I want to set up a transparent proxy bridge on Arch Linux. After some configuration, the bridge works fine, but the traffic doesn't go through the proxy server. I don't know where the problem is. Can you please help and give some advice?
The Squid proxy is running on TCP port 3128.
Thanks!
#!/bin/bash
# Set the proxy port (adjust as needed)
proxy_port="3128"
# Set the names of the internal and external network interfaces
internal_interface="eth0"
external_interface="eth1"
# Clear existing network configurations for the internal and external interfaces
ip link set dev $internal_interface down
ip addr flush dev $internal_interface
ip link set dev $internal_interface up
ip link set dev $external_interface down
ip addr flush dev $external_interface
ip link set dev $external_interface up
# Check if a bridge with the same name exists, and delete it if it does
bridge="br0"
if ip link show $bridge &> /dev/null; then
    echo "Deleting existing bridge: $bridge"
    ip link set dev $bridge down
    brctl delbr $bridge
fi
# Create the bridge and enslave the internal and external interfaces to it
brctl addbr $bridge
brctl addif $bridge $internal_interface
brctl addif $bridge $external_interface
# Enable the bridge interface
ip link set dev $bridge up
# Enable IP forwarding
sysctl net.ipv4.ip_forward=1
# Clear the nat table rules
iptables -t nat -F
# Use iptables nat rules to implement transparent proxying: redirect TCP traffic
# arriving on the internal interface for ports 80 and 443 to the local proxy port
if ! iptables -t nat -C PREROUTING -i $internal_interface -p tcp --dport 80 -j REDIRECT --to-ports $proxy_port &> /dev/null; then
    iptables -t nat -A PREROUTING -i $internal_interface -p tcp --dport 80 -j REDIRECT --to-ports $proxy_port
fi
if ! iptables -t nat -C PREROUTING -i $internal_interface -p tcp --dport 443 -j REDIRECT --to-ports $proxy_port &> /dev/null; then
    iptables -t nat -A PREROUTING -i $internal_interface -p tcp --dport 443 -j REDIRECT --to-ports $proxy_port
fi
# Save the iptables rules so they survive a reboot
iptables-save | tee /etc/iptables/iptables.rules
Arch Linux, simple & powerful, I love it.
You are trying to combine bridging (OSI level 2) and IP-based port redirection (OSI level 3).
The bridge forwards all packets on a lower level than the IP stack - the packets will never reach the PREROUTING chain.
You have to combine IP routing (OSI level 3 via SNAT/DNAT/MASQUERADE) and a transparent proxy
- or -
use "ebtables" for bridge filtering. Bridge filtering is AFAIK unable to redirect to different ports (only to different addresses).
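As an added example (not code posted in this thread), the following script shows the first option the reply describes: a routed, layer-3 setup where the internal interface keeps its own subnet and traffic is NATed out through the external interface, so that a nat PREROUTING REDIRECT on the internal interface actually sees the packets. It also includes a check for the mistake in the question, namely placing the REDIRECT rule on an interface that is enslaved to a bridge. Interface names (eth0/eth1), the proxy port 3128 and the sysfs path are parameters and assumptions; the script only prints the iptables commands rather than executing them, so it can be run and inspected without root.

```shell
#!/bin/sh
# Added example: routed transparent-proxy rules plus a bridge-port check.
# Nothing here is applied to the system; routed_proxy_rules only prints commands.
set -e

# Return 0 if interface $1 is currently enslaved to a Linux bridge. The kernel
# exposes a "brport" directory under the interface's sysfs entry in that case.
# $2 overrides the sysfs root so the check can be exercised on a constructed tree.
is_bridge_port() {
    local iface="$1" sysroot="${2:-/sys/class/net}"
    [ -d "$sysroot/$iface/brport" ]
}

# Print the iptables commands for a routed (layer-3) transparent proxy:
# forwarding on, port 80 from the LAN side REDIRECTed to the local proxy,
# everything else leaving the external interface MASQUERADEd, and the FORWARD
# chain opened only for LAN-initiated connections and their replies.
# (Constructed rule set; adjust ports and interfaces to the real deployment.)
routed_proxy_rules() {
    local internal="$1" external="$2" proxy_port="$3"
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A PREROUTING -i $internal -p tcp --dport 80 -j REDIRECT --to-ports $proxy_port
iptables -t nat -A POSTROUTING -o $external -j MASQUERADE
iptables -A FORWARD -i $internal -o $external -j ACCEPT
iptables -A FORWARD -i $external -o $internal -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Reproduce the diagnosis from the thread as a check: a nat REDIRECT rule bound
# to an interface that is a bridge port does not see the bridged frames, because
# they are switched at layer 2 and never reach the IP-layer PREROUTING chain.
# Returns 1 (with a message on stderr) when the interface is a bridge port.
check_redirect_interface() {
    local iface="$1" sysroot="${2:-/sys/class/net}"
    if is_bridge_port "$iface" "$sysroot"; then
        echo "$iface is a bridge port: frames are switched at layer 2 and skip nat PREROUTING" >&2
        return 1
    fi
    echo "$iface is not bridged; nat PREROUTING rules on it apply"
}

# Stand-alone usage against the live system (prints only, never applies):
#   sh routed-proxy.sh [internal] [external] [proxy_port]
check_redirect_interface "${1:-eth0}" || true
routed_proxy_rules "${1:-eth0}" "${2:-eth1}" "${3:-3128}"
```

Run it with the real interface names; if `check_redirect_interface` reports that the internal interface is a bridge port, that is the situation the reply describes, and the printed rule set is a starting point for the routed alternative (the bridge has to be dismantled and the internal interface given its own address first).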