Netgate Discussion Forum

    Bypassing EBTABLES Rules

    Off-Topic & Non-Support Discussion
    9 Posts 3 Posters 9.1k Views
      smith02:

      Hello Masters,

      My pfSense 1.2.2 is performing very well as expected, with WAN Load Balancing fully functional.
      However, to avoid conflicts between load balancing and web caching, I set up Squid on a separate box. It's installed on Debian Lenny (Squid Cache: Version 2.7.STABLE3), in bridge mode.

      LAN –> SQUID BOX --> pfSense 1.2.2 (with WLB) --> ISP (2x)

      But four of my clients should bypass Squid due to site restrictions, i.e. they can't log in to some sites if they're being cached; "acl no_cache_sites dstdomain" didn't help. I have ebtables installed on Lenny; here are the rules:

      ebtables -t broute -A BROUTING -p IPv4 --ip-protocol 6 --ip-destination-port 80 -j redirect --redirect-target ACCEPT

      iptables -t nat -A PREROUTING -i br0 -p tcp --dport 80 -j REDIRECT --to-port 3128

      Is there a way to let my clients bypass this rule?
      How can I edit the rule if, let's say, I want my client to bypass the proxy if the destination URL is www.yahoo.com?

      Inserting this rule in between didn't help:

      iptables -t nat -A PREROUTING -i br0 -d www.yahoo.com -j ACCEPT

      I don't know much about iptables and ebtables, but for the gurus of our
      forum this is just popcorn :D
      I know this is not about pfSense, but I'm a little bit desperate.
      Thanks Masters.

        smith02:

        Any idea?
        Anybody?
        Please… :'(

          GruensFroeschli:

          First of all: pfSense uses pf to filter packets, not iptables.

          Search for the man pages of "pf" and the forum for similar examples.

          We do what we must, because we can.

          Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

            smith02:

            @GruensFroeschli:

            First of all: pfSense uses pf to filter packets and not iptables.

            Search for the man pages of "pf" and the forum for similar examples.

            Thanks GruensFroeschli,
            the rule is on the Squid box, not pfSense.
            The Squid box is in bridged mode and the ebtables
            rule catches all the requests.
            My goal is to bypass the ebtables rule IF the request URL is, let's say, www.yahoo.com.

            thanks again

              Cry Havok:

              Given that ebtables is running on your Squid host and its rules take effect before the packets reach Squid, there's nothing pfSense can do about this. You can only solve this by either:

              1. Configuring ebtables to not redirect for certain MAC addresses

              2. Configuring those hosts with a different route

                smith02:

                @Cry:

                Given that ebtables is running on your Squid host and its rules take effect before the packets reach Squid, there's nothing pfSense can do about this. You can only solve this by either:

                1. Configuring ebtables to not redirect for certain MAC addresses

                2. Configuring those hosts with a different route

                Yes, there's nothing pfSense can do about this.
                Please give an example of how to do it.
                This is exactly what I want to do:

                Configure ebtables to not redirect for certain MAC addresses, and
                configure those hosts with a different route.

                Thank you Cry Havok

                  Cry Havok:

                  The documentation for EBTables is here and their mailing lists are here.

                    smith02:

                    Here is a simple example that will make all IP 
                    traffic entering a (forwarding) bridge port be routed instead 
                    of bridged (suppose eth0 is a port of the bridge br0):
                    
                    ebtables -t broute -A BROUTING -i eth0 -p ipv4 -j redirect --redirect-target DROP
                    
                    As mentioned in the man pages, the DROP target in the 
                    BROUTING chain actually broutes the frame. The redirect 
                    target will trick the network code to think the packet was 
                    originally destined for the box. 
                    

                    Now this doesn't work:

                    ebtables -t broute -A BROUTING -i eth0 -p ipv4 --ip-destination <url here> -j redirect --redirect-target DROP
                    ebtables -t broute -A BROUTING -p IPv4 --ip-protocol 6 --ip-destination-port 80 -j redirect --redirect-target ACCEPT
                    iptables -t nat -A PREROUTING -i br0 -p tcp --dport 80 -j REDIRECT --to-port 3128
                    

                    I know i am missing something here,
                    Please share your ideas.  :'(

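Cry Havok's first suggestion (exempt certain MAC addresses in ebtables) and the attempt in the post above to match a URL with `--ip-destination` come down to the same mechanism: exemption rules must sit in the BROUTING chain ahead of the redirect rule, and they can only match layer-2/3 fields. The script below is an added example written for this page, not code from the thread or from the ebtables project. The bridge name, proxy port, client MACs and destination networks are constructed placeholders. It prints the rules in the order they must be installed (a dry run by default) and only executes them when invoked with `apply`.

```shell
#!/bin/sh
# Added example for this thread (not from the original posts or the ebtables
# project): transparent Squid bridge with bypass rules. Every name and address
# below is an assumption / constructed placeholder; edit them for your box.

BRIDGE=br0          # bridge device; eth0/eth1 are its ports (assumed)
PROXY_PORT=3128     # Squid's http_port (assumed)
# Clients that must never be proxied (constructed sample MACs).
BYPASS_MACS="00:11:22:33:44:55 66:77:88:99:aa:bb"
# Destinations that must never be proxied. ebtables and iptables match IP
# addresses, not URLs or hostnames: resolve the site once and list the
# addresses here (constructed sample networks from RFC 5737).
BYPASS_DSTS="192.0.2.10/32 198.51.100.0/24"

# valid_mac MAC: succeed if MAC is six colon-separated hex octets.
valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$'
}

# emit_rules: print the commands in the order they must be installed.
emit_rules() {
    # Start from a known state so the order is exactly the order printed here.
    echo "ebtables -t broute -F BROUTING"
    echo "iptables -t nat -F PREROUTING"

    # 1. Exemptions go first. ACCEPT in the BROUTING chain means "bridge the
    #    frame as usual", so an exempted frame never reaches the redirect rule
    #    below and never shows up in iptables on $BRIDGE.
    for mac in $BYPASS_MACS; do
        valid_mac "$mac" || { echo "invalid MAC: $mac" >&2; return 1; }
        echo "ebtables -t broute -A BROUTING -s $mac -p IPv4 --ip-protocol 6 --ip-destination-port 80 -j ACCEPT"
    done
    for dst in $BYPASS_DSTS; do
        echo "ebtables -t broute -A BROUTING -p IPv4 --ip-destination $dst --ip-protocol 6 --ip-destination-port 80 -j ACCEPT"
    done

    # 2. Everything else to TCP/80: rewrite the destination MAC to the bridge's
    #    own and let the local IP stack pick the frame up (the rule from the
    #    first post of the thread).
    echo "ebtables -t broute -A BROUTING -p IPv4 --ip-protocol 6 --ip-destination-port 80 -j redirect --redirect-target ACCEPT"

    # 3. Only frames delivered locally via $BRIDGE reach this chain, so the
    #    exempted ones are never redirected to Squid.
    echo "iptables -t nat -A PREROUTING -i $BRIDGE -p tcp --dport 80 -j REDIRECT --to-port $PROXY_PORT"
}

# exemptions_before_redirect: how many ACCEPT rules precede the redirect rule.
# A sanity check on ordering before applying anything.
exemptions_before_redirect() {
    emit_rules | awk '/-j redirect/ { exit } /-j ACCEPT/ { n++ } END { print n + 0 }'
}

case "${1:-}" in
    apply) emit_rules | sh -e ;;   # run as root on the Squid box
    *)     emit_rules ;;           # default: dry run, just print the commands
esac
```

Run it without arguments to review the generated commands, then `sh proxy-bypass.sh apply` as root. The exemption has to live in BROUTING: an iptables `ACCEPT` inserted after the ebtables redirect has already rewritten the destination MAC only stops the port redirect, and the frame is then handled by the proxy box's own IP stack (routed if forwarding is on, otherwise dropped) instead of being bridged. Two caveats: a MAC address is trivially changed by the client, so this is a convenience exemption, not access control; and only TCP/80 is intercepted by these rules, so HTTPS to the restricted sites never went through Squid in the first place.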
                      Cry Havok:

                      My idea is that you ask EBTables questions on the EBTables mailing lists ;)

                      Seriously, you're asking about a Linux-specific tool on a forum for a custom FreeBSD platform. While you'll get some help, it makes about as much sense as asking your optician for advice on stomach pains.

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.