[tproxy] tproxy ubuntu 12.04 and apache trafficserver help

Balazs Scheidler bazsi at balabit.hu
Tue May 20 23:52:59 CEST 2014 

Check that the userspace application enables IP_TRANSPARENT on the listening socket. You can do that via strace.

Tproxy will only match listener sockets with that flag set.
-- 
Bazsi

On May 20, 2014 6:11:00 PM CEST, Tiago <sytker at gmail.com> wrote:
>Hello,
>
>Usage: Apache Trafficserver (web cache) fully transparent using tproxy
>
>OS: Ubuntu 12.04
>
>
>I’m trying to setup this:
>
>My Router / firewall which has:
>
>- port 23 (customer network, which has gateway x.x.x.x)
>
>- port2 (traffic server cache, which has IP y.y.y.y and bound to 8080
>port).
>
>PS: The web cache has only one ethernet interface (eth2).
>
>- ISPs (internet links) connected to the router.
>
>
>My router has:
>
>1) Policy routes in place redirecting all requests from customer
>network
>with destination port 80 via port2 to apache traffic server.
>
>2) Policy routes in place redirecting all answers from ISPs (from
>source
>port 80) via port2 to apache traffic server.
>
>When a customer access any website, those packets are being sent to the
>web
>cache. But nothing else happens (except timeout).
>
>My modules:
>
>lsmod
>
>Module                  Size    Used by
>
>nf_nat                 25891  2 ipt_REDIRECT,iptable_nat
>
>nf_conntrack_ipv4      19716  3 iptable_nat,nf_nat
>
>nf_conntrack           81926  3 iptable_nat,nf_nat,nf_conntrack_ipv4
>
>iptable_filter         12810  0
>
>xt_tcpudp              12603  1
>
>xt_TPROXY              12853  0
>
>nf_tproxy_core         12610  1 xt_TPROXY,[permanent]
>
>xt_socket              12715  0
>
>nf_defrag_ipv4         12729  3 nf_conntrack_ipv4,xt_TPROXY,xt_socket
>
>ip6_tables             27864  2 xt_TPROXY,xt_socket
>
>nf_defrag_ipv6         13368  2 xt_TPROXY,xt_socket
>
>xt_mark                12563  2
>
>iptable_mangle         12734  1
>
>ip_tables              27473  3
>iptable_nat,iptable_filter,iptable_mangle
>
>x_tables               29846  10
>ipt_REDIRECT,iptable_nat,iptable_filter,xt_tcpudp,xt_TPROXY,xt_socket,ip6_tables,xt_mark,iptable_mangle,ip_tables
>
>btrfs                 652957  0
>
>
>Linux options:
>
>echo 1 > /proc/sys/net/ipv4/ip_forward
>
>echo 0 > /proc/sys/net/ipv4/conf/default/rp_filter
>
>echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
>
>echo 0 > /proc/sys/net/ipv4/conf/eth2/rp_filter
>
>echo 1 > /proc/sys/net/ipv4/conf/eth2/proxy_arp
>
>
>Iptables Rules:
>
>iptables -t mangle -N DIVERT
>
>iptables -t mangle -A DIVERT -j MARK --set-mark 1
>
>iptables -t mangle -A DIVERT -j ACCEPT
>
>iptables  -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
>
>iptables  -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY
>--tproxy-mark
>0x1/0x1 --on-port 8080
>
>ip rule add fwmark 1 lookup 100
>
>ip route add local 0.0.0.0/0 dev lo table 100
>
>
>Apache traffic server debug when trying to access www.inter.com.ve:
>
>tcpdump -ni eth2 host 200.8.57.5
>
>tcpdump: verbose output suppressed, use -v or -vv for full protocol
>decode
>
>listening on eth2, link-type EN10MB (Ethernet), capture size 65535
>bytes
>
>03:48:27.880413 IP x.x.x.5.53663 > 200.8.57.5.80: Flags [S], seq
>2084747082, win 65535, options [mss 1440,nop,wscale 4,nop,nop,TS val
>903707860 ecr 0,sackOK,eol], length 0
>
>03:48:28.882079 IP x.x.x.5.53663 > 200.8.57.5.80: Flags [S], seq
>2084747082, win 65535, options [mss 1440,nop,wscale 4,nop,nop,TS val
>903708860 ecr 0,sackOK,eol], length 0
>
>03:48:29.885816 IP x.x.x.5.53663 > 200.8.57.5.80: Flags [S], seq
>2084747082, win 65535, options [mss 1440,nop,wscale 4,nop,nop,TS val
>903709861 ecr 0,sackOK,eol], length 0
>
>03:48:30.991950 IP x.x.x.5.53663 > 200.8.57.5.80: Flags [S], seq
>2084747082, win 65535, options [mss 1440,nop,wscale 4,nop,nop,TS val
>903710959 ecr 0,sackOK,eol], length 0
>
>03:48:32.000267 IP x.x.x.5.53663 > 200.8.57.5.80: Flags [S], seq
>2084747082, win 65535, options [mss 1440,nop,wscale 4,nop,nop,TS val
>903711960 ecr 0,sackOK,eol], length 0
>
>03:48:33.105923 IP x.x.x.5.53663 > 200.8.57.5.80: Flags [S], seq
>2084747082, win 65535, options [mss 1440,nop,wscale 4,nop,nop,TS val
>903713058 ecr 0,sackOK,eol], length 0
>
>03:48:35.117941 IP x.x.x.5.53663 > 200.8.57.5.80: Flags [S], seq
>2084747082, win 65535, options [mss 1440,nop,wscale 4,nop,nop,TS val
>903715059 ecr 0,sackOK,eol], length 0
>
>03:48:39.638357 IP x.x.x.5.53663 > 200.8.57.5.80: Flags [S], seq
>2084747082, win 65535, options [mss 1440,sackOK,eol], length 0
>
>03:48:48.030197 IP x.x.x.5.53663 > 200.8.57.5.80: Flags [S], seq
>2084747082, win 65535, options [mss 1440,sackOK,eol], length 0
>
>^C
>
>9 packets captured
>
>9 packets received by filter
>
>0 packets dropped by kernel
>
>Debug when trying:
>
>telnet www.inter.com.ve 80
>
>Trying 200.8.57.5...
>
>Its not responding to syn packets, but I'm lost what I need to do to
>fix
>this.
>
>About trafficserver, I'm using their guide
>http://docs.trafficserver.apache.org/en/latest/admin/transparent-proxy/router-inline.en.html
>
>Any help?
>
>Thank you
>
>
>------------------------------------------------------------------------
>
>_______________________________________________
>tproxy mailing list
>tproxy at lists.balabit.hu
>https://lists.balabit.hu/mailman/listinfo/tproxy
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.balabit.hu/pipermail/tproxy/attachments/20140520/0d46155f/attachment-0001.htm

More information about the tproxy mailing list