Check that the userspace application enables IP_TRANSPARENT on the listening socket. You can do that via strace.

Tproxy will only match listener sockets with that flag set.
--
Bazsi

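As an added illustration of the point above (example code written for this page, not part of Apache Traffic Server or of the thread): a Linux-only Python snippet that binds a listener the way a TPROXY-aware proxy must, requesting IP_TRANSPARENT before bind(), and a check that reads the flag back with getsockopt(), the programmatic counterpart of watching setsockopt() in strace. Setting the option needs CAP_NET_ADMIN, so the helper also reports whether the kernel accepted it.

```python
# Constructed example, Linux-only: a TPROXY-capable listener and a check for it.
import errno
import socket

# Kernel values as fallbacks for Python builds that do not export the constants.
IP_TRANSPARENT = getattr(socket, "IP_TRANSPARENT", 19)
SO_ACCEPTCONN = getattr(socket, "SO_ACCEPTCONN", 30)


def is_tproxy_listener(sock):
    """True only for a socket that is listening AND has IP_TRANSPARENT set.

    The TPROXY target's socket lookup matches only such listeners; a listener
    without the flag never sees the diverted SYNs, which is the symptom in the
    thread. Reading the option back needs no privilege.
    """
    listening = sock.getsockopt(socket.SOL_SOCKET, SO_ACCEPTCONN) != 0
    transparent = sock.getsockopt(socket.IPPROTO_IP, IP_TRANSPARENT) != 0
    return listening and transparent


def make_listener(port, addr="0.0.0.0", transparent=True, backlog=128):
    """Bind a TCP listener; with transparent=True, set IP_TRANSPARENT before bind().

    Returns (sock, enabled). 'enabled' is False when the kernel refused the
    option with EPERM (no CAP_NET_ADMIN), another reason TPROXY finds no socket.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    enabled = False
    if transparent:
        try:
            sock.setsockopt(socket.IPPROTO_IP, IP_TRANSPARENT, 1)
            enabled = True
        except OSError as exc:
            if exc.errno != errno.EPERM:  # anything but "not privileged" is a bug
                sock.close()
                raise
    sock.bind((addr, port))
    sock.listen(backlog)
    return sock, enabled


if __name__ == "__main__":
    # Port 0 lets the kernel pick a free port so the demo also runs unprivileged.
    sock, enabled = make_listener(0, "127.0.0.1")
    print("IP_TRANSPARENT set:", enabled, "| TPROXY can match:", is_tproxy_listener(sock))
    sock.close()
```

Run it as root (or with CAP_NET_ADMIN) and both values become True; run it unprivileged and they stay False, mirroring what strace would show as a failed setsockopt().
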
On May 20, 2014 6:11:00 PM CEST, Tiago <sytker@gmail.com> wrote:

Hello,

Usage: Apache Trafficserver (web cache) fully transparent using tproxy

OS: Ubuntu 12.04


I’m trying to set up this:

My Router / firewall, which has:

- port 23 (customer network, which has gateway x.x.x.x)

- port2 (traffic server cache, which has IP y.y.y.y and is bound to port 8080).

PS: The web cache has only one ethernet interface (eth2).

- ISPs (internet links) connected to the router.


My router has:

1) Policy routes in place redirecting all requests from customer network with destination port 80 via port2 to apache traffic server.

2) Policy routes in place redirecting all answers from ISPs (from source port 80) via port2 to apache traffic server.

When a customer accesses any website, those packets are being sent to the web cache. But nothing else happens (except a timeout).

My modules:

lsmod
Module                  Size    Used by
nf_nat                 25891  2 ipt_REDIRECT,iptable_nat
nf_conntrack_ipv4      19716  3 iptable_nat,nf_nat
nf_conntrack           81926  3 iptable_nat,nf_nat,nf_conntrack_ipv4
iptable_filter         12810  0
xt_tcpudp              12603  1
xt_TPROXY              12853  0
nf_tproxy_core         12610  1 xt_TPROXY,[permanent]
xt_socket              12715  0
nf_defrag_ipv4         12729  3 nf_conntrack_ipv4,xt_TPROXY,xt_socket
ip6_tables             27864  2 xt_TPROXY,xt_socket
nf_defrag_ipv6         13368  2 xt_TPROXY,xt_socket
xt_mark                12563  2
iptable_mangle         12734  1
ip_tables              27473  3 iptable_nat,iptable_filter,iptable_mangle
x_tables               29846  10 ipt_REDIRECT,iptable_nat,iptable_filter,xt_tcpudp,xt_TPROXY,xt_socket,ip6_tables,xt_mark,iptable_mangle,ip_tables
btrfs                 652957  0


Linux options:

echo 1 > /proc/sys/net/ipv4/ip_forward
echo 0 > /proc/sys/net/ipv4/conf/default/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/eth2/rp_filter
echo 1 > /proc/sys/net/ipv4/conf/eth2/proxy_arp


Iptables Rules:

iptables -t mangle -N DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 8080

ip rule add fwmark 1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100


Apache traffic server debug when trying to access www.inter.com.ve:

tcpdump -ni eth2 host 200.8.57.5
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth2, link-type EN10MB (Ethernet), capture size 65535 bytes
03:48:27.880413 IP x.x.x.5.53663 > 200.8.57.5.80: Flags [S], seq 2084747082, win 65535, options [mss 1440,nop,wscale 4,nop,nop,TS val 903707860 ecr 0,sackOK,eol], length 0
03:48:28.882079 IP x.x.x.5.53663 > 200.8.57.5.80: Flags [S], seq 2084747082, win 65535, options [mss 1440,nop,wscale 4,nop,nop,TS val 903708860 ecr 0,sackOK,eol], length 0
03:48:29.885816 IP x.x.x.5.53663 > 200.8.57.5.80: Flags [S], seq 2084747082, win 65535, options [mss 1440,nop,wscale 4,nop,nop,TS val 903709861 ecr 0,sackOK,eol], length 0
03:48:30.991950 IP x.x.x.5.53663 > 200.8.57.5.80: Flags [S], seq 2084747082, win 65535, options [mss 1440,nop,wscale 4,nop,nop,TS val 903710959 ecr 0,sackOK,eol], length 0
03:48:32.000267 IP x.x.x.5.53663 > 200.8.57.5.80: Flags [S], seq 2084747082, win 65535, options [mss 1440,nop,wscale 4,nop,nop,TS val 903711960 ecr 0,sackOK,eol], length 0
03:48:33.105923 IP x.x.x.5.53663 > 200.8.57.5.80: Flags [S], seq 2084747082, win 65535, options [mss 1440,nop,wscale 4,nop,nop,TS val 903713058 ecr 0,sackOK,eol], length 0
03:48:35.117941 IP x.x.x.5.53663 > 200.8.57.5.80: Flags [S], seq 2084747082, win 65535, options [mss 1440,nop,wscale 4,nop,nop,TS val 903715059 ecr 0,sackOK,eol], length 0
03:48:39.638357 IP x.x.x.5.53663 > 200.8.57.5.80: Flags [S], seq 2084747082, win 65535, options [mss 1440,sackOK,eol], length 0
03:48:48.030197 IP x.x.x.5.53663 > 200.8.57.5.80: Flags [S], seq 2084747082, win 65535, options [mss 1440,sackOK,eol], length 0
^C
9 packets captured
9 packets received by filter
0 packets dropped by kernel

Debug when trying:

telnet www.inter.com.ve 80
Trying 200.8.57.5...

It's not responding to SYN packets, and I'm lost as to what I need to do to fix this.

About trafficserver, I'm using their guide http://docs.trafficserver.apache.org/en/latest/admin/transparent-proxy/router-inline.en.html

Any help?

Thank you



tproxy mailing list
tproxy@lists.balabit.hu
https://lists.balabit.hu/mailman/listinfo/tproxy