trafficserver-users mailing list archives

From Alan Carroll <>
Subject Re: Setting up Transparent Proxy
Date Mon, 25 Jan 2016 19:06:41 GMT
Two recommendations:
What is the output of

ip route show table 100
Also, you should look at the iptables rule counters to see if those rules are being hit at all.

    On Monday, January 25, 2016 12:50 PM, Muhammad Faisal <> wrote:

When I flush ebtables, HTTP browsing starts via the bridge. But when I put in the rules below,
browsing stops:
 ebtables -t broute -A BROUTING -i em2 -p ipv4 --ip-proto tcp --ip-dport 80 -j redirect --redirect-target
 ebtables -t broute -A BROUTING -i em1 -p ipv4 --ip-proto tcp --ip-sport 80 -j redirect --redirect-target
I tried logging on both rules and can see packets are being processed, but the iptables rule logs are
empty. Any clue? I have upgraded the kernel to 4.4; even so, still the same situation.
 On 1/25/2016 11:12 PM, Muhammad Faisal wrote:
Hi Alan,
Thanks for your response. I went through your presentation (YouTube video + slides) indeed
before starting the configuration. It enhanced my understanding of ATS. However, I found another
straightforward step-by-step process at this location, which I followed:
When I remove the ebtables rules, HTTP browsing starts. Any suggestions?
The output of traffic.out has nothing special; it seems no traffic is processed by ATS (using the
latest stable release, 6.0). Please see below:
traffic_server: using root directory '/usr/local'
 /usr/local/bin/trafficserver restart
 [traffic_server: Terminated (Signal sent by kill() 4771 0)TrafficManager] ==> Cleaning
up and reissuing signal #15
 [E. Mgmt] log ==> [TrafficManager] using root directory '/usr/local'
 traffic_server: using root directory '/usr/local'
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.eth0.rp_filter = 0
net.ipv4.conf.eth1.rp_filter = 0
net.ipv4.conf.br0.rp_filter = 0

IPTABLES Rules in your apachecon ppt:
iptables -t mangle -A PREROUTING -i em2 -p tcp -m tcp --dport 80 -j TPROXY --on-ip --on-port 8080 --tproxy-mark 0x1/0x1
iptables -t mangle -A PREROUTING -i em1 -p tcp -m tcp --sport 80 -j MARK --set-mark 0x1/0x1
This is what I have applied on the server:
 iptables -t mangle -N DIVERT
 iptables -t mangle -A DIVERT -j LOG --log-prefix ' Towards_ATS ' --log-level 7
 iptables -t mangle -A DIVERT -j MARK --set-mark 1
 iptables -t mangle -A DIVERT -j ACCEPT
 iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
 iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port
 On 1/25/2016 8:55 PM, Alan Carroll wrote:
Your configuration to enable debugging is correct, but there is no point in adding it to traffic_logstat;
it will have no effect. The debug output should be placed in var/log/trafficserver/traffic.out

I need to check my notes (it's been a while since I worked with this), but I think your iptables
rules should be interface dependent (as with ebtables) to allow packets to escape after going
through ATS. I also don't recall using DIVERT.

Did you set the /etc/sysctl.conf value?

You might find this interesting - - it's a presentation on transparent
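The two checks Alan asks for in his latest reply (the contents of routing table 100 and whether the mangle rules are ever hit), together with the interface-dependent TPROXY/ebtables setup the thread is converging on, as an added shell example. This is not code from the thread or from the Apache Traffic Server project; interface names em1/em2, port 8080, mark 0x1 and table 100 are assumptions taken from the posted rules, and the iptables counter output it parses is a constructed sample, not output from the poster's machine.

```shell
#!/bin/sh
# Added example (not from the thread or the ATS project): a minimal setup of the
# bridge-transparent TPROXY path discussed above, plus offline-testable checks
# for the two things Alan asks about: the policy-routing table and rule counters.
# Assumptions (hypothetical): client side em2, upstream side em1, ATS listening
# on 8080, fwmark 0x1, routing table 100. Adjust to your interfaces.

CLIENT_IF=em2
UPSTREAM_IF=em1
ATS_PORT=8080
MARK=0x1
TABLE=100

# Run as root to apply the rules. Packets carrying the mark are looked up in
# table 100, whose only route delivers them to a local socket (TPROXY needs
# this). The ebtables broute rules pull port-80 frames off the bridge so they
# are routed through the IP stack, where the mangle rules can see them.
# rp_filter must be off on the interfaces that actually carry the traffic
# (em1/em2 here; the sysctl lines quoted in the thread name eth0/eth1).
apply_transparent_proxy() {
    sysctl -w net.ipv4.ip_forward=1
    sysctl -w "net.ipv4.conf.$CLIENT_IF.rp_filter=0"
    sysctl -w "net.ipv4.conf.$UPSTREAM_IF.rp_filter=0"
    ip rule add fwmark "$MARK" lookup "$TABLE"
    ip route add local 0.0.0.0/0 dev lo table "$TABLE"
    iptables -t mangle -A PREROUTING -i "$CLIENT_IF" -p tcp --dport 80 \
        -j TPROXY --on-ip 0.0.0.0 --on-port "$ATS_PORT" --tproxy-mark "$MARK/$MARK"
    iptables -t mangle -A PREROUTING -i "$UPSTREAM_IF" -p tcp --sport 80 \
        -j MARK --set-mark "$MARK/$MARK"
    ebtables -t broute -A BROUTING -i "$CLIENT_IF" -p ipv4 --ip-proto tcp --ip-dport 80 \
        -j redirect --redirect-target DROP
    ebtables -t broute -A BROUTING -i "$UPSTREAM_IF" -p ipv4 --ip-proto tcp --ip-sport 80 \
        -j redirect --redirect-target DROP
}

# Check 1: does the output of `ip route show table 100` contain the local
# catch-all route on lo? Takes the command output as its argument so it can
# be exercised without root.
has_local_lo_route() {
    printf '%s\n' "$1" | grep -Eq '^local (default|0\.0\.0\.0/0) dev lo'
}

# Check 2: which rules in `iptables -t mangle -vnL PREROUTING` have never
# matched a packet? Prints the target of every rule whose pkts counter is 0.
# Line 1 is the chain header and line 2 the column header, so both are skipped.
zero_hit_rules() {
    printf '%s\n' "$1" | awk 'NR > 2 && NF >= 3 && $1 == 0 { print $3 }'
}

# Constructed sample of counter output (not captured from the poster's box):
# the DIVERT and TPROXY rules have never matched; the upstream MARK rule has.
SAMPLE_COUNTERS='Chain PREROUTING (policy ACCEPT 1234 packets, 98765 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DIVERT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            socket
    0     0 TPROXY     tcp  --  em2    *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 TPROXY redirect 0.0.0.0:8080 mark 0x1/0x1
   57  4102 MARK       tcp  --  em1    *       0.0.0.0/0            0.0.0.0/0            tcp spt:80 MARK set 0x1'

# Live use (needs root): `sh this.sh apply` installs the rules, then runs both
# checks against the real box. With no argument only the functions are defined.
if [ "${1:-}" = "apply" ]; then
    apply_transparent_proxy
    has_local_lo_route "$(ip route show table "$TABLE")" \
        || echo "table $TABLE lacks the local route on lo"
    echo "rules never hit:"
    zero_hit_rules "$(iptables -t mangle -vnL PREROUTING)"
fi
```

If `zero_hit_rules` lists the TPROXY rule while the ebtables rules are in place, the frames are leaving the bridge but not reaching the mangle chain on the expected interface, which is the symptom described above; compare the `-i` interface in the iptables rule with the one in the ebtables rule before looking anywhere else.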