* [Bridge] transparent bridge and proxies
@ 2006-08-24 17:31 Julian Lyndon-Smith
2006-08-24 18:20 ` Marek Kierdelewicz
` (3 more replies)
0 siblings, 4 replies; 9+ messages in thread
From: Julian Lyndon-Smith @ 2006-08-24 17:31 UTC (permalink / raw)
To: bridge
I want to be able to install a box that is a transparent bridge, but
that is also running a transparent proxy, but with a twist ..
i am a newbie in all things linux, so bear with me :)
So far I have managed to install centos 4.3, and following various
guides on the net, created a bridge between eth1 (connected to lan) and
eth0 (connected to router). That works great.
I also managed to install squid, get it running transparently and added
a rule to iptables to make all that work just fine. So now, all my
clients attached to the lan run through the squid proxy without them
knowing.
Now, for the twist. For development and testing, I assigned an ip
address and gateway to the bridge. I need to be able for a "non-it"
person to install this box without having to set it up at all , so it
cannot have an ip address assigned, as it *may* be in use somewhere else
on the lan or router.
So, I changed the ip address to 0.0.0.0. Everything except squid still
worked. I presume that's because it does not know how to route the data
to get stuff.
Can I add a rule to iptables or something to say "anything that's come
from eth1 into the local box, after processing send to eth0" and
vice-versa ?
Julian.
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [Bridge] transparent bridge and proxies
2006-08-24 17:31 [Bridge] transparent bridge and proxies Julian Lyndon-Smith
@ 2006-08-24 18:20 ` Marek Kierdelewicz
2006-08-24 20:17 ` Benny Amorsen
` (2 subsequent siblings)
3 siblings, 0 replies; 9+ messages in thread
From: Marek Kierdelewicz @ 2006-08-24 18:20 UTC (permalink / raw)
To: bridge
> Now, for the twist. For development and testing, I assigned an ip
> address and gateway to the bridge. I need to be able for a "non-it"
> person to install this box without having to set it up at all , so it
> cannot have an ip address assigned, as it *may* be in use somewhere
> else on the lan or router.
One sure and elegant solution is using dhcpcd for bridge adressing.
Unfortunately this requires dhcp server on the net. Dhcp would also
ensure ip clashes avoidance.
Loot at http://www.isc.org/index.pl?/sw/dhcp/.
> So, I changed the ip address to 0.0.0.0. Everything except squid
> still worked. I presume that's because it does not know how to route
> the data to get stuff.
I don't think you could make squid work without IP address assigned.
> Can I add a rule to iptables or something to say "anything that's
> come from eth1 into the local box, after processing send to eth0" and
> vice-versa ?
Squid needs dns access and needs to know where to direct it's
requests.
regards,
--
Marek Kierdelewicz
Kierownik Dzia?u Systemów Sieciowych, KoBa
Manager of Network Systems Department, KoBa
tel. (85) 7406466; fax. (85) 7406467
e-mail: admin@koba.pl
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [Bridge] transparent bridge and proxies
2006-08-24 17:31 [Bridge] transparent bridge and proxies Julian Lyndon-Smith
2006-08-24 18:20 ` Marek Kierdelewicz
@ 2006-08-24 20:17 ` Benny Amorsen
2006-08-24 22:42 ` Etienne Pretorius
2006-08-24 20:17 ` Melissa Meyer
2006-08-24 22:20 ` Marek Kierdelewicz
3 siblings, 1 reply; 9+ messages in thread
From: Benny Amorsen @ 2006-08-24 20:17 UTC (permalink / raw)
To: bridge
>>>>> "JL-S" == Julian Lyndon-Smith <asterisk@dotr.com> writes:
JL-S> So, I changed the ip address to 0.0.0.0. Everything except squid
JL-S> still worked. I presume that's because it does not know how to
JL-S> route the data to get stuff.
JL-S> Can I add a rule to iptables or something to say "anything
JL-S> that's come from eth1 into the local box, after processing send
JL-S> to eth0" and vice-versa ?
How about using 127.0.0.1 or something else on the local subnet?
iptables should be able to redirect to that.
I don't know how you'll get traffic from squid out of the box though.
If you know a way to make squid reuse the original clients address in
the outgoing connection, I'm all ears.
