, mail.google.com, rediffmail.com, etc.

There are no mail blocking rules defined and we do not specifically run any filtering or firewalling rules. Could this be an issue with the bridge? Everything works fine as soon as I eliminate the bridge from the network. All the installation on the bridge is default Ubuntu server with the following additional packages:
squid
ebtables
bridge-utils

squid doesn't have any mail blocking rules. I tried masquerading too on the bridged linux machine. All sites work fine (including email) but then my bandwidth accounting goes for a toss.

Thank you once again,
Vivek


    [»] Re: email problem
    by stefanbauer - Dec 21st 2006 14:23:15


    > However the users are not able to visit
    > sites like mail.yahoo.com,
    > mail.google.com, rediffmail.com. etc.
    >
    > there are no mail blocking rules defined
    > and we do not specifically run any
    > filtering or firewalling rules. Could
    > this be an issue with the bridge?


    These sites are running in SSL mode (port 443). You need to grab SSL packets too: ebtables -t broute -A BROUTING -p IPv4 --ip-protocol 6 --ip-destination-port 443 -j redirect --redirect-target ACCEPT

    --
    greetings stefan


[»] howto in germany
by stefanbauer - Oct 3rd 2006 03:46:34

Dear users, thank you for collecting your experience about this topic.

From this I have written a German howto, which is available here:

http://www.plzk.de/archiv/files/docs/Linux-Bridge-Squid-Dansguardian-clamav-HOWTO-2006.html

--
greetings stefan


[»] Dansguardian....
by Jeff Goodman - Sep 10th 2006 18:40:53

I have squid running successfully on fc4 in bridge mode with two interfaces. If I change the iptables statement to port 8080 for dansguardian instead of 3128 for squid, my client can no longer access the internet. Is there something else that needs to be done for this to work? Thanks in advance!


[»] Still doesn't work?
by adambengur - Jul 26th 2006 02:32:46

To all of you who followed the exact steps without getting it to work: switch to Debian with kernel 2.6. I had the same problem installing it on Fedora 4. Good luck!


[»] Having trouble in redirecting port 80 to 3128
by sheesh - Mar 26th 2006 03:28:53

Ariel Molina Rueda
Dear Sir,

I am trying to make a transparent bridge proxy for our ISP. I need to configure it in bridge mode so that no one can trace it. I am using Fedora Core 4. My squid.conf is as below:

http_port 3128
visible_hostname Wipll
cache_mem 100 MB # Testing on a simple machine
maximum_object_size 8000 KB
maximum_object_size_in_memory 2000 KB
cache_dir ufs /var/spool/squid 1000 32 256
acl all src 0.0.0.0/0.0.0.0
http_access allow all
cache_access_log /var/log/squid/access.log
cache_replacement_policy heap LFUDA
memory_replacement_policy heap LFUDA
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

My bridge mode setting script is as below:

ifconfig eth0 0.0.0.0 promisc up
ifconfig eth1 0.0.0.0 promisc up

brctl addbr br0
brctl addif br0 eth0
brctl addif br0 eth1

ifconfig br0 202.6.176.55 netmask 255.255.255.224 up
route add default gw 202.6.176.33 dev br0

ebtables -t broute -A BROUTING -p IPv4 --ip-protocol 6 --ip-destination-port 80 -j redirect --redirect-target ACCEPT

iptables -t nat -A PREROUTING -i br0 -p tcp --dport 80 -j REDIRECT --to-port 3128

The Linux bridge works well. Also, squid is good enough if I put its address in the client browser. But if I don't, the client cannot browse. If I remove the iptables command from the script, the client PC can browse, but directly rather than through the transparent proxy.

I think port redirection is not working properly; whenever I use iptables to redirect port 80 it blocks the port instead of redirecting it to port 3128.

Dear Sir, please help me find a solution. We need to save our bandwidth.

Regards
Sheesh


    [»] Re: Having trouble in redirecting port 80 to 3128
    by sheesh - Mar 26th 2006 04:48:17

    Dear Sir,
    I have also checked my transparent proxy; it works well without bridge mode.

    I need to make it in bridge mode. Please help.
    Regards
    Sheesh
    sheesh@deltasoftbd.com




[»] Problem with return packets from proxy
by Andrew Daviel - Mar 13th 2005 11:04:35

We are running a transparent bridge on an RH7.3 machine with Linux 2.4.21 using brctl. It works fine.
I want to add a transparent proxy to block certain browsers from going to certain sites. It looked like HTTP::Proxy in Perl would work (well, it does, if I can get it to run transparently, either directly or with tproxy). Getting Squid to work transparently seemed a good first step. I initially followed the recipe in http://www.tldp.org/HOWTO/TransparentProxy.html and then the recipe above. I tried squid-2.4.STABLE6 from rpm, and also built squid-2.5.STABLE9 with --enable-linux-netfilter.

Squid works OK.
Capturing packets works OK in UDP - I can capture all traffic to my test port with "nc -u -l -p 9000" on the bridge. But in TCP the replies get lost. If Squid is not running, I get "connection refused". If it's running, the browser (telnet for testing) hangs and I see a TCP reset on the target host apparently coming from the client.

Initially I just had

iptables -t nat -A PREROUTING -i br0 -p tcp --dport 9000 \
-j REDIRECT --to-port 3128

but then tried adding

echo 1 > /proc/sys/net/ipv4/ip_forward
ifup eth0 promisc ; ifup eth1 promisc
ebtables -t broute -A BROUTING -p IPv4 --ip-protocol 6 \
--ip-destination-port 9000 -j redirect --redirect-target ACCEPT
iptables -A INPUT -i br0 -p tcp -d bridge-ip -s 127.0.0.1 \
--dport 3128 -m state --state NEW,ESTABLISHED -j ACCEPT

none of which made any difference.

It seems like I am missing something, but what ?

--
Andrew Daviel TRIUMF - Canada's National Laboratory for Particle and Nuclear Physics


    [»] Re: Problem with return packets from proxy
    by Filipe - Oct 19th 2006 06:23:50

    I'm having the same problems that Andrew related. I verified everything and it's all OK.

    The connections are being redirected by iptables:
    5 240 REDIRECT tcp -- br0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 redir ports 3128

    Squid is getting the connections:
    1161252534.833 49 192.168.0.222 TCP_DENIED/403 1430 GET http://freshmeat.net - NONE/- text/html

    But squid's access denied page doesn't return to the browser. Also, netstat displays data on the send queue of Squid:
    Proto Recv-Q Send-Q Local Address           Foreign Address         State
    tcp        0   1408 192.168.0.220:3128      192.168.0.222:1087      ESTABLISHED

    Note 1408 bytes on the send queue.

    Does anybody know what may be causing this problem?

    Thanks


[»] Dansguardian/Squid/Ebtables
by Mike - Feb 22nd 2005 21:21:01

I currently have a Fedora3 box running the above three products as a Dansguardian Bridge. Since bridging is part of the 2.6 kernel build, it was the easiest to include, and I am currently running with all tables open with:
br0 192.168.250.50/24
eth0 Outer subnetwork
eth1 Inner subnetwork

I then added Squid, and configured it to run as a transparent proxy. The trick here is that I only want the bridge services to be visible to the inner subnet, not to everyone. Based on the sparse documentation that I have been able to find, I assume that I can force Brouting of IPv4 traffic, and use Iptables to do blocking of requests to upstream nodes. The ultimate goal is to add Dansguardian, plus a tight set of iptables rules using the physdev option to create a mostly invisible Bridge Filter that services IP to the inner subnet without hindering the flow of other protocols. If anyone has seen ebtables used like this before I could use a link, because I have found zero articles so far.

Thanks


[»] Strange Problem
by Justin - Feb 15th 2005 20:32:47


Below is what I am using to set up my bridge. When the server boots I can ping/ftp through the router right away. However, trying to ping/ssh/etc. to the bridge IP does not work right away. It seems to take a few minutes, then it starts to work. Any ideas what I might be doing wrong?

e.g. I can ftp to some external server or ping an external server, but can't ping 192.168.2.16 for at least a few minutes after it comes up. Very strange. I don't see why I can't ping or ssh to it if the interfaces are up and working. Thanks,

ifconfig eth0 0.0.0.0 promisc up
ifconfig eth1 0.0.0.0 promisc up

brctl addbr br0
brctl addif br0 eth0
brctl addif br0 eth1

ifconfig br0 192.168.2.16 netmask 255.255.255.0 up
route add default gw 192.168.2.1 dev br0

ebtables -P FORWARD DROP
ebtables -A FORWARD -p IPv4 -j ACCEPT
ebtables -A FORWARD -p ARP -j ACCEPT
ebtables -A FORWARD --log-level info --log-ip --log-prefix EBFW
ebtables -P INPUT DROP
ebtables -A INPUT -p IPv4 -j ACCEPT
ebtables -A INPUT -p ARP -j ACCEPT
ebtables -A INPUT --log-level info --log-ip --log-prefix EBFW
ebtables -P OUTPUT DROP
ebtables -A OUTPUT -p IPv4 -j ACCEPT
ebtables -A OUTPUT -p ARP -j ACCEPT
ebtables -A OUTPUT --log-level info --log-ip --log-arp --log-prefix EBFW -j DROP

iptables -t nat -A PREROUTING -i br0 -p tcp --dport 80 -j REDIRECT --to-port 8080
iptables -t nat -A PREROUTING -i br0 -p tcp --dport 53 -j REDIRECT --to-port 53
iptables -t nat -A PREROUTING -i br0 -p udp --dport 53 -j REDIRECT --to-port 53


    [»] Re: Strange Problem
    by Mike - Feb 22nd 2005 20:01:57

    I remember seeing in the documentation that it will take a while for the bridge software to memorize the MAC addresses of the NIC's that it can find. I believe that this is standard procedure for bridges, and the articles indicate that this results in somewhat slowed responses immediately after startup.


      [»] Re: Strange Problem
      by madloons - May 27th 2005 00:43:38

      I remember seeing in the documentation that it will take a while for the bridge software to memorize the MAC addresses of the NICs that it can find. I believe that this is standard procedure for bridges, and the articles indicate that this results in somewhat slowed responses immediately after startup.

      --
      vegunta


[»] To my surprise, even if I removed the ebtables statement, it still works. Care to comment why ?
by cweng - Feb 14th 2005 19:34:05

To my surprise, even if I removed the ebtables statement, it still works. Care to comment why?
In other words, the following statement is sufficient!

iptables -t nat -A PREROUTING -i br0 -p tcp --dport 80 \
-j REDIRECT --to-port 3128


    [»] Re: To my surprise, even if I removed the ebtables statement, it still works. Care to comment why ?
    by Ariel - Mar 4th 2005 07:42:56


    > To my surprise, even if I removed the ebtables statement, it still works. Care to comment why ?
    > In other words, the following statment is sufficient!
    >
    > iptables -t nat -A PREROUTING -i br0 -p tcp --dport 80 \
    > -j REDIRECT --to-port 3128

    Take a look at my answer to jeenux

    --
    .- Ariel Molina Rueda - .


    [»] Re: To my surprise, even if I removed the ebtables statement, it still works. Care to comment why ?
    by al9000 - Sep 23rd 2007 14:37:05

    To quote the ebtables website: "ebtables tries to provide the bridge firewalling that iptables cannot provide, namely the filtering of non-IP traffic." Apparently the "bridge-nf" code allows iptables to see IP traffic on the bridge. Since the Internet is, by definition, a network of IP networks, you probably don't need to bridge any non-IP packets.


[»] ebtables
by jeenux - Feb 8th 2005 13:17:23

Hi,

I have a bridge which passes http requests to Squid on the same machine (like the setup in the doc). But the thing is I don't use ebtables. I only use iptables and it's working fine except for some cases which, I heard, were normal problems (like refresh problems with Internet Explorer).

So I was wondering if there was any reason for me to use ebtables and why does it work without it.

Thanks,

Jeenux


    [»] Re: ebtables
    by Ariel - Mar 4th 2005 07:37:21


    > Hi,
    >
    > I have a bridge which passes http requests to Squid on the same machine (like the setup in the doc). But the thing is I don't use ebtables. I only use iptables and it's working fine except for some cases which, I heard, were normal problems (like refresh problems with Internet Explorer).
    >
    > So I was wondering if there was any reason for me to use ebtables and why does it work without it.
    >
    > Thanks,
    >
    > Jeenux
    >

    By the time I worked on that problem, iptables was not able to "see" packets going through the bridge. There was even another project useful for bringing packets into iptables: the frame diverter.

    Perhaps there was a promise to patch iptables. Maybe iptables is now capable of doing that without ebtables.

    --
    The same answer for the post above this.

    :-)

    --
    .- Ariel Molina Rueda - .


    [»] Re: ebtables
    by Ariel - Mar 4th 2005 07:45:13


    > except for some cases which, I heard, were normal problems (like refresh problems with Internet Explorer).

    There is a workaround for refresh problems in IE. Check your squid.conf comments and sample settings.

    --
    .- Ariel Molina Rueda - .


[»] Can I run services on the bridge?
by wakebdr - Jan 26th 2005 07:32:08

The box I would like to setup as my bridge is currently running services such as http and ftp that are being served to the internet via port forwarding on my router. Will this still be possible if the box is setup to act as a bridge? If it's possible, is it safe?


    [»] Re: Can I run services on the bridge?
    by Ariel - Mar 4th 2005 07:59:44


    > The box I would like to setup as my bridge is currently running services such as http and ftp that are being served to the internet via port forwarding on my router. Will this still be possible if the box is setup to act as a bridge? If it's possible, is it safe?

    Yes, it is possible. In fact, if you assign an IP to your bridge, your router can see it as a normal computer, so if you open port 81 (and run apache), you can redirect web requests to it. I suggest running apache on a different port than 80 (81 is fine), because IMHO iptables will redirect it to squid, and maybe squid will redirect it to your router, and your router will redirect it to the bridge, and squid will redirect it to the router, and... you will end up with a loop. So do not use 80; in fact you don't need it: your incoming traffic to port 80 (to www.yoursite.com) will be redirected by the router if you configure it to do so (to port 81).

    On the other hand, whether it is safe or not depends on how you define safety.

    We have a two-NIC machine acting as a bridge; everything it receives on one NIC is "blindly" passed to the other, only web traffic is redirected to squid, and incoming traffic to port 81 will be served by apache. It is a fancy configuration, but it should work.

    The only problem is that squid consumes a lot of memory and hard disk, and the traffic on the bridge consumes CPU. You only have to worry if you are running a site with lots of concurrent hits (you certainly cannot run www.google.com on top of this :-P).

    --
    .- Ariel Molina Rueda - .


    [»] Re: Can I run services on the bridge?
    by madloons - May 24th 2005 05:31:28


    > The box I would like to setup as my bridge is currently running services such as http and ftp that are being served to the internet via port forwarding on my router. Will this still be possible if the box is setup to act as a bridge? If it's possible, is it safe?

    The tutorial helped me a lot, thanks. madloons

    --
    vegunta


[»] can i use cbq with this setting ?
by lussac - Jan 16th 2005 01:34:17

I have a network topology like below:

internet -- gateway -- bridge/squid -- all_client

and I plan to set up CBQ on the gateway (linux box) for bandwidth limiting, to shape all_client based on BW allocation.

But requests from all_client are handled by squid, and I am confused about it. Can I shape BW for all_client with CBQ on the gateway or on the bridge/squid?

--
For more my detail at http://aconk.lussac.org


[»] Remote Squid
by Matthias Strack - Jan 2nd 2005 05:48:44

Hi,

is it possible to redirect the traffic to another machine in the LAN which is running Squid?
Because my box running the bridge mode isn't very powerful.


    [»] Re: Remote Squid
    by Ariel - Jan 2nd 2005 12:57:43


    > Hi,
    >
    > is it possible to redirect the Traffic to another Machine in the LAN which is runnning Squid?
    > Cause my Box running the Bridge mode isnt very powerfull.

    Of course, just use iptables rules to redirect traffic to another machine instead of redirecting it to itself, but you had better use a better machine.

    --
    .- Ariel Molina Rueda - .


      [»] Re: Remote Squid
      by Matthias Strack - Jan 3rd 2005 15:15:33


      > Of course, just use iptables rules to redirect traffic to another machine istead of redirecting them to itself, but you should better use a better machine.

      These settings work for me (redirecting on my Linksys WRT54G to my Squid Box)
      ebtables -t broute -A BROUTING -p IPv4 --ip-protocol 6 --ip-destination-port 80 -j redirect --redirect-target ACCEPT
      iptables -t nat -A PREROUTING -i br0 -p tcp --source ! 192.168.1.10/255.255.255.255 --dport 80 -j DNAT --to-destination 192.168.1.10:8080

      Maybe it's dirty... but it works fine :)


      [reply] [top]
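      As an added example (not code from this thread or from the Squid project), the rule set above can be wrapped in a small script that validates the Squid address before it reaches a command line, prints the rules in dry-run mode, and applies them only when run as root with DRY_RUN=0. The bridge name, Squid address and port are assumptions; it also assumes IP forwarding is enabled on the bridge box. It goes one step beyond the posted pair of rules by adding a POSTROUTING rule, because when Squid and the clients share a subnet, Squid's replies would otherwise go straight to the client and never pass back through the box that did the DNAT.

```shell
#!/bin/sh
# Added example, not code from the thread: generate (or, with DRY_RUN=0 as
# root, apply) the rules that hand port-80 traffic crossing the bridge to a
# Squid box elsewhere on the LAN.  All names and addresses below are
# assumptions for illustration.
BRIDGE=br0                   # assumed bridge device
SQUID_IP=192.168.1.10        # assumed address of the remote Squid host
SQUID_PORT=8080              # assumed Squid http_port
DRY_RUN=${DRY_RUN:-1}        # 1 = print the commands, 0 = execute them

# Accept only a dotted-quad IPv4 address before it is spliced into a command.
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for octet in $(echo "$1" | tr '.' ' '); do
        [ "$octet" -le 255 ] || return 1
    done
}

# The rule set, in order.  The "! --source" exclusion is what prevents a loop:
# Squid's own fetches from origin servers on port 80 must not be DNATed back
# to Squid.  The MASQUERADE rule makes Squid answer the bridge box rather than
# the client directly, so conntrack can reverse the DNAT on the way back; the
# cost is that Squid logs the bridge's address instead of the client's.
redirect_rules() {
    echo "ebtables -t broute -A BROUTING -p IPv4 --ip-protocol 6 --ip-destination-port 80 -j redirect --redirect-target ACCEPT"
    echo "iptables -t nat -A PREROUTING -i $BRIDGE -p tcp ! --source $SQUID_IP --dport 80 -j DNAT --to-destination $SQUID_IP:$SQUID_PORT"
    echo "iptables -t nat -A POSTROUTING -o $BRIDGE -p tcp --destination $SQUID_IP --dport $SQUID_PORT -j MASQUERADE"
}

# Print each line (dry run), or run it and stop at the first failure.
run_or_print() {
    if [ "$DRY_RUN" = "1" ]; then
        cat
    else
        while IFS= read -r cmd; do sh -c "$cmd" || return 1; done
    fi
}

apply_redirect() {
    valid_ipv4 "$SQUID_IP" || { echo "bad SQUID_IP: $SQUID_IP" >&2; return 1; }
    redirect_rules | run_or_print
}
```

      Run it once with the default DRY_RUN=1 and compare the printed rules against `iptables -t nat -L -n` and `ebtables -t broute -L` after applying; if the DNAT counter rises but no replies come back, the missing return path described above is the first thing to check.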


        [»] Re: Remote Squid
        by quartet - Dec 26th 2006 00:28:42


        > % Of course, just use iptables rules to
        > % redirect traffic to another machine
        > % instead of redirecting them to itself,
        > % but you should better use a better
        > % machine.
        >
        > These settings work for me (redirecting
        > on my Linksys WRT54G to my Squid Box)
        > ebtables -t broute -A BROUTING -p IPv4
        > --ip-protocol 6 --ip-destination-port 80
        > -j redirect --redirect-target ACCEPT
        > iptables -t nat -A PREROUTING -i br0 -p
        > tcp --source !
        > 192.168.1.10/255.255.255.255 --dport 80
        > -j DNAT --to-destination
        > 192.168.1.10:8080
        >
        > Maybe it's dirty... but it works fine :)

        What changes have to be done on the Linksys router side for this configuration to work? Is this some advanced feature on the router that allows traffic to bind to the squid server?

        [reply] [top]


          [»] Re: Remote Squid
          by Matthias Strack - Dec 26th 2006 01:12:53


          > % % Of course, just use iptables rules to
          > % % redirect traffic to another machine
          > % % instead of redirecting them to itself,
          > % % but you should better use a better
          > % % machine.
          > %
          > % These settings work for me (redirecting
          > % on my Linksys WRT54G to my Squid Box)
          > % ebtables -t broute -A BROUTING -p IPv4
          > % --ip-protocol 6 --ip-destination-port 80
          > % -j redirect --redirect-target ACCEPT
          > % iptables -t nat -A PREROUTING -i br0 -p
          > % tcp --source !
          > % 192.168.1.10/255.255.255.255 --dport 80
          > % -j DNAT --to-destination
          > % 192.168.1.10:8080
          > %
          > % Maybe it's dirty... but it works fine :)
          >
          > What changes have to be done on the
          > Linksys router side for this
          > configuration to work? Is this some
          > advanced feature on the router that
          > allows traffic to bind to the squid
          > server?

          Well, you have to install an alternative firmware like dd-wrt.
          Then you have ssh/telnet access to the Router and you can easily change the Firewall rules.

          [reply] [top]


[»] bandwidth control
by Rohan Almeida - Jan 2nd 2005 03:49:43

Hi,
Can we have bandwidth control working with this
setup too?
using the tc utility.

I think it will work. Just wanna be sure!

Regards,
Rohan

[reply] [top]


    [»] Re: bandwidth control and more networks
    by Ariel - Jan 2nd 2005 12:54:54


    > Hi,
    > Can we have bandwidth control working
    > with this
    > setup too?
    > using the tc utility.
    >
    > I think it will work. Just wanna be
    > sure!
    >
    > Regards,
    > Rohan

    Yes, it certainly can be done; in fact, I am doing it right now for a mid-size ISP. Just use tc and shape in the right direction: outbound traffic (uploads) on the interface pointing to the world and inbound traffic (downloads) on the one pointing to your LAN. You should use only tc filters, because it is a waste of computer power to bring those packets to iptables (using ebtables) and then bounce them back using routing; use tc filter ...... and you and your network will be happy.

    You can also add more network adaptors and join them to the bridge to catch traffic from more networks.

    It works like a charm.

    BTW: I am also shaping in a Linksys Wireless router; I can control specific wireless clients directly from the router, which is also a wonderful thing.

    --
    .- Ariel Molina Rueda - .

    [reply] [top]
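    As an added example (not from this thread or from the article's author), here is the shaping Ariel describes written out as HTB classes with u32 filters on the two bridge ports: downloads are shaped as egress on the port facing the clients, uploads as egress on the port facing the world, so packets never have to leave the bridge path. Port names, rates and the client subnet are assumptions; the script prints the tc commands by default and only executes them with DRY_RUN=0 as root.

```shell
#!/bin/sh
# Added example, not code from the thread: HTB shaping on the two bridge ports
# in the directions Ariel describes.  Port names, rates and the client subnet
# are assumptions for illustration.
LAN_IF=eth1              # assumed: bridge port facing the clients
WAN_IF=eth0              # assumed: bridge port facing the gateway
CLIENT_NET=10.0.0.0/24   # assumed client subnet (private address space)
DOWN_KBIT=2048           # assumed download ceiling for CLIENT_NET
UP_KBIT=512              # assumed upload ceiling for CLIENT_NET
DRY_RUN=${DRY_RUN:-1}    # 1 = print the commands, 0 = execute them as root

# tc commands for one direction: a root HTB whose default class (1:20) keeps a
# quarter of the rate, so anything a filter does not match is slowed rather
# than dropped, and a class (1:10) for CLIENT_NET selected by a u32 filter on
# the address field ("dst" for downloads, "src" for uploads).
shape_iface() {   # shape_iface IFACE KBIT dst|src
    iface=$1 kbit=$2 field=$3
    case $field in
        dst|src) ;;
        *) echo "field must be dst or src" >&2; return 1 ;;
    esac
    echo "tc qdisc del dev $iface root 2>/dev/null"
    echo "tc qdisc add dev $iface root handle 1: htb default 20"
    echo "tc class add dev $iface parent 1: classid 1:1 htb rate ${kbit}kbit ceil ${kbit}kbit"
    echo "tc class add dev $iface parent 1:1 classid 1:10 htb rate $((kbit * 3 / 4))kbit ceil ${kbit}kbit"
    echo "tc class add dev $iface parent 1:1 classid 1:20 htb rate $((kbit / 4))kbit ceil ${kbit}kbit"
    echo "tc filter add dev $iface parent 1: protocol ip prio 1 u32 match ip $field $CLIENT_NET flowid 1:10"
}

# Print each line (dry run), or run it and stop at the first failure.
run_or_print() {
    if [ "$DRY_RUN" = "1" ]; then
        cat
    else
        while IFS= read -r cmd; do sh -c "$cmd" || return 1; done
    fi
}

# Downloads: egress on the LAN port, matched on destination address.
# Uploads:   egress on the WAN port, matched on source address.
shape_bridge() {
    {
        shape_iface "$LAN_IF" "$DOWN_KBIT" dst
        shape_iface "$WAN_IF" "$UP_KBIT" src
    } | run_or_print
}
```

    After applying, `tc -s class show dev eth1` should show the byte counters of class 1:10 rising during a client download; if only 1:20 moves, the filter's address field or CLIENT_NET does not match the traffic.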


[»] fine tuning for FC
by Tarhon-Onu Victor - Jan 1st 2005 06:50:09

Hi,
Speaking of fine tuning for Fedora Core, you can use:
/etc/sysconfig/network-scripts/ifcfg-br0
having the following content:

DEVICE=br0
ONBOOT=yes
BOOTPROTO=static
IPADDR=200.1.2.3
NETMASK=255.255.255.0
TYPE=Bridge

In order for the configuration to work, you also have to modify the configuration files for eth0 and eth1 (in your case)
/etc/sysconfig/network-scripts/ifcfg-eth[01]
DEVICE=eth0 # or eth1
ONBOOT=yes
BOOTPROTO=static
BRIDGE=br0

/etc/rc.d/init.d/network restart and enjoy. It's better to use the tools from the Linux distro than placing configuration scripts in rc.local.

[reply] [top]


    [»] Re: fine tuning for FC
    by dunmi - Jan 28th 2005 02:40:12


    > Hi,
    > Speaking of fine tuning for Fedora
    > Core, you can use:
    > /etc/sysconfig/network-scripts/ifcfg-br0
    > having the following content:
    >
    > DEVICE=br0
    > ONBOOT=yes
    > BOOTPROTO=static
    > IPADDR=200.1.2.3
    > NETMASK=255.255.255.0
    > TYPE=Bridge
    >
    > In order that the configuration to work
    > you have also to modify the
    > configuration files for eth0 and eth1
    > (in your case)
    > /etc/sysconfig/network-scripts/ifcfg-eth[01]
    > DEVICE=eth0 # or eth1
    > ONBOOT=yes
    > BOOTPROTO=static
    > BRIDGE=br0
    >
    > /etc/rc.d/init.d/network restart and
    > enjoy. It's better to use the tools from
    > the linux distro than to placing
    > configuration scripts in rc.local.

    Hi,
    please, I have a problem getting the bridge to start on reboot. I tried the script but it says the brctl command is not recognised at boot time.

    [reply] [top]


      [»] Re: fine tuning for FC
      by madloons - May 26th 2005 04:26:36


      >
      > % Hi,
      > % Speaking of fine tunning for Fedora
      > % Core, you can use:
      > %
      > /etc/sysconfig/network-scripts/ifcfg-br0
      > % having the following content:
      > %
      > % DEVICE=br0
      > % ONBOOT=yes
      > % BOOTPROTO=static
      > % IPADDR=200.1.2.3
      > % NETMASK=255.255.255.0
      > % TYPE=Bridge
      > %
      > % In order that the configuration to
      > work
      > % you have also to modify the
      > % configuration files for eth0 and eth1
      > % (in your case)
      > %
      > /etc/sysconfig/network-scripts/ifcfg-eth[01]
      > % DEVICE=eth0 # or eth1
      > % ONBOOT=yes
      > % BOOTPROTO=static
      > % BRIDGE=br0
      > %
      > % /etc/rc.d/init.d/network restart and
      > % enjoy. It's better to use the tools
      > from
      > % the linux distro than to placing
      > % configuration scripts in rc.local.
      > %
      >
      >
      > hi
      > please i have a problem getting the
      > bridge to start on reboot . i tried the
      > script but it says brctl command not
      > recognised . at boot time.
      I am also facing the problem of starting on reboot. Can anyone help me? Thank you

      --
      vegunta

      [reply] [top]


        [»] Re: fine tuning for FC
        by shazwaen - Aug 11th 2005 02:20:07

        Issue this command...

        rpm -qa | grep bridge-utils

        If nothing comes out, it seems that you forgot to install the bridge-utils package. That's why the "brctl" command is not found.

        cheers...


        > % % Hi,
        > % % Speaking of fine tunning for Fedora
        > % % Core, you can use:
        > % % /etc/sysconfig/network-scripts/ifcfg-br0
        > % % having the following content:
        > % %
        > % % DEVICE=br0
        > % % ONBOOT=yes
        > % % BOOTPROTO=static
        > % % IPADDR=200.1.2.3
        > % % NETMASK=255.255.255.0
        > % % TYPE=Bridge
        > % %
        > % % In order that the configuration to
        > % % work
        > % % you have also to modify the
        > % % configuration files for eth0 and
        > % % eth1
        > % % (in your case)
        > % % /etc/sysconfig/network-scripts/ifcfg-eth[01]
        > % % DEVICE=eth0 # or eth1
        > % % ONBOOT=yes
        > % % BOOTPROTO=static
        > % % BRIDGE=br0
        > % %
        > % % /etc/rc.d/init.d/network restart
        > % % and
        > % % enjoy. It's better to use the tools
        > % % from
        > % % the linux distro than to placing
        > % % configuration scripts in rc.local.
        > % %
        > %
        > % hi
        > % please i have a problem getting the
        > % bridge to start on reboot . i tried
        > % the
        > % script but it says brctl command not
        > % recognised . at boot time.
        >
        > I am also facing the problem to start on
        > reboot can any one help me madloons
        > thank you

        [reply] [top]
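        As an added example that is not part of this thread, the two failure modes discussed here (brctl missing at boot, and ifcfg files whose BRIDGE= setting does not line up with an existing, enabled ifcfg-brX) can both be caught before rebooting with a short check over the network-scripts directory. The directory is a parameter so the check can run against a copy; the sample files the script can write are constructed for illustration and use an assumed private address, not a real system's configuration.

```shell
#!/bin/sh
# Added example, not code from the thread: a pre-reboot sanity check for a
# Fedora-style bridge configuration.  It verifies that brctl is on PATH and
# that every ifcfg-* file naming BRIDGE=brX has a matching ifcfg-brX with
# TYPE=Bridge and ONBOOT=yes.

# Read one KEY=VALUE setting from an ifcfg file (trailing comments ignored).
ifcfg_get() {   # ifcfg_get FILE KEY
    sed -n "s/^[[:space:]]*$2=\([^#[:space:]]*\).*/\1/p" "$1" | tail -n 1
}

# 0 if brctl can be found on PATH, 1 otherwise (the bridge-utils package).
have_brctl() {
    command -v brctl >/dev/null 2>&1
}

# Check the ifcfg files in DIR; print one line per problem, return 1 if any.
check_bridge_cfg() {   # check_bridge_cfg DIR
    dir=$1 rc=0
    for f in "$dir"/ifcfg-*; do
        [ -f "$f" ] || continue
        br=$(ifcfg_get "$f" BRIDGE)
        [ -n "$br" ] || continue          # not a bridge port, skip
        brfile="$dir/ifcfg-$br"
        if [ ! -f "$brfile" ]; then
            echo "$(basename "$f"): BRIDGE=$br but $brfile does not exist"; rc=1
        elif [ "$(ifcfg_get "$brfile" TYPE)" != "Bridge" ]; then
            echo "$(basename "$f"): $brfile lacks TYPE=Bridge"; rc=1
        elif [ "$(ifcfg_get "$brfile" ONBOOT)" != "yes" ]; then
            echo "$(basename "$f"): $brfile has ONBOOT!=yes, bridge will not come up at boot"; rc=1
        fi
    done
    return $rc
}

# Full pre-reboot check: tool present and configuration consistent.
preflight() {   # preflight DIR
    ok=0
    have_brctl || { echo "brctl not found: install the bridge-utils package"; ok=1; }
    check_bridge_cfg "$1" || ok=1
    return $ok
}

# Constructed sample files (not a real system): eth0 is wired correctly,
# eth1 points at a bridge that is never defined.
make_sample_cfg() {   # make_sample_cfg DIR
    printf 'DEVICE=br0\nONBOOT=yes\nBOOTPROTO=static\nIPADDR=10.0.0.1\nNETMASK=255.255.255.0\nTYPE=Bridge\n' > "$1/ifcfg-br0"
    printf 'DEVICE=eth0\nONBOOT=yes\nBOOTPROTO=static\nBRIDGE=br0\n' > "$1/ifcfg-eth0"
    printf 'DEVICE=eth1 # port facing the LAN\nONBOOT=yes\nBOOTPROTO=static\nBRIDGE=br1\n' > "$1/ifcfg-eth1"
}
```

        On a real box, `preflight /etc/sysconfig/network-scripts` before the restart tells you which of the two problems you have; the sample files only exist so the check can be exercised without touching the live configuration.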


    [»] Re: fine tuning for FC
    by Luke - Apr 20th 2006 05:07:17

    > DEVICE=br0
    > ONBOOT=yes
    > BOOTPROTO=static
    > IPADDR=200.1.2.3
    > NETMASK=255.255.255.0
    > TYPE=Bridge

    This all works really nicely for static ip addresses but it doesn't work so well for DHCP. Namely br0 gets initialized before eth0 or eth1 so br0 never gets a DHCP address. I've switched on DHCP persistence, i.e.

    DEVICE=br0
    BOOTPROTO=dhcp
    ONBOOT=yes
    TYPE=Bridge
    DELAY=0
    STP=off
    PERSISTENT_DHCLIENT=yes

    I can fiddle with DHCP client settings to get it to aggressively recheck but it's all very flaky. I notice in ifup that with ethernet bonding the slaved ports get initialized before the master port for DHCP reasons, but for ethernet bridges it doesn't. I can get around it by hacking scripts together in rc.local but if anything restarts the network then it all goes horribly wrong, and I like the idea of using the ifcfg scripts.

    Aside from hacking ifup or /etc/init.d/network, any ideas on how to force eth0/1 to get initialized before br0? I tried renaming br0 to tr0 on the assumption that the order was alphabetic but that seemed to make no difference at all. Any ideas?

    Cheers
    Luke

    [reply] [top]


      [»] Re: fine tuning for FC
      by Luke - Apr 20th 2006 08:47:09

      > This all works really nicely for static
      > ip addresses but it doesn't work so well
      > for DHCP. Namely br0 gets initialized
      > before eth0 or eth1 so br0 never gets a
      > DHCP address. I've switched on DHCP
      > persistence, i.e.

      I knew I'd figure this out as soon as I posted the question!

      Run "ifconfig eth0 promisc up" and eth0 and eth1 are already in promisc mode when the bridge code gets run, and the dhcp client then seems to work properly. The promisc flag survives a network restart, so once up and running you can't easily break it and the bridge gets a DHCP address every time!

      Cheers, Luke

      [reply] [top]


[»] IP 20.1.2.3
by Davide - Jan 1st 2005 05:28:14

Please don't use 20/8 because this isn't a free IP address (http://ws.arin.net/cgi-bin/whois.pl for further info)

Use 10/8.

[reply] [top]


    [»] Re: IP 20.1.2.3
    by Ariel - Jan 2nd 2005 12:42:36


    > Please don't use 20/8 because this isn't
    > a free IP address
    > (http://ws.arin.net/cgi-bin/whois.pl for
    > further info)
    >
    > Use 10/8.

    You are right, but that was only an example, people should use an IP in their own network or a private IP.

    --
    .- Ariel Molina Rueda - .

    [reply] [top]


      [»] Re: IP 20.1.2.3
      by massheros - Nov 11th 2005 03:47:53

      You are right, but that was only an example, people should use an IP in their own network or a private IP sarvinkakis

      --
      mass

      [reply] [top]



