Re: [squid-users] Ready for the funny farm

From: Henrik Nordstrom <hno@dont-contact.us>
Date: 07 Apr 2003 16:51:20 +0200

In a stock Linux-2.4 kernel bridged packets are not normally seen by
netfilter/iptables. This is because the bridge operates at Ethernet
level, while netfilter/iptables operate at the IP level which is higher
up in the networking code. Because of this netfilter/iptables normally
sees traffic actually directed to this box, including packets routed via
the box, but not bridged packets.

Only if your kernel is built with support for netfilter/iptables
firewalling of bridged traffic can iptables be used to intercept bridged
traffic without taking special actions.

There are currently two methods of enabling interception in a Linux
bridge:

 a) Use the netfilter bridge integration patches, and have the suitable
kernel option enabled when the kernel is built.

 b) Use the divert module.

I think the normal RedHat kernels have the divert module enabled, but
not the bridge netfilter/iptables integration. See the documentation on
divert for instructions on how to tell the divert module to divert the
needed packets to the local host instead of bridging so they can be
intercepted by your iptables rule.

Another option is to use proxy-arp instead of bridging. Technically
this will make the traffic routed, not bridged, and iptables will
function fine just as in any other router. The use of proxy-arp is in my
opinion a more stable solution than bridging when applying
firewalling/interception in the middle of an existing network without
address reassignment, but may require a little more configuration to
tell the proxy-arp gateway how your network should be divided (you need
a list of local network addresses on at least one side of the gateway,
it can't automatically learn like a bridge).

Regards
Henrik

Mon 2003-04-07 at 16:13 Lincoln Rutledge wrote:
> Henrik,
>
> Thanks for your response. I guess I could've been more descriptive, but
> I was heavily frustrated at the time...
>
> The problem, I believe, is that squid is running fine and that my bridge
> is running fine, but port 80 traffic is not being redirected to squid.
>
> I am using the stock RH 8 kernel.
>
> I will recompile with the appropriate settings from the HOWTO. I was
> trying to compile a 2.5.x kernel without success, and forgot to go back
> and try a 2.4.x.
>
> Thanks for the pointer,
>
> Lincoln
>
> Henrik Nordstrom wrote:
> > Next time please describe your problem instead of sending a huge dump of
> > all kinds of information..
> >
> > First question: Have you enabled netfilter integration in the bridge
> > kernel? (kernel compiletime option).
> >
> > Regards
> > Henrik
> >
> >

-- 
Free Squid-users support provided by Henrik Nordström <hno@squid-cache.org>
Donations welcome if you consider my Free Squid support helpful.
https://www.paypal.com/xclick/business=hno%40squid-cache.org
If you need commercial Squid support or cost effective Squid and
firewall appliances please refer to MARA Systems AB, Sweden
http://www.marasystems.com/, info@marasystems.com
Received on Mon Apr 07 2003 - 08:51:45 MDT
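A shell sketch of the proxy-arp approach from the mail above (the "router instead of bridge" option, plus the port-80 redirect to Squid that the thread is about) and a check for whether the running kernel exposes bridge-netfilter integration at all. This is an added example, not code from Henrik's mail or from the Squid project; the interface names eth0/eth1, the LAN host list, the Squid port 3128 and the DRY_RUN default are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original mail. Assumed layout:
# eth0 = upstream side, eth1 = LAN side, Squid listening on 3128.
# DRY_RUN=1 (the default here) prints the commands instead of running them.
DRY_RUN="${DRY_RUN:-1}"

run() {
  if [ -n "$DRY_RUN" ]; then echo "$*"; else "$@"; fi
}

# Returns 0 only if the bridge-nf sysctl exists and is switched on.
# A stock 2.4 kernel without the bridge-nf patch has no such file, which
# is exactly the case where bridged port-80 traffic never reaches iptables.
# $1 optionally overrides the sysctl path (used for testing).
bridge_nf_enabled() {
  f="${1:-/proc/sys/net/bridge/bridge-nf-call-iptables}"
  [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# Proxy-arp interception: the box routes instead of bridging, so the
# usual PREROUTING REDIRECT works. The gateway must be told which
# addresses live on the LAN side (the host routes below); it cannot
# learn them like a bridge would.
# $1 = upstream iface, $2 = LAN iface, $3 = Squid port, rest = LAN hosts
proxyarp_intercept() {
  up="$1"; lan="$2"; port="$3"; shift 3
  run sysctl -w net.ipv4.ip_forward=1
  run sysctl -w "net.ipv4.conf.$up.proxy_arp=1"
  run sysctl -w "net.ipv4.conf.$lan.proxy_arp=1"
  for h in "$@"; do
    run ip route add "$h/32" dev "$lan"
  done
  # Only LAN-originated port 80 is redirected; nothing else is touched.
  run iptables -t nat -A PREROUTING -i "$lan" -p tcp --dport 80 \
      -j REDIRECT --to-ports "$port"
}

# Constructed sample: two LAN hosts behind eth1.
proxyarp_intercept eth0 eth1 3128 192.0.2.10 192.0.2.11
```

Run with DRY_RUN= (empty) as root to apply the commands for real.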