/Benny
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [Bridge] transparent bridge and proxies
2006-08-24 17:31 [Bridge] transparent bridge and proxies Julian Lyndon-Smith
2006-08-24 18:20 ` Marek Kierdelewicz
2006-08-24 20:17 ` Benny Amorsen
@ 2006-08-24 20:17 ` Melissa Meyer
2006-08-24 22:05 ` Julian Lyndon-Smith
2006-08-24 22:20 ` Marek Kierdelewicz
3 siblings, 1 reply; 9+ messages in thread
From: Melissa Meyer @ 2006-08-24 20:17 UTC (permalink / raw)
To: bridge
In the 2.6 kernel, there's an iptables module called physdev to match
the bridge's physical in and out devices so something like:
iptables -A FORWARD -m physdev -p tcp --dport 25
--physdev-in eth0 -j ACCEPT
to allow smtp traffic through.
Julian Lyndon-Smith wrote:
> I want to be able to install a box that is a transparent bridge, but
> that is also running a transparent proxy, but with a twist ..
>
> i am a newbie in all things linux, so bear with me :)
>
> So far I have managed to install centos 4.3, and following various
> guides on the net, created a bridge between eth1 (connected to lan) and
> eth0 (connected to router). That works great.
>
> I also managed to install squid, get it running transparently and added
> a rule to iptables to make all that work just fine. So now, all my
> clients attached to the lan run through the squid proxy without them
> knowing.
>
> Now, for the twist. For development and testing, I assigned an ip
> address and gateway to the bridge. I need to be able for a "non-it"
> person to install this box without having to set it up at all , so it
> cannot have an ip address assigned, as it *may* be in use somewhere else
> on the lan or router.
>
> So, I changed the ip address to 0.0.0.0. Everything except squid still
> worked. I presume that's because it does not know how to route the data
> to get stuff.
>
> Can I add a rule to iptables or something to say "anything that's come
> from eth1 into the local box, after processing send to eth0" and
> vice-versa ?
>
> Julian.
> _______________________________________________
> Bridge mailing list
> Bridge@lists.osdl.org
> https://lists.osdl.org/mailman/listinfo/bridge
>
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [Bridge] transparent bridge and proxies
2006-08-24 20:17 ` Melissa Meyer
@ 2006-08-24 22:05 ` Julian Lyndon-Smith
2006-08-24 22:34 ` Melissa Meyer
0 siblings, 1 reply; 9+ messages in thread
From: Julian Lyndon-Smith @ 2006-08-24 22:05 UTC (permalink / raw)
To: Melissa Meyer; +Cc: bridge
Thanks Melissa for responding
I was trying to play with physdev.
Ignoring all the inbound stuff, if I was on the console of this machine
(Mybox)
MyBox
+-----br0----+
| |
router<--->eth0+ +eth1<--->Lan
Where br0, eth0 and eth1 had no ip address, and I wanted to "yum update"
(which I presume uses port 80) what rules would I need to put in place
? I was looking for something to do with 127.0.0.1 (the lo interface)
and eth0.
If I got that to work, the squid proxy should automatically follow, no ?
Julian
Melissa Meyer wrote:
>
> In the 2.6 kernel, there's an iptables module called physdev to match
> the bridge's physical in and out devices so something like:
>
> iptables -A FORWARD -m physdev -p tcp --dport 25
> --physdev-in eth0 -j ACCEPT
>
> to allow smtp traffic through.
>
>
> Julian Lyndon-Smith wrote:
>> I want to be able to install a box that is a transparent bridge, but
>> that is also running a transparent proxy, but with a twist ..
>>
>> i am a newbie in all things linux, so bear with me :)
>>
>> So far I have managed to install centos 4.3, and following various
>> guides on the net, created a bridge between eth1 (connected to lan) and
>> eth0 (connected to router). That works great.
>>
>> I also managed to install squid, get it running transparently and added
>> a rule to iptables to make all that work just fine. So now, all my
>> clients attached to the lan run through the squid proxy without them
>> knowing.
>>
>> Now, for the twist. For development and testing, I assigned an ip
>> address and gateway to the bridge. I need to be able for a "non-it"
>> person to install this box without having to set it up at all , so it
>> cannot have an ip address assigned, as it *may* be in use somewhere else
>> on the lan or router.
>>
>> So, I changed the ip address to 0.0.0.0. Everything except squid still
>> worked. I presume that's because it does not know how to route the data
>> to get stuff.
