Re: Bypassing TPROXY bridge intercept.
On 04.07.2012 12:49, Daryl Radivojevic wrote:
Hi all, I have a question about bypassing TProxy intercept. I am using http://wiki.squid-cache.org/Features/Tproxy4 for transparent interception of SSL traffic. It works fine. During operation of the tproxy interception, some sites that users connect to, like banking, when discovered are placed in the ebtables BROUTE table before the DROP rules (as explained in the Tproxy4 document) like this:

# ebtables -t broute -L
-p IPv4 --ip-src 18.104.22.168 --ip-proto tcp --ip-sport 443 -j ACCEPT
-p IPv4 --ip-dst 22.214.171.124 --ip-proto tcp --ip-dport 443 -j ACCEPT
etc.

This all works fine. My concern is when there is a huge amount of such destinations. Is there a way to put these tproxy bypass exceptions in their own separate table, and how? My other question is how to prevent the existing chain counters being zeroed when a new destination is added to the chain?
I'll leave someone more familiar with ebtables to answer those specific questions.
At worst, there is also the option of iptables chains with an ipset rule bypassing the -j TPROXY target rule. This just means routing those packets instead of bridging. The resulting asymmetrical route path does not matter for these packets.
AYJ
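As an added example (not part of this thread, and not Squid's or netfilter's own code), here is the iptables/ipset variant AYJ refers to: the bypass destinations live in an ipset, and a single rule in front of the TPROXY rule accepts them out of mangle/PREROUTING so they are routed instead of handed to -j TPROXY. Assumptions: the Squid TPROXY rule sits in the mangle table's PREROUTING chain as in the Tproxy4 wiki setup, the set is called tproxy_bypass, and 203.0.113.10 is a constructed sample address.

```shell
#!/bin/sh
# Added example: keep TPROXY bypass exceptions in an ipset. The iptables rule
# set stays one rule long however many destinations are added, and adding a
# member only changes the set, so no iptables chain is rewritten.
SET_NAME="${SET_NAME:-tproxy_bypass}"   # assumed set name
RUN="${RUN:-run}"                       # RUN=echo prints commands instead of applying them

run() { "$@"; }

# Create the set once (idempotent thanks to -exist); IPv4 hash of host addresses.
create_bypass_set() {
    $RUN ipset create "$SET_NAME" hash:ip -exist
}

# Insert the bypass rule at position 1 of mangle/PREROUTING so it is evaluated
# before the TPROXY rule (assumed to match tcp dport 443 in the same chain).
# ACCEPT in mangle/PREROUTING stops traversal of that chain, so the packet is
# never diverted and simply follows the normal routing path.
install_bypass_rule() {
    $RUN iptables -t mangle -I PREROUTING 1 \
        -p tcp --dport 443 -m set --match-set "$SET_NAME" dst -j ACCEPT
}

# Add one destination (e.g. a banking site) to the bypass set.
add_bypass_host() {
    $RUN ipset add "$SET_NAME" "$1" -exist
}

# Usage: RUN=echo sh tproxy-bypass.sh 203.0.113.10   (print the commands)
#        sh tproxy-bypass.sh 203.0.113.10            (apply them, as root)
if [ $# -gt 0 ]; then
    create_bypass_set
    install_bypass_rule
    for host in "$@"; do
        add_bypass_host "$host"
    done
fi
```

Later additions need only add_bypass_host; the iptables rule and its counters are untouched.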