[tproxy] tproxy ubuntu 12.04 and apache trafficserver help
Tiago
sytker at gmail.com
Tue May 20 18:11:00 CEST 2014
Hello,
Usage: Apache Trafficserver (web cache) fully transparent using tproxy
OS: Ubuntu 12.04
I’m trying to set this up:
My Router / firewall which has:
- port 23 (customer network, which has gateway x.x.x.x)
- port2 (traffic server cache, which has IP y.y.y.y and bound to 8080 port).
PS: The web cache has only one ethernet interface (eth2).
- ISPs (internet links) connected to the router.
My router has:
1) Policy routes in place redirecting all requests from customer network
with destination port 80 via port2 to apache traffic server.
2) Policy routes in place redirecting all answers from ISPs (from source
port 80) via port2 to apache traffic server.
When a customer accesses any website, those packets are being sent to the web
cache. But nothing else happens (except a timeout).
My modules:
lsmod
Module Size Used by
nf_nat 25891 2 ipt_REDIRECT,iptable_nat
nf_conntrack_ipv4 19716 3 iptable_nat,nf_nat
nf_conntrack 81926 3 iptable_nat,nf_nat,nf_conntrack_ipv4
iptable_filter 12810 0
xt_tcpudp 12603 1
xt_TPROXY 12853 0
nf_tproxy_core 12610 1 xt_TPROXY,[permanent]
xt_socket 12715 0
nf_defrag_ipv4 12729 3 nf_conntrack_ipv4,xt_TPROXY,xt_socket
ip6_tables 27864 2 xt_TPROXY,xt_socket
nf_defrag_ipv6 13368 2 xt_TPROXY,xt_socket
xt_mark 12563 2
iptable_mangle 12734 1
ip_tables 27473 3 iptable_nat,iptable_filter,iptable_mangle
x_tables 29846 10
ipt_REDIRECT,iptable_nat,iptable_filter,xt_tcpudp,xt_TPROXY,xt_socket,ip6_tables,xt_mark,iptable_mangle,ip_tables
btrfs 652957 0
Linux options:
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 0 > /proc/sys/net/ipv4/conf/default/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/eth2/rp_filter
echo 1 > /proc/sys/net/ipv4/conf/eth2/proxy_arp
Iptables Rules:
iptables -t mangle -N DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 8080
ip rule add fwmark 1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100
Apache traffic server debug when trying to access www.inter.com.ve:
tcpdump -ni eth2 host 200.8.57.5
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth2, link-type EN10MB (Ethernet), capture size 65535 bytes
03:48:27.880413 IP x.x.x.5.53663 > 200.8.57.5.80: Flags [S], seq
2084747082, win 65535, options [mss 1440,nop,wscale 4,nop,nop,TS val
903707860 ecr 0,sackOK,eol], length 0
03:48:28.882079 IP x.x.x.5.53663 > 200.8.57.5.80: Flags [S], seq
2084747082, win 65535, options [mss 1440,nop,wscale 4,nop,nop,TS val
903708860 ecr 0,sackOK,eol], length 0
03:48:29.885816 IP x.x.x.5.53663 > 200.8.57.5.80: Flags [S], seq
2084747082, win 65535, options [mss 1440,nop,wscale 4,nop,nop,TS val
903709861 ecr 0,sackOK,eol], length 0
03:48:30.991950 IP x.x.x.5.53663 > 200.8.57.5.80: Flags [S], seq
2084747082, win 65535, options [mss 1440,nop,wscale 4,nop,nop,TS val
903710959 ecr 0,sackOK,eol], length 0
03:48:32.000267 IP x.x.x.5.53663 > 200.8.57.5.80: Flags [S], seq
2084747082, win 65535, options [mss 1440,nop,wscale 4,nop,nop,TS val
903711960 ecr 0,sackOK,eol], length 0
03:48:33.105923 IP x.x.x.5.53663 > 200.8.57.5.80: Flags [S], seq
2084747082, win 65535, options [mss 1440,nop,wscale 4,nop,nop,TS val
903713058 ecr 0,sackOK,eol], length 0
03:48:35.117941 IP x.x.x.5.53663 > 200.8.57.5.80: Flags [S], seq
2084747082, win 65535, options [mss 1440,nop,wscale 4,nop,nop,TS val
903715059 ecr 0,sackOK,eol], length 0
03:48:39.638357 IP x.x.x.5.53663 > 200.8.57.5.80: Flags [S], seq
2084747082, win 65535, options [mss 1440,sackOK,eol], length 0
03:48:48.030197 IP x.x.x.5.53663 > 200.8.57.5.80: Flags [S], seq
2084747082, win 65535, options [mss 1440,sackOK,eol], length 0
^C
9 packets captured
9 packets received by filter
0 packets dropped by kernel
Debug when trying:
telnet www.inter.com.ve 80
Trying 200.8.57.5...
It's not responding to SYN packets, but I'm lost as to what I need to do to fix
this.
About trafficserver, I'm using their guide
http://docs.trafficserver.apache.org/en/latest/admin/transparent-proxy/router-inline.en.html
Any help?
Thank you
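Two diagnostics for the situation described in the post, added here as example code that is not from the original message or from Apache Traffic Server: a parser over tcpdump output (run on a constructed capture in the same format as the one quoted above; the 192.0.2.0/24 client addresses are made up) that lists flows whose SYNs never received a SYN/ACK, and a minimal IP_TRANSPARENT listener on port 8080 that can stand in for the cache process, so a SYN/ACK from it shows the TPROXY and fwmark routing side is working and the remaining problem lies in the proxy's own configuration.

```python
import re
import socket
from collections import defaultdict

# Constructed sample in the format of the tcpdump output quoted in the post
# (192.0.2.0/24 stands in for the customer network, 200.8.57.5 is the origin).
SAMPLE_CAPTURE = """\
listening on eth2, link-type EN10MB (Ethernet), capture size 65535 bytes
03:48:27.880413 IP 192.0.2.5.53663 > 200.8.57.5.80: Flags [S], seq 2084747082, win 65535, length 0
03:48:28.882079 IP 192.0.2.5.53663 > 200.8.57.5.80: Flags [S], seq 2084747082, win 65535, length 0
03:48:29.100000 IP 192.0.2.7.40001 > 200.8.57.5.80: Flags [S], seq 1, win 65535, length 0
03:48:29.100500 IP 200.8.57.5.80 > 192.0.2.7.40001: Flags [S.], seq 2, ack 2, win 14600, length 0
9 packets captured
"""
# One-line tcpdump TCP summary: "<time> IP <src>.<sport> > <dst>.<dport>: Flags [<f>]"
_TCPDUMP = re.compile(
    r"^\S+ IP (?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)

def unanswered_syns(capture):
    """Map (src, sport, dst, dport) -> client SYN count for flows that never
    got a SYN/ACK back, which is the symptom in the post."""
    syns, answered = defaultdict(int), set()
    for line in capture.splitlines():
        m = _TCPDUMP.match(line)
        if not m:
            continue  # banner, summary or a wrapped continuation line
        flow = (m["src"], m["sport"], m["dst"], m["dport"])
        if m["flags"] == "S":
            syns[flow] += 1
        elif "S." in m["flags"]:  # SYN/ACK, so record the reverse flow
            answered.add((m["dst"], m["dport"], m["src"], m["sport"]))
    return {f: n for f, n in syns.items() if f not in answered}

def transparent_listener(port=8080):
    """Minimal IP_TRANSPARENT listener standing in for Traffic Server on the cache:
    a SYN/ACK from here proves the TPROXY/fwmark path works. Needs CAP_NET_ADMIN."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.setsockopt(socket.IPPROTO_IP, getattr(socket, "IP_TRANSPARENT", 19), 1)  # 19 on Linux
    s.bind(("0.0.0.0", port))  # matches TPROXY --on-port 8080 in the post's rules
    s.listen(16)
    return s

if __name__ == "__main__":
    print(unanswered_syns(SAMPLE_CAPTURE))
    conn, peer = transparent_listener().accept()
    # getsockname() on a TPROXY-accepted socket is the client's original destination
    print("client %s:%d -> original dst %s:%d" % (peer + conn.getsockname()))
```

Run the listener as root on the cache host with the post's mangle rules and table 100 in place; if `telnet www.inter.com.ve 80` from a customer host connects and the script prints the original destination, the kernel side is fine and the proxy's transparent-port configuration is what needs attention.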