trafficserver-users mailing list archives

From Jason Strongman <jasonstrongman2...@gmail.com>
Subject Transparent Proxy + Linux Router Policy Routing
Date Wed, 19 Aug 2015 20:33:01 GMT
I am having an issue with transparent proxying when I am routing port
80 traffic at my LAN router. If I just route a target web server's
host/network to my ATS proxy, things work as expected.


# BROKEN CONFIGURATION

# RULES DEFINED AT LINUX LAN ROUTER
iptables -t mangle -A PREROUTING -i eth0 -p tcp --dport 80 -j MARK --set-mark 3
ip rule add fwmark 3 table 2
ip route add default via 10.1.10.2 dev eth1 table 2


# RULES DEFINED AT ATS HOST
iptables -t mangle -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j TPROXY --on-ip 0.0.0.0 --on-port 8080 --tproxy-mark 3
ip rule add fwmark 3 table 1
ip route add local 0.0.0.0/0 dev lo table 1


When I run tcpdump on the LAN router, I see the syn-ack in the form of
the origin's IP address being returned by the ATS server. This is
expected.
However, the syn-ack doesn't make it beyond eth1 of the LAN router.
The packet gets dropped. Maybe the marking set at the ATS server is
causing the LAN router to drop the packet.




# WORKING CONFIGURATION

# RULES DEFINED AT LINUX LAN ROUTER
i
ip route add 172.16.20.0/24 via 10.1.10.2


# RULES DEFINED AT ATS HOST

iptables -t mangle -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j TPROXY --on-ip 0.0.0.0 --on-port 8080 --tproxy-mark 3
ip rule add fwmark 3 table 1
ip route add local 0.0.0.0/0 dev lo table 1


This configuration works. But this means that if I have other traffic
types destined for this routed host/network, the ATS host will have to
just pass it along. This isn't ideal. I just want port 80 traffic routed to
the ATS host.

Please advise.

Thanks!
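The drop described above is consistent with the Linux reverse-path filter: the syn-ack coming back from the ATS host carries the origin server's source address, and in the broken rule set the router's only route back to that address leaves via eth0, not eth1 where the packet arrives, while the working rule set adds a route to the origin network via the ATS host. As an added illustration that is not from the thread (constructed addresses, an assumed default route via eth0, an assumed origin 172.16.20.5, and a toy rule/table model rather than the real kernel), this Python script models both rule sets and shows which one passes a strict reverse-path check:

```python
import ipaddress

# Constructed model of the LAN router in the thread. eth0 faces the LAN clients,
# eth1 faces the ATS host (10.1.10.2). The default route via eth0, the client
# LAN 192.168.1.0/24 and the origin 172.16.20.5 are assumptions for this example.
MAIN_TABLE = [("10.1.10.0/24", "eth1"), ("192.168.1.0/24", "eth0"), ("0.0.0.0/0", "eth0")]
TABLE_2 = [("0.0.0.0/0", "eth1")]   # ip route add default via 10.1.10.2 dev eth1 table 2

BROKEN = {"rules": [(3, "t2"), (None, "main")],   # ip rule add fwmark 3 table 2
          "tables": {"t2": TABLE_2, "main": MAIN_TABLE}}
WORKING = {"rules": [(None, "main")],             # no fwmark rule, only a static route
           "tables": {"main": MAIN_TABLE + [("172.16.20.0/24", "eth1")]}}


def lookup(cfg, dst, mark=0):
    """Policy routing: walk the rules in priority order; the first table that holds
    a route for dst answers with its longest-prefix match, like the kernel FIB."""
    for rule_mark, table in cfg["rules"]:
        if rule_mark is not None and rule_mark != mark:
            continue
        best = None
        for prefix, dev in cfg["tables"][table]:
            net = ipaddress.ip_network(prefix)
            if ipaddress.ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, dev)
        if best is not None:
            return best[1]
    return None


def rp_filter_passes(cfg, src, in_dev, mode):
    """net.ipv4.conf.<dev>.rp_filter: 0 = off, 1 = strict (the route back to src must
    leave via in_dev), 2 = loose (any route to src suffices). The reverse lookup is
    unmarked: the syn-ack has sport 80, not dport 80, so the MARK rule never matches it."""
    if mode == 0:
        return True
    out = lookup(cfg, src)
    return out == in_dev if mode == 1 else out is not None


if __name__ == "__main__":
    # The client's SYN to port 80 gets mark 3 and is steered to the ATS host via eth1.
    print("SYN (mark 3) ->", lookup(BROKEN, "172.16.20.5", mark=3))
    # The spoofed syn-ack from ATS arrives on eth1 with the origin's source address.
    for name, cfg in (("broken", BROKEN), ("working", WORKING)):
        print(name, "strict rp_filter passes:", rp_filter_passes(cfg, "172.16.20.5", "eth1", 1))
```

On a real router the equivalent check is `sysctl net.ipv4.conf.eth1.rp_filter` together with `ip route get <origin-ip>`; if the route does not point at eth1, strict mode drops the syn-ack exactly as modelled.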
