From: "Henrik Nordstrom" <henrik@henriknordstrom.net>
>> Can I simulate a level 4 switch behaviour using Linux ? If yes,
>> any insight to the necessary ebtables/iptables rules ?
>
>Linux policy routing is an example of "layer 4".
I am wondering if this setup shall be a reason representation of a so-called
level 4 bridge. This configuration works under both 'tproxy transparent'
as well as 'transparent' mode for squid 2.6 stable 13.
Assuming :-
NETMASK=255.255.192.0
SQUID_IP=192.168.128.50
L4_SWITCH_IP=192.168.128.51
INTERNET_GW=192.168.128.1
1. On the L4 switch create bridge br0 consisting of 3 ethernet interfaces.
eth1 is connected to internet
eth0 is connected to inside network
eth2 is connected to squid
# ifconfig eth0 0.0.0.0 promisc up
# ifconfig eth1 0.0.0.0 promisc up
# ifconfig eth2 0.0.0.0 promisc up
# brctl addbr br0
# brctl addif br0 eth0
# brctl addif br0 eth1
# brctl addif br0 eth2
# ifconfig br0 $L4_SWITCH_IP netmask $NETMASK up
2. Set up the bridge to mark the packets so that policy routing works :-
from inside network go to internet destination port 80, mark 1.
from internet come back with source port 80, mark 1 as well.
# ebtables -t broute -A BROUTING -i eth0 -p IPv4 --ip-protocol 6 \
--ip-destination-port 80 -j redirect --redirect-target DROP
# iptables -t mangle -A PREROUTING -i eth0 -p tcp --dport 80 \
-j MARK --set-mark 1
#ebtables -t broute -A BROUTING -i eth1 -p IPv4 --ip-protocol 6 \
--ip-source-port 80 -j redirect --redirect-target DROP
# iptables -t mangle -A PREROUTING -i eth1 -p tcp --sport 80 \
-j MARK --set-mark 1
3. Set up additional routing table and ip rule :-
# echo '100 one' > /etc/iproute2/rt_tables
# ip rule add fwmark 1 lookup one
# ip route add default via $SQUID_IP table one
( routing table 'one' need only to have one line, ie the default route,
local interface routes will interfere with tproxy )
# ip route add default via $INTERNET_GW table main
Regards.
Received on Thu Jul 19 2007 - 03:17:22 MDT
This archive was generated by hypermail pre-2.1.9 : Wed Aug 01 2007 - 12:00:03 MDT