Bypassing EBTABLES Rules
-
Hello Masters,
My pfSense 1.2.2 is performing very well as expected, with WAN Load Balancing fully functional.
However, to avoid the conflicts with load balancing and web caching, I set up squid on a separate box. It's installed on Debian Lenny, Squid Cache: Version 2.7.STABLE3, bridge mode.
LAN --> SQUID BOX --> pfSense 1.2.2 (with WLB) --> ISP (2x)
BUT four of my clients should bypass squid due to site restrictions, i.e., they can't log in to some sites if they're being cached; "acl no_cache_sites dstdomain" didn't help. I have EBTABLES installed on lenny, here's the rule:
ebtables -t broute -A BROUTING -p IPv4 --ip-protocol 6 --ip-destination-port 80 -j redirect --redirect-target ACCEPT
iptables -t nat -A PREROUTING -i br0 -p tcp --dport 80 -j REDIRECT --to-port 3128
Is there a way to let my clients bypass this rule?
How can I edit the rule if, let's say, I want my client to bypass the proxy if the destination url is www.yahoo.com?
Inserting this rule in between didn't help:
iptables -t nat -A PREROUTING -i br0 -d www.yahoo.com -j ACCEPT
I don't know much about IPTABLES and EBTABLES but for the gurus of our forum this is just a popcorn :D
I know this is not of pfSense but I'm a little bit desperate.
Thanks Masters. -
Any idea?
Anybody?
Please… :'( -
First of all: pfSense uses pf to filter packets and not iptables.
Search for the man pages of "pf" and the forum for similar examples.
-
First of all: pfSense uses pf to filter packets and not iptables.
Search for the man pages of "pf" and the forum for similar examples.
Thanks GruensFroeschli,
The rule is on the squid box, not pfSense.
The squid box is in bridged mode and the EBTABLES rule catches all the requests.
My goal is to bypass the ebtables rule IF the request url is, let's say, www.yahoo.com
Thanks again
-
Given that EBTables is running on your Squid host and its rules take effect before the packets reach Squid, there's nothing pfSense can do about this. You can only solve this by either:
- Configuring ebtables to not redirect for certain MAC addresses
- Configuring those hosts with a different route
-
@Cry:
Given that EBTables is running on your Squid host and its rules take effect before the packets reach Squid, there's nothing pfSense can do about this. You can only solve this by either:
- Configuring ebtables to not redirect for certain MAC addresses
- Configuring those hosts with a different route
Yes, there's nothing pfSense can do about this.
Please give some example on how to do it.
This is exactly what I want to do: configure ebtables to not redirect for certain MAC addresses and configure those hosts with a different route.
Thank you Cry Havok
-
Here is a simple example that will make all IP traffic entering a (forwarding) bridge port be routed instead of bridged (suppose eth0 is a port of the bridge br0):
ebtables -t broute -A BROUTING -i eth0 -p ipv4 -j redirect --redirect-target DROP
As mentioned in the man pages, the DROP target in the BROUTING chain actually broutes the frame. The redirect target will trick the network code to think the packet was originally destined for the box.
Now this doesn't work:
ebtables -t broute -A BROUTING -i eth0 -p ipv4 --ip-destination <url here> -j redirect --redirect-target DROP
ebtables -t broute -A BROUTING -p IPv4 --ip-protocol 6 --ip-destination-port 80 -j redirect --redirect-target ACCEPT
iptables -t nat -A PREROUTING -i br0 -p tcp --dport 80 -j REDIRECT --to-port 3128
I know I am missing something here.
Please share your ideas. :'( -
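Added example, not posted by anyone in this thread: a script that builds the rule set Cry Havok describes (the first of the two options, a MAC-address bypass list) around the redirect rules the original poster already has. Two points it makes concrete. First, in the BROUTING chain the ACCEPT target means "bridge this frame normally", so an ACCEPT rule matching the exempt hosts' source MACs (`-s`) placed ahead of the redirect rule keeps those frames away from Squid entirely. Second, ebtables' `--ip-destination` matches an IP address or network, not a hostname, and iptables `-d name` is resolved to whatever addresses the name has at the moment the rule is inserted, which is why matching on a URL in either tool does not give a reliable per-site bypass; a per-host bypass by MAC does. Assumptions: br0 is the bridge, eth0 its LAN-facing port, Squid listens on 3128, and the MACs in BYPASS_MACS are constructed samples. Run it with `apply` as the first argument on the Squid box to install the rules; with no argument it only defines the functions, and DRY_RUN=1 prints the commands for review instead of executing them.

```shell
#!/bin/sh
# Added example (not from the thread): transparent-Squid bridge rules with a
# MAC-address bypass list inserted ahead of the redirect rule.
# Assumed names: br0 bridge, eth0 LAN-facing port, Squid on 3128.
BRIDGE_IF="${BRIDGE_IF:-br0}"
LAN_PORT="${LAN_PORT:-eth0}"
SQUID_PORT="${SQUID_PORT:-3128}"
# Constructed sample MACs of the hosts that must not go through Squid.
BYPASS_MACS="${BYPASS_MACS:-00:11:22:33:44:55 00:11:22:33:44:66}"

# With DRY_RUN=1 the commands are printed instead of executed, which is
# also how the rule set can be reviewed before it is applied.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Validate a MAC address (six colon-separated hex pairs) so a typo does
# not silently become a rule that matches nothing.
valid_mac() {
    echo "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

build_rules() {
    # Start from empty chains so re-running the script is idempotent.
    run ebtables -t broute -F BROUTING
    run iptables -t nat -F PREROUTING

    # Exemptions first: ACCEPT in the BROUTING chain means "bridge the
    # frame normally", so these hosts never reach the redirect rule.
    for mac in $BYPASS_MACS; do
        if valid_mac "$mac"; then
            run ebtables -t broute -A BROUTING -i "$LAN_PORT" -s "$mac" -j ACCEPT
        else
            echo "skipping invalid MAC: $mac" >&2
        fi
    done

    # Everyone else: rewrite the destination MAC to the bridge's own so the
    # frame is delivered to the local IP stack (the rule from the thread).
    run ebtables -t broute -A BROUTING -i "$LAN_PORT" -p IPv4 --ip-protocol 6 \
        --ip-destination-port 80 -j redirect --redirect-target ACCEPT

    # Locally delivered port-80 traffic is then handed to Squid.
    run iptables -t nat -A PREROUTING -i "$BRIDGE_IF" -p tcp --dport 80 \
        -j REDIRECT --to-port "$SQUID_PORT"
}

# Number of bypass rules the current BYPASS_MACS would produce; a quick
# sanity check that every intended host actually got an exemption.
bypass_rule_count() {
    (DRY_RUN=1; build_rules) 2>/dev/null | grep -c -e '-j ACCEPT$'
}

# Only install rules when explicitly asked to.
if [ "${1:-}" = "apply" ]; then
    build_rules
fi
```

Rule order is the whole point: ebtables evaluates BROUTING top to bottom and stops at the first matching target, so the bypass rules must be appended before the redirect rule (or inserted with `-I BROUTING 1` into an existing chain). A host not in the list still gets redirected exactly as before.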
My idea is that you ask EBTables questions on the EBTables mailing lists ;)
Seriously, you're asking about a Linux specific tool on a forum regarding a custom FreeBSD platform. While you'll get some help, it makes about as much sense as asking your optician for advice on stomach pains.