Possible for linux bridge to intercept traffic?
- by A G
I have a linux machine setup as a bridge between a client and a server;
brctl addbr0
brctl addif br0 eth1
brctl addif br0 eth2
ifconfig eth1 0.0.0.0
ifconfig eth2 0.0.0.0
ip link set br0 up
I also have an application listening on port 8080 of this machine.
Is it possible to have traffic destined for port 80 to be passed to my application?
I have done some research and it looks like it could be done using ebtables and iptables.
Here is the rest of my setup:
//set the ebtables to pass this traffic up to ip for processing; DROP on the broute table should do this
ebtables -t broute -A BROUTING -p ipv4 --ip-proto tcp --ip-dport 80 -j redirect --redirect-target DROP
//set iptables to forward this traffic to my app listening on port 8080
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --on-port 8080 --tproxy-mark 1/1
iptables -t mangle -A PREROUTING -p tcp -j MARK --set-mark 1/1
//once the flows are marked, have them delivered locally via loopback interface
ip rule add fwmark 1/1 table 1
ip route add local 0.0.0.0/0 dev lo table 1
//enable ip packet forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
However nothing is coming into my application. Am I missing anything? My understanding is that the target DROP on the broute BROUTING chain will push it up to be processed by iptables.
Secondly, are there any other alternatives I should investigate?
Edit: IPtables gets it at nat PREROUTING, but it looks like it drops after that; the INPUT chain (in either mangle or filter) doesn't see the packet.
