
Re: squid tproxy in ipv6 environment.





On 26-Jun-12 12:08, Pawel Mojski wrote:


v6priv linux # ebtables -t broute -A BROUTING -i eth0 -p ipv6 --ip-proto tcp --ip-sport 80 -j redirect --redirect-target DROP
For IP filtering the protocol must be specified as IPv4.


Ok, I've found my mistake. I should use --ip6-proto and --ip6-sport.
But now all commands are accepted, but the traffic does not work.
I suppose it might be the rp_filter configuration, but I cannot find any rp_filter switch for ipv6.
Is rp_filter for ipv6 enabled or disabled by default?

Here is my configuration:
#!/bin/sh
PATH=$PATH:/sbin

LAN="eth1"
WAN="eth0"
ip6tables -t mangle -F
ip6tables -t mangle -X

ip6tables -t mangle -N DIVERT
ip6tables -t mangle -A DIVERT -j MARK --set-mark 1
ip6tables -t mangle -A DIVERT -j ACCEPT
ip6tables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
ip6tables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129

ebtables -t broute -F
ebtables -t broute -A BROUTING -i $LAN -p ipv6 --ip6-proto tcp --ip6-dport 80 -j redirect --redirect-target DROP
ebtables -t broute -A BROUTING -i $WAN -p ipv6 --ip6-proto tcp --ip6-sport 80 -j redirect --redirect-target DROP

After running this, no traffic to port 80 is accepted.

Here are ip6tables stats:
v6priv ~ # ip6tables -t mangle -vL
Chain PREROUTING (policy ACCEPT 27 packets, 1944 bytes)
 pkts bytes target     prot opt in     out     source destination
    0     0 DIVERT     tcp      any    any     anywhere anywhere socket
   52  4160 TPROXY     tcp      any    any     anywhere anywhere tcp dpt:http TPROXY redirect :::3129 mark 0x1/0x1

Chain INPUT (policy ACCEPT 27 packets, 1944 bytes)
 pkts bytes target     prot opt in     out     source destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source destination

Chain DIVERT (1 references)
 pkts bytes target     prot opt in     out     source destination
    0     0 MARK       all      any    any     anywhere anywhere MARK set 0x1
    0     0 ACCEPT     all      any    any     anywhere anywhere




Regards;
Pawel Mojski