>>
>> Can I add a rule to iptables or something to say "anything that's come
>> from eth1 into the local box, after processing send to eth0" and
>> vice-versa ?
>>
>> Julian.
>> _______________________________________________
>> Bridge mailing list
>> Bridge@lists.osdl.org
>> https://lists.osdl.org/mailman/listinfo/bridge
>>
> _______________________________________________
> Bridge mailing list
> Bridge@lists.osdl.org
> https://lists.osdl.org/mailman/listinfo/bridge
>
>
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [Bridge] transparent bridge and proxies
2006-08-24 17:31 [Bridge] transparent bridge and proxies Julian Lyndon-Smith
` (2 preceding siblings ...)
2006-08-24 20:17 ` Melissa Meyer
@ 2006-08-24 22:20 ` Marek Kierdelewicz
3 siblings, 0 replies; 9+ messages in thread
From: Marek Kierdelewicz @ 2006-08-24 22:20 UTC (permalink / raw)
To: bridge
> Now, for the twist. For development and testing, I assigned an ip
> address and gateway to the bridge. I need to be able for a "non-it"
> person to install this box without having to set it up at all , so it
> cannot have an ip address assigned, as it *may* be in use somewhere
> else on the lan or router.
One sure and elegant solution is using dhcpcd for bridge adressing.
Unfortunately this requires dhcp server on the net. Dhcp would also
ensure ip clashes avoidance.
Loot at http://www.isc.org/index.pl?/sw/dhcp/.
> So, I changed the ip address to 0.0.0.0. Everything except squid
> still worked. I presume that's because it does not know how to route
> the data to get stuff.
I don't think you could make squid work without IP address assigned.
> Can I add a rule to iptables or something to say "anything that's
> come from eth1 into the local box, after processing send to eth0" and
> vice-versa ?
Squid needs dns access and needs to know where to direct it's
requests.
regards,
--
Marek Kierdelewicz
Kierownik Dzia?u Systemów Sieciowych, KoBa
Manager of Network Systems Department, KoBa
tel. (85) 7406466; fax. (85) 7406467
e-mail: admin@koba.pl
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [Bridge] transparent bridge and proxies
2006-08-24 22:05 ` Julian Lyndon-Smith
@ 2006-08-24 22:34 ` Melissa Meyer
0 siblings, 0 replies; 9+ messages in thread
From: Melissa Meyer @ 2006-08-24 22:34 UTC (permalink / raw)
To: bridge
In that situation, I put a third nic on the box and gave it a real IP
address for management purposes (such as running yum). I'm not exactly
sure yum updates to the bridge itself will work without an IP adddress.
I think in the proxy situation, you might need to set up a prerouting
iptables rule that redirects the traffic to the squid port or something
similar?
Julian Lyndon-Smith wrote:
> Thanks Melissa for responding
>
> I was trying to play with physdev.
>
> Ignoring all the inbound stuff, if I was on the console of this
> machine (Mybox)
> MyBox
> +-----br0----+
> | |
> router<--->eth0+ +eth1<--->Lan
>
> Where br0, eth0 and eth1 had no ip address, and I wanted to "yum
> update" (which I presume uses port 80) what rules would I need to put
> in place ? I was looking for something to do with 127.0.0.1 (the lo
> interface) and eth0.
>
> If I got that to work, the squid proxy should automatically follow, no ?
>
> Julian
>
> Melissa Meyer wrote:
>>
>> In the 2.6 kernel, there's an iptables module called physdev to match
>> the bridge's physical in and out devices so something like:
>>
>> iptables -A FORWARD -m physdev -p tcp --dport 25
>> --physdev-in eth0 -j ACCEPT
>>
>> to allow smtp traffic through.
>>
>>
>> Julian Lyndon-Smith wrote:
>>> I want to be able to install a box that is a transparent bridge, but
>>> that is also running a transparent proxy, but with a twist ..
>>>
>>> i am a newbie in all things linux, so bear with me :)
>>>
>>> So far I have managed to install centos 4.3, and following various
>>> guides on the net, created a bridge between eth1 (connected to lan)
>>> and eth0 (connected to router). That works great.
>>>
>>> I also managed to install squid, get it running transparently and
>>> added a rule to iptables to make all that work just fine. So now,
>>> all my clients attached to the lan run through the squid proxy
>>> without them knowing.
