trafficserver-users mailing list archives

From Jeremy Payne <jp557...@gmail.com>
Subject Re: transparent proxy not work, using traffic-redirect function of layer 3 switch
Date Mon, 23 Nov 2015 18:25:48 GMT
So you see the SYN from the client hit the ATS server?
But the ATS machine doesn't respond with the SYN-ACK?

As a start, on the ATS machine can you try listening on all interfaces?

tcpdump -ni any port 80 or port 8080

On Fri, Nov 20, 2015 at 2:43 AM, Wayne Zhang <wayne.m.zhang@gmail.com>
wrote:

> I want to correct a previous mistake: Wireshark can get HTTP SYN packets
> and retransmissions on ethernet enp14s0, but no SYN-ACK packets.
>
> 2015-11-19 15:12 GMT+08:00 Wayne Zhang <wayne.m.zhang@gmail.com>:
>
>> hi all,
>>
>> The ATS version is 6.0.0.
>> The layer 3 switch is a Huawei S3928TP-SI.
>>
>> The topology is:
>>       client PC to port 1,
>>       ATS server to  port 2,
>>       router to port 3.
>>
>> Here are the main steps for configuring the switch:
>>
>> #define acl 3001 to intercept 80 port traffic to internet
>> acl number 3001
>> description client traffic to ATS server
>> rule 0 permit TCP destination-port eq www
>>
>> #define acl 3011 to intercept 80 port traffic from internet
>> acl number 3011
>> description internet traffic to ATS server
>> rule 0 permit TCP source-port eq www
>>
>> #apply acl 3001 at ethernet port 1, redirect traffic to internet to port 2
>> interface Ethernet 1/0/1
>> traffic-redirect inbound ip-group 3001 interface Ethernet 1/0/2
>>
>> #apply acl 3011 at ethernet port 3, redirect the traffic from internet to port 2
>> interface Ethernet 1/0/3
>> traffic-redirect inbound ip-group 3011 interface Ethernet 1/0/2
>>
>>
>> The related config values in records.config:
>>
>> proxy.config.reverse_proxy.enabled INT 1
>> proxy.config.url_remap.remap_required INT 0
>> proxy.config.http.server_ports STRING 8080:ipv4:tr-full
>>
>> My script for setting up before the ATS server starts:
>>
>> #!/bin/sh
>> ETH0=enp14s0
>>
>> # Forward redirected packets and disable reverse-path filtering on the
>> # intercept interface, since packets for foreign addresses arrive here.
>> echo 1 > /proc/sys/net/ipv4/ip_forward
>> echo 0 > /proc/sys/net/ipv4/conf/$ETH0/rp_filter
>>
>> # Packets carrying mark 1 are looked up in table 1, which delivers them locally.
>> ip rule delete fwmark 1/1 > /dev/null 2>&1
>> ip rule add fwmark 1/1 table 1
>> ip route add local 0/0 dev lo table 1
>>
>> # Client -> origin (dport 80): hand to ATS on 8080 via TPROXY.
>> # Origin -> client (sport 80): mark so the reply is also delivered locally.
>> iptables -t mangle --flush PREROUTING
>> iptables -t mangle -A PREROUTING -i $ETH0 -p tcp -m tcp --dport 80 -j TPROXY --on-ip 0.0.0.0 --on-port 8080 --tproxy-mark 1/1
>> iptables -t mangle -A PREROUTING -i $ETH0 -p tcp -m tcp --sport 80 -j MARK --set-mark 1/1
>>
>> iptables -t filter --flush FORWARD
>> iptables -t filter --flush INPUT
>>
>> The result:
>>      Visiting websites from the client browser times out, which means that
>> traffic interception at the switch works.
>>      The 3 processes traffic_cop, traffic_manager and traffic_server can
>> be seen using "ps aux" on the ATS server.
>>      There is no access log output using "traffic_logcat squid.log".
>>      No HTTP packets on ethernet enp14s0 or loopback can be captured
>> using Wireshark.
>>
>> Any debugging advice?
>> Thanks in advance.
>>
>
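As an added example (not from this thread or the ATS project), a small Python parser for the `tcpdump -n` capture suggested above, which classifies each client handshake so the capture reduces to "which flows got a SYN but never a SYN-ACK", the symptom Wayne reports. The sample lines and addresses are constructed.

```python
import re

# tcpdump -n prints lines like:
#   10:15:01.000100 IP 192.0.2.10.51000 > 198.51.100.20.80: Flags [S], seq ...
# With "-i any" newer versions prefix an interface and direction, so the
# pattern is searched for rather than anchored at the start of the line.
LINE_RE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]*)\]")

# Constructed sample capture (not from the thread): flow :51000 sends a SYN
# plus a retransmit and gets no answer, :51001 is answered, :51002 is refused.
SAMPLE = [
    "10:15:01.000100 IP 192.0.2.10.51000 > 198.51.100.20.80: Flags [S], seq 1, win 29200, length 0",
    "10:15:02.000200 IP 192.0.2.10.51000 > 198.51.100.20.80: Flags [S], seq 1, win 29200, length 0",
    "10:15:03.000300 IP 192.0.2.10.51001 > 198.51.100.20.80: Flags [S], seq 7, win 29200, length 0",
    "10:15:03.000400 IP 198.51.100.20.80 > 192.0.2.10.51001: Flags [S.], seq 9, ack 8, win 28960, length 0",
    "10:15:04.000500 IP 192.0.2.10.51002 > 198.51.100.20.80: Flags [S], seq 3, win 29200, length 0",
    "10:15:04.000600 IP 198.51.100.20.80 > 192.0.2.10.51002: Flags [R.], seq 0, ack 4, win 0, length 0",
]

def parse_tcpdump(lines):
    """Yield (src, sport, dst, dport, flags) for every line that parses as TCP."""
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            src, sport, dst, dport, flags = m.groups()
            yield src, int(sport), dst, int(dport), flags

def handshake_report(lines):
    """Map (client, cport, server, sport) -> 'syn-only' | 'syn-acked' | 'reset'."""
    state = {}
    for src, sport, dst, dport, flags in parse_tcpdump(lines):
        if flags == "S":                      # client SYN; retransmits keep state
            state.setdefault((src, sport, dst, dport), "syn-only")
            continue
        key = (dst, dport, src, sport)        # replies run server -> client
        if flags == "S." and key in state:
            state[key] = "syn-acked"
        elif "R" in flags and state.get(key) == "syn-only":
            state[key] = "reset"
    return state

def stalled_flows(lines):
    """Flows with a SYN but no SYN-ACK: the redirected SYN reached the box but
    nothing (TPROXY rule, local route, or ATS listener) ever answered it."""
    return sorted(k for k, v in handshake_report(lines).items() if v == "syn-only")

if __name__ == "__main__":
    for client, cport, server, sport in stalled_flows(SAMPLE):
        print(f"no SYN-ACK for {client}:{cport} -> {server}:{sport}")
```

Feed it `tcpdump -nl -i any port 80 or port 8080 | python3 script.py` style output from both interfaces: a stalled flow on port 80 with nothing on 8080 points at the TPROXY rule or routing table rather than at ATS itself.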
