Problem with return packets from proxy
We are running a transparent bridge on an RH7.3 machine with Linux 2.4.21 using brctl. It works fine.
I want to add a transparent proxy to block certain browsers from going to certain sites. It looked like HTTP::Proxy in Perl would work (well, it does, if I can get it to run transparently, either directly or with tproxy).
Getting Squid to work transparently seemed a
good first step.
I initially followed the recipe in
and then the recipe above.
I tried squid-2.4.STABLE6 from rpm, and also
built squid-2.5.STABLE9 with --enable-linux-netfilter.
Squid works OK.
Capturing packets works OK in UDP - I can capture
all traffic to my test port with "nc -u -l -p 9000" on
the bridge. But in TCP the replies get lost.
If Squid is not running, I get "connection refused".
If it's running, the browser (telnet for testing) hangs
and I see a TCP reset on the target host apparently
coming from the client.
Initially I just had
iptables -t nat -A PREROUTING -i br0 -p tcp --dport 9000 \
-j REDIRECT --to-port 3128
but then tried adding
echo 1 > /proc/sys/net/ipv4/ip_forward
ifup eth0 promisc ; ifup eth1 promisc
ebtables -t broute -A BROUTING -p IPv4 --ip-protocol 6 \
--ip-destination-port 9000 -j redirect --redirect-target ACCEPT
iptables -A INPUT -i br0 -p tcp -d bridge-ip -s 127.0.0.1 \
--dport 3128 -m state --state NEW,ESTABLISHED -j ACCEPT
none of which made any difference.
It seems like I am missing something, but what?
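An added check script, not from the original post, for the setup described above: it verifies the sysctls a REDIRECT-to-Squid rule on a Linux bridge depends on and prints the rule from the post with its interface and ports as parameters. PROC_ROOT and the bridge-nf-call-iptables knob are assumptions here: the knob exists only on kernels that carry the bridge-nf code, and while it is 0 the nat PREROUTING rule never sees bridged frames.

```shell
#!/bin/sh
# Added example (not the poster's code): sanity-check a transparent
# REDIRECT-to-Squid setup on a Linux bridge. PROC_ROOT defaults to /proc;
# pointing it at a constructed directory lets the check run offline.
# Assumption: /proc/sys/net/bridge/bridge-nf-call-iptables is present
# (bridge-nf kernels) and must be 1 for iptables to see bridged traffic.

read_knob() {
    # $1 = path relative to PROC_ROOT; prints "missing" if the file is absent
    f="${PROC_ROOT:-/proc}/$1"
    if [ -r "$f" ]; then cat "$f"; else echo missing; fi
}

check_bridge_redirect() {
    # One line per knob: "ok <knob>" or "fix <knob> (got <value>)".
    # Returns 0 only when every knob has the expected value.
    rc=0
    for spec in sys/net/ipv4/ip_forward=1 \
                sys/net/bridge/bridge-nf-call-iptables=1; do
        knob="${spec%=*}"; want="${spec#*=}"
        got=$(read_knob "$knob")
        if [ "$got" = "$want" ]; then
            echo "ok $knob"
        else
            echo "fix $knob (got $got)"
            rc=1
        fi
    done
    return $rc
}

redirect_rule() {
    # $1 = bridge interface, $2 = client port, $3 = Squid port.
    # Echoed, not applied, so the script never changes the firewall itself.
    echo "iptables -t nat -A PREROUTING -i $1 -p tcp --dport $2 -j REDIRECT --to-port $3"
}

if [ "${1:-}" = "run" ]; then
    check_bridge_redirect
    redirect_rule br0 9000 3128
fi
```

Run it as `sh check.sh run` on the bridge; a "fix" line names the knob to set before retesting the TCP path.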