>>>
>>> Now, for the twist. For development and testing, I assigned an ip
>>> address and gateway to the bridge. I need to be able for a "non-it"
>>> person to install this box without having to set it up at all , so
>>> it cannot have an ip address assigned, as it *may* be in use
>>> somewhere else on the lan or router.
>>>
>>> So, I changed the ip address to 0.0.0.0. Everything except squid
>>> still worked. I presume that's because it does not know how to route
>>> the data to get stuff.
>>>
>>> Can I add a rule to iptables or something to say "anything that's
>>> come from eth1 into the local box, after processing send to eth0"
>>> and vice-versa ?
>>>
>>> Julian.
>>> _______________________________________________
>>> Bridge mailing list
>>> Bridge@lists.osdl.org
>>> https://lists.osdl.org/mailman/listinfo/bridge
>>>
>> _______________________________________________
>> Bridge mailing list
>> Bridge@lists.osdl.org
>> https://lists.osdl.org/mailman/listinfo/bridge
>>
>>
>
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [Bridge] transparent bridge and proxies
2006-08-24 20:17 ` Benny Amorsen
@ 2006-08-24 22:42 ` Etienne Pretorius
0 siblings, 0 replies; 9+ messages in thread
From: Etienne Pretorius @ 2006-08-24 22:42 UTC (permalink / raw)
To: bridge
[-- Attachment #1: Type: text/plain, Size: 1566 bytes --]
I am also all ears,
The transparent proxy without an IP address was my first attempt - but
then I succumbed to the pressures of a due date and just eventually
assigned an IP address to the bridged interfaces.
I suspect that it will have to be done with ip route 2 package - but
even the one-way NAT does not make your machine transparent as you need
to reply to ARP requests to allow the returning packet to find your
machine/application....
PS, could this list please add a reply-to field to just allow me to
reply to the list and not to the poster.... (so sorry Benny Amorsen for
the other email).
Kind Regards
Etienne
Benny Amorsen wrote:
>>>>>> "JL-S" == Julian Lyndon-Smith <asterisk@dotr.com> writes:
>>>>>>
>
> JL-S> So, I changed the ip address to 0.0.0.0. Everything except squid
> JL-S> still worked. I presume that's because it does not know how to
> JL-S> route the data to get stuff.
>
> JL-S> Can I add a rule to iptables or something to say "anything
> JL-S> that's come from eth1 into the local box, after processing send
> JL-S> to eth0" and vice-versa ?
>
> How about using 127.0.0.1 or something else on the local subnet?
> iptables should be able to redirect to that.
>
> I don't know how you'll get traffic from squid out of the box though.
> If you know a way to make squid reuse the original clients address in
> the outgoing connection, I'm all ears.
>
>
> /Benny
>
>
> _______________________________________________
> Bridge mailing list
> Bridge@lists.osdl.org
> https://lists.osdl.org/mailman/listinfo/bridge
>
[-- Attachment #2: Type: text/html, Size: 2445 bytes --]
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [Bridge] transparent bridge and proxies
@ 2006-08-25 10:53 Skept
0 siblings, 0 replies; 9+ messages in thread
From: Skept @ 2006-08-25 10:53 UTC (permalink / raw)
To: bridge
Julian,
I did not understand what you meant by this paragraph.
"Now, for the twist. For development and testing, I assigned an ip
address and gateway to the bridge. I need to be able for a "non-it"
person to install this box without having to set it up at all , so it
cannot have an ip address assigned, as it *may* be in use somewhere else
on the lan or router."
Did your bridge + transparent proxy work without you adding an ip[\and
route] to the bridge interface? I mean, before the "twist".
Skept
^ permalink raw reply [flat|nested] 9+ messages in thread
end of thread, other threads:[~2006-08-25 10:53 UTC | newest]
Thread overview: 9+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2006-08-24 17:31 [Bridge] transparent bridge and proxies Julian Lyndon-Smith
2006-08-24 18:20 ` Marek Kierdelewicz
2006-08-24 20:17 ` Benny Amorsen
2006-08-24 22:42 ` Etienne Pretorius
2006-08-24 20:17 ` Melissa Meyer
2006-08-24 22:05 ` Julian Lyndon-Smith
2006-08-24 22:34 ` Melissa Meyer
2006-08-24 22:20 ` Marek Kierdelewicz
2006-08-25 10:53 Skept
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.