Hi
--- On Tue, 10/27/09, Amos Jeffries <squid3@treenet.co.nz> wrote:
> From: Amos Jeffries <squid3@treenet.co.nz>
> Subject: Re: [squid-users] Tproxy4+squid: ebtables wiki
> To: "Marko Kotar" <kotarmarko@yahoo.com>
> Cc: squid-users@squid-cache.org
> Date: Tuesday, October 27, 2009, 11:32 PM
> On Tue, 27 Oct 2009 11:50:56 -0700 (PDT), Marko Kotar <kotarmarko@yahoo.com> wrote:
> > Hi,
> > You have incorrect commands in the squid wiki for tproxy4 ebtables:
> > I figured out that it is not "--redirect-target DROP" but it is
> > "--redirect-target ACCEPT".
>
> Um, that's not what the kernel people, TPROXY authors, and other testers
> tell me.
>
> This explains the DROP if you are interested in the fine details...
> https://lists.balabit.hu/pipermail/tproxy/2007-August/000448.html
>
> Digging back I see there were some /proc updates that got omitted from the
> wiki. Do these make a difference for you?
>
> cd /proc/sys/net/bridge/
> for i in *
> do
> echo 0 > $i
> done
> unset i
>
> (http://www.mail-archive.com/squid-users@squid-cache.org/msg65318.html)
Well, the fact is it simply doesn't work if I use DROP (the connection doesn't even get through).
If I don't use any of ebtables' rules, the connection is forwarded by the bridge,
but only if squid is listening on the port.
If I use ACCEPT, the connection gets through squid.
There was also some How-to or something like that from earlier TPROXY versions having ACCEPT.
I think https://lists.balabit.hu/pipermail/tproxy/2007-August/000448.html is something completely different from what is explained in your guide.
I think this is the right solution to the bridge problem, because there are ARP replies with the MAC address of the machine with TPROXY and not the actual machines behind it.
This solution isn't a bridge at all. All the traffic is routed except ARP replies and ARP requests.
My solution can cause confusion about which IP has which MAC address. So it does both a little bridging and routing. It all depends on how devices connected to this weird bridge are caching MAC addresses.
I will run some tests tomorrow and try to confirm there are actually two MAC addresses with the same IP.
>
> > There is a "-j REDIRECT" which should be in lowercase letters "-j redirect".
>
> Oops. Thanks for that.
>
>
> Amos
>
Good night
Received on Tue Oct 27 2009 - 23:48:09 MDT