Proxying Web Traffic On A Linux Bridge Server

Warning: Any example presented here is provided "as-is" with no support or guarantee of suitability. If you have any further questions about these examples please email the squid-users mailing list.


This example outlines how to configure a Linux bridge to policy route traffic (web in this instance) towards a Squid proxy.

Please realize this just gets the packets out of the bridge mode (OSI model layer 2 packet handling) into the machines packet routing system (layer 3); you also have to configure routing (layer 3) and interception (layer 4) on the machine to divert traffic to the Squid TCP port!


Various networks are using bridge devices as gateways and wish to implement transparent caching or content filtering.

ebtables DROP vs iptables DROP

In iptables which in most cases is being used to filter network traffic the DROP target means "packet disapear".

In ebtables a "-j redirect --redirect-target DROP" means "packet be gone from the bridge into the upper layers of the kernel such as routing\forwarding"

Since the ebtables works in the link layer of the connection in order to intercept the connection we must "redirect" the traffic to the level which iptables will be able to intercept\tproxy.

A picture of the netfilter flow to illustrate:

netfilter packet flow illustration

ebtables Configuration Rules

Bridging configuration in Linux is done with the ebtables utility.

You also need to follow all the steps for setting up the Squid box as a router device. These bridging rules are additional steps to move packets from bridging mode to routing mode:

## interface facing clients

## interface facing Internet

ebtables -t broute -A BROUTING \
        -i $CLIENT_IFACE -p ipv6 --ip6-proto tcp --ip6-dport 80 \
        -j redirect --redirect-target DROP

ebtables -t broute -A BROUTING \
        -i $CLIENT_IFACE -p ipv4 --ip-proto tcp --ip-dport 80 \
        -j redirect --redirect-target DROP

ebtables -t broute -A BROUTING \
        -i $INET_IFACE -p ipv6 --ip6-proto tcp --ip6-sport 80 \
        -j redirect --redirect-target DROP

ebtables -t broute -A BROUTING \
        -i $INET_IFACE -p ipv4 --ip-proto tcp --ip-sport 80 \
        -j redirect --redirect-target DROP

if test -d /proc/sys/net/bridge/ ; then
  for i in /proc/sys/net/bridge/*
    echo 0 > $i
  unset i
  • /!\ The bridge interfaces also need to be configured with public IP addresses for Squid to use in its normal operating traffic (DNS, ICMP, TPROXY failed requests, peer requests, etc)


ConfigExamples/Intercept/LinuxBridge (last edited 2017-01-14 05:11:23 by AmosJeffries)