[tproxy] need help with haproxy routing rules
Jeffrey 'jf' Lim
jfs.world at gmail.com
Mon Jun 30 13:19:46 CEST 2008
hi, folks, I've been scratching my head over this, and need your help with
this.
I've got haproxy compiled with tproxy support, and it's working fine with
regards to point no. 3 ("Initiating connections with a foreign address as a
source") - I've got it binding and connecting properly, and it's able to
send out packets using a foreign address. Problem now is, when the reply
packet comes back, haproxy cant seem to be able to detect it?
The route rules in the readme are tuned for a full transparent proxy,
listening on another port other than the port of the traffic you want to
transparently listen to, which is fine for squid - but this is not what I'm
looking for.
As far as i've figured, the following rules should work, but dont somehow:
======
iptables -t mangle -N DIVERT
iptables -t mangle -A PREROUTING -p tcpo -m socket -j DIVERT
iptables -t mangle -A DIVERT -j MARK --set-xmark 0x1/0xffffffff
iptables -t mangle -A DIVERT -j ACCEPT
=====
The rule
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --on-port
<proxyport> --tproxy-mark 0x1/0x1
isn't applicable here, because haproxy IS supposed to be "non-transparent"
at the client end - it IS supposed to listen in directly on the ip and port
for web traffic - that's the point of a load balancer, so... Could somebody
perhaps tell me what i need to complete the setup, and get the packets to be
forwarded to haproxy?
thanks,
-jf
--
In the meantime, here is your PSA:
"It's so hard to write a graphics driver that open-sourcing it would not
help."
-- Andrew Fear, Software Product Manager, NVIDIA Corporation
http://kerneltrap.org/node/7228
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.balabit.hu/pipermail/tproxy/attachments/20080630/8cc9fc13/attachment.htm
More information about the tproxy
mailing list