Proxy over bridge


(Juan Rodríguez) #1

Hi, when I configure nethserver in bridge mode, the packets stop going through the proxy.
Is it possible to use this configuration?
eth1 and eth2 in bridge mode (br0) and the active proxy, or is it necessary to install ebtables or similar?

A greeting.


(Filippo Carletti) #2

I never tried a setup like yours, but looking at this guide (http://freecode.com/articles/configuring-a-transparent-proxywebcache-in-a-bridge-using-squid-and-ebtables) I think that the only configuration missing in NethServer is this line:

ebtables -t broute -A BROUTING -p IPv4 --ip-protocol 6 \
        --ip-destination-port 80 -j redirect --redirect-target ACCEPT

Could you try adding it and report if it works as you expect?


(Juan Rodríguez) #3

Hello, thanks for the answer.
I have tried the configuration (including a redirection to port 443) and everything works perfectly. I have checked the reports of lightsquid, the antivirus etc … and everything ok.

Thank you


(Filippo Carletti) #4

Thank you for the feedback. Now we should plan if and how to implement this new feature. Any suggestion?
A simple custom template?
A switch in the proxy page?


(Markus Neuberger) #5

I wondered if the ebtables lines could be set up automatically, like if there are two bridged interfaces and the web proxy is activated. But I think it’s not possible because NethServer is very flexible with bridging and networking, so autodetecting bridge mode will not work.

On some other firewalls bridge (transparent) or routing (NAT) mode is a very basic setting. I changed a FortiGate last week from transparent to NAT mode and it kicked away some interface, policy and rule settings. They seem to be set up based on the mode.

I really like the bridge mode setup possibility, because one may use Nethserver as a firewall without changing other network devices, but I searched the forum and did not find many threads about bridged mode, so maybe a custom template is enough for now?

If not I’d like an option in advanced options so sysadmins are warned that it’s an “I know what I do” option. It may be greyed out until two interfaces in a bridge exist.

Besides I don’t know if we will need some special vpn configs if using bridged mode.


(Juan Rodríguez) #6

Hello again.
According to the tests I have done, ebtables does not affect the operation of the network when it is in routing mode. If the redirect is loaded with ebtables but the network is configured as green and red (that is, with routing), it continues to function correctly.
I summarize my configuration:
Two network cards: One connected to the router (red) and another connected to the local network (green)
The proxy configured in transparent mode with SSL.
Redirection ebtables configured on port 80 and 443.
The network configured both as routed and in bridge mode.
In both cases it works correctly (no need to delete the ebtables routing in any case).
In the absence of further testing (my test network is limited, only two computers in the green zone and limited access to the main router, about 30 MB.) I cannot measure if there is a drop in performance, but functionally it works correctly.
I think the easiest option is to add the redirect with ebtables regardless of whether it has been configured as bridge or as a router, with no options visible to the user.
The use I want to give it is as a UTM system that can be installed in an existing network without having to touch anything on the network, simply placing it in front of the router(s). I will try to test it in a more complex network.
Excuse my English, if something is not clear, please indicate it and I will try to clarify it.

A greeting.


(Juan Rodríguez) #7

A question.
ebtables-save does not work, every time I reboot the system I have to re-execute the commands. Is there any “official” way to add this configuration to the beginning or add them as a separate script in init.d?

Again, a greeting.


(Filippo Carletti) #8

Not sure there’s a better place, but you may write the above line in
/etc/shorewall/start
or
/etc/shorewall/started
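The following is an added example, not code from the thread or from NethServer, that combines the two practical points above: the BROUTING redirect from post #2 (extended to port 443 as in posts #3 and #6) and the persistence question from posts #7 and #8. It is written as a script that can be dropped into /etc/shorewall/started, the location suggested in the last post. The bridge name br0 and the ports 80 and 443 come from the thread; the function names, the delete-then-append idempotency pattern and the EBTABLES override variable are assumptions of this example.

```shell
#!/bin/sh
# Added example (not NethServer's own code): re-adds the ebtables BROUTING
# redirect from the thread every time Shorewall starts, e.g. by saving this
# file as /etc/shorewall/started. Bridge name and ports are taken from the
# thread; the rest is an assumption of this example.

# Ports the transparent proxy should see. 443 only makes sense when the
# proxy is configured for transparent SSL, as in post #6 of the thread.
PROXY_PORTS="80 443"
BRIDGE="br0"

# validate_port PORT: returns 0 for an integer in 1..65535, 1 otherwise.
validate_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# broute_rule_args PORT: prints the match/target part of the rule.
# The BROUTING chain decides per frame whether it is bridged or handed to
# the local IP stack; "redirect --redirect-target ACCEPT" rewrites the
# destination MAC to the bridge's own and passes the frame to the local
# stack, so the iptables REDIRECT to the proxy port applies exactly as it
# does in routed mode.
broute_rule_args() {
    echo "-p IPv4 --ip-protocol 6 --ip-destination-port $1 -j redirect --redirect-target ACCEPT"
}

# ensure_rule PORT: idempotently installs the rule. Deleting before
# appending avoids duplicate entries when Shorewall restarts and re-runs
# this script. EBTABLES can be overridden (e.g. to "true" or "echo") for
# a dry run on a machine without ebtables.
ensure_rule() {
    validate_port "$1" || { echo "ensure_rule: bad port '$1'" >&2; return 1; }
    # shellcheck disable=SC2086
    set -- $(broute_rule_args "$1")   # word splitting is intended here
    "${EBTABLES:-ebtables}" -t broute -D BROUTING "$@" 2>/dev/null || true
    "${EBTABLES:-ebtables}" -t broute -A BROUTING "$@"
}

# apply_proxy_redirect: installs one rule per port; returns non-zero if any
# port was rejected or ebtables failed.
apply_proxy_redirect() {
    rc=0
    for p in $PROXY_PORTS; do
        ensure_rule "$p" || rc=1
    done
    return $rc
}

# Only touch the kernel when ebtables and the bridge actually exist, so the
# script does nothing on a host that is configured in routed mode without br0.
if command -v ebtables >/dev/null 2>&1 && [ -d "/sys/class/net/$BRIDGE" ]; then
    apply_proxy_redirect
else
    echo "ebtables or $BRIDGE not present, skipping proxy redirect" >&2
fi
```

The `-t broute` table is the legacy ebtables interface used in the thread; the script deliberately deletes each rule before appending it rather than parsing `ebtables -t broute -L BROUTING` output, whose formatting differs between ebtables versions. Shorewall's `started` extension script runs after the firewall rules are in place, which is why it is preferred over `start` here: the iptables REDIRECT the proxy relies on already exists when the bridge redirect is added.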