trafficserver-users mailing list archives

From Muhammad Faisal <faisalu...@yahoo.com>
Subject Re: Setting up Transparent Proxy
Date Tue, 26 Jan 2016 06:18:36 GMT
*Hi Alan,*
The output is as follows:

[root@ATS ~]# ip route show table 100
local default dev lo  scope host


*IPtables rules showing increasing packet counts:*

# Generated by iptables-save v1.4.7 on Tue Jan 26 11:09:34 2016
*mangle
:PREROUTING ACCEPT [1601:195856]
:INPUT ACCEPT [1853:208672]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1588:275561]
:POSTROUTING ACCEPT [1588:275561]
:DIVERT - [0:0]
[1853:208672] -A PREROUTING -j LOG --log-prefix " Towards_ATS " --log-level 7
[252:12816] -A PREROUTING -i em2 -p tcp -m tcp --dport 80 -j TPROXY --on-port 8080 --on-ip 0.0.0.0 --tproxy-mark 0x1/0x1
[712:36656] -A PREROUTING -i em1 -p tcp -m tcp --sport 80 -j MARK --set-xmark 0x1/0x1
COMMIT
# Completed on Tue Jan 26 11:09:34 2016
[root@wc01 ~]# iptables-save -c
# Generated by iptables-save v1.4.7 on Tue Jan 26 11:09:35 2016
*mangle
:PREROUTING ACCEPT [1618:196819]
:INPUT ACCEPT [1873:209787]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1604:277388]
:POSTROUTING ACCEPT [1604:277388]
:DIVERT - [0:0]
[1873:209787] -A PREROUTING -j LOG --log-prefix " Towards_ATS " --log-level 7
[255:12968] -A PREROUTING -i em2 -p tcp -m tcp --dport 80 -j TPROXY --on-port 8080 --on-ip 0.0.0.0 --tproxy-mark 0x1/0x1
[722:37168] -A PREROUTING -i em1 -p tcp -m tcp --sport 80 -j MARK --set-xmark 0x1/0x1
COMMIT
# Completed on Tue Jan 26 11:09:35 2016


On 1/26/2016 12:06 AM, Alan Carroll wrote:
> Two recommendations:
>
> What is the output of
>
> ip route show table 100
>
> