tproxy ubuntu 12.04 and apache trafficserver help
Hello,
Usage: Apache Trafficserver (web cache) fully transparent using tproxy
OS: Ubuntu 12.04
I'm trying to set up this:
My Router / firewall which has:
- port 23 (customer network, which has gateway x.x.x.x)
- port2 (traffic server cache, which has IP y.y.y.y and bound to 8080 port).
PS: The web cache has only one ethernet interface (eth2).
- ISPs (internet links) connected to the router.
My router has:
1) Policy routes in place redirecting all requests from customer network with destination port 80 via port2 to apache traffic server.
2) Policy routes in place redirecting all answers from ISPs (from source port 80) via port2 to apache traffic server.
When a customer accesses any website, those packets are being sent to the web cache. But nothing else happens (except timeout).
My modules:
lsmod
Module Size Used by
nf_nat 25891 2 ipt_REDIRECT,iptable_nat
nf_conntrack_ipv4 19716 3 iptable_nat,nf_nat
nf_conntrack 81926 3 iptable_nat,nf_nat,nf_conntrack_ipv4
iptable_filter 12810 0
xt_tcpudp 12603 1
xt_TPROXY 12853 0
nf_tproxy_core 12610 1 xt_TPROXY,[permanent]
xt_socket 12715 0
nf_defrag_ipv4 12729 3 nf_conntrack_ipv4,xt_TPROXY,xt_socket
ip6_tables 27864 2 xt_TPROXY,xt_socket
nf_defrag_ipv6 13368 2 xt_TPROXY,xt_socket
xt_mark 12563 2
iptable_mangle 12734 1
ip_tables 27473 3 iptable_nat,iptable_filter,iptable_mangle
x_tables 29846 10 ipt_REDIRECT,iptable_nat,iptable_filter,xt_tcpudp,xt_TPROXY,xt_socket,ip6_tables,xt_mark,iptable_mangle,ip_tables
btrfs 652957 0
Linux options:
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 0 > /proc/sys/net/ipv4/conf/default/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/eth2/rp_filter
echo 1 > /proc/sys/net/ipv4/conf/eth2/proxy_arp
Iptables Rules:
iptables -t mangle -N DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 8080
ip rule add fwmark 1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100
Apache traffic server debug when trying to access www.inter.com.ve:
tcpdump -ni eth2 host 200.8.57.5
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth2, link-type EN10MB (Ethernet), capture size 65535 bytes
03:48:27.880413 IP x.x.x.5.53663 > 200.8.57.5.80: Flags [S], seq 2084747082, win 65535, options [mss 1440,nop,wscale 4,nop,nop,TS val 903707860 ecr 0,sackOK,eol], length 0
03:48:28.882079 IP x.x.x.5.53663 > 200.8.57.5.80: Flags [S], seq 2084747082, win 65535, options [mss 1440,nop,wscale 4,nop,nop,TS val 903708860 ecr 0,sackOK,eol], length 0
03:48:29.885816 IP x.x.x.5.53663 > 200.8.57.5.80: Flags [S], seq 2084747082, win 65535, options [mss 1440,nop,wscale 4,nop,nop,TS val 903709861 ecr 0,sackOK,eol], length 0
03:48:30.991950 IP x.x.x.5.53663 > 200.8.57.5.80: Flags [S], seq 2084747082, win 65535, options [mss 1440,nop,wscale 4,nop,nop,TS val 903710959 ecr 0,sackOK,eol], length 0
03:48:32.000267 IP x.x.x.5.53663 > 200.8.57.5.80: Flags [S], seq 2084747082, win 65535, options [mss 1440,nop,wscale 4,nop,nop,TS val 903711960 ecr 0,sackOK,eol], length 0
03:48:33.105923 IP x.x.x.5.53663 > 200.8.57.5.80: Flags [S], seq 2084747082, win 65535, options [mss 1440,nop,wscale 4,nop,nop,TS val 903713058 ecr 0,sackOK,eol], length 0
03:48:35.117941 IP x.x.x.5.53663 > 200.8.57.5.80: Flags [S], seq 2084747082, win 65535, options [mss 1440,nop,wscale 4,nop,nop,TS val 903715059 ecr 0,sackOK,eol], length 0
03:48:39.638357 IP x.x.x.5.53663 > 200.8.57.5.80: Flags [S], seq 2084747082, win 65535, options [mss 1440,sackOK,eol], length 0
03:48:48.030197 IP x.x.x.5.53663 > 200.8.57.5.80: Flags [S], seq 2084747082, win 65535, options [mss 1440,sackOK,eol], length 0
^C
9 packets captured
9 packets received by filter
0 packets dropped by kernel
Debug when trying:
telnet www.inter.com.ve 80
Trying 200.8.57.5...
It's not responding to SYN packets, but I'm lost on what I need to do to fix this.
About trafficserver, I'm using their guide http://docs.trafficserver.apache.org/en/latest/admin/transparent-proxy/route...
Any help?
Thank you
Check that the userspace application enables IP_TRANSPARENT on the listening socket. You can do that via strace. Tproxy will only match listener sockets with that flag set.
--
Bazsi
On May 20, 2014 6:11:00 PM CEST, Tiago <sytker@gmail.com> wrote:
Hello,
Usage: Apache Trafficserver (web cache) fully transparent using tproxy
OS: Ubuntu 12.04
I'm trying to set up this:
My Router / firewall which has:
- port 23 (customer network, which has gateway x.x.x.x)
- port2 (traffic server cache, which has IP y.y.y.y and bound to 8080 port).
PS: The web cache has only one ethernet interface (eth2).
- ISPs (internet links) connected to the router.
My router has:
1) Policy routes in place redirecting all requests from customer network with destination port 80 via port2 to apache traffic server.
2) Policy routes in place redirecting all answers from ISPs (from source port 80) via port2 to apache traffic server.
When a customer accesses any website, those packets are being sent to the web cache. But nothing else happens (except timeout).
My modules:
lsmod
Module Size Used by
nf_nat 25891 2 ipt_REDIRECT,iptable_nat
nf_conntrack_ipv4 19716 3 iptable_nat,nf_nat
nf_conntrack 81926 3 iptable_nat,nf_nat,nf_conntrack_ipv4
iptable_filter 12810 0
xt_tcpudp 12603 1
xt_TPROXY 12853 0
nf_tproxy_core 12610 1 xt_TPROXY,[permanent]
xt_socket 12715 0
nf_defrag_ipv4 12729 3 nf_conntrack_ipv4,xt_TPROXY,xt_socket
ip6_tables 27864 2 xt_TPROXY,xt_socket
nf_defrag_ipv6 13368 2 xt_TPROXY,xt_socket
xt_mark 12563 2
iptable_mangle 12734 1
ip_tables 27473 3 iptable_nat,iptable_filter,iptable_mangle
x_tables 29846 10 ipt_REDIRECT,iptable_nat,iptable_filter,xt_tcpudp,xt_TPROXY,xt_socket,ip6_tables,xt_mark,iptable_mangle,ip_tables
btrfs 652957 0
Linux options:
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 0 > /proc/sys/net/ipv4/conf/default/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/eth2/rp_filter
echo 1 > /proc/sys/net/ipv4/conf/eth2/proxy_arp
Iptables Rules:
iptables -t mangle -N DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 8080
ip rule add fwmark 1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100
Apache traffic server debug when trying to access www.inter.com.ve:
tcpdump -ni eth2 host 200.8.57.5
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth2, link-type EN10MB (Ethernet), capture size 65535 bytes
03:48:27.880413 IP x.x.x.5.53663 > 200.8.57.5.80: Flags [S], seq 2084747082, win 65535, options [mss 1440,nop,wscale 4,nop,nop,TS val 903707860 ecr 0,sackOK,eol], length 0
03:48:28.882079 IP x.x.x.5.53663 > 200.8.57.5.80: Flags [S], seq 2084747082, win 65535, options [mss 1440,nop,wscale 4,nop,nop,TS val 903708860 ecr 0,sackOK,eol], length 0
03:48:29.885816 IP x.x.x.5.53663 > 200.8.57.5.80: Flags [S], seq 2084747082, win 65535, options [mss 1440,nop,wscale 4,nop,nop,TS val 903709861 ecr 0,sackOK,eol], length 0
03:48:30.991950 IP x.x.x.5.53663 > 200.8.57.5.80: Flags [S], seq 2084747082, win 65535, options [mss 1440,nop,wscale 4,nop,nop,TS val 903710959 ecr 0,sackOK,eol], length 0
03:48:32.000267 IP x.x.x.5.53663 > 200.8.57.5.80: Flags [S], seq 2084747082, win 65535, options [mss 1440,nop,wscale 4,nop,nop,TS val 903711960 ecr 0,sackOK,eol], length 0
03:48:33.105923 IP x.x.x.5.53663 > 200.8.57.5.80: Flags [S], seq 2084747082, win 65535, options [mss 1440,nop,wscale 4,nop,nop,TS val 903713058 ecr 0,sackOK,eol], length 0
03:48:35.117941 IP x.x.x.5.53663 > 200.8.57.5.80: Flags [S], seq 2084747082, win 65535, options [mss 1440,nop,wscale 4,nop,nop,TS val 903715059 ecr 0,sackOK,eol], length 0
03:48:39.638357 IP x.x.x.5.53663 > 200.8.57.5.80: Flags [S], seq 2084747082, win 65535, options [mss 1440,sackOK,eol], length 0
03:48:48.030197 IP x.x.x.5.53663 > 200.8.57.5.80: Flags [S], seq 2084747082, win 65535, options [mss 1440,sackOK,eol], length 0
^C
9 packets captured
9 packets received by filter
0 packets dropped by kernel
Debug when trying:
telnet www.inter.com.ve 80
Trying 200.8.57.5...
It's not responding to SYN packets, but I'm lost on what I need to do to fix this.
About trafficserver, I'm using their guide http://docs.trafficserver.apache.org/en/latest/admin/transparent-proxy/route...
Any help?
Thank you
------------------------------------------------------------------------
_______________________________________________
tproxy mailing list
tproxy@lists.balabit.hu
https://lists.balabit.hu/mailman/listinfo/tproxy
participants (2)
- Balazs Scheidler
- Tiago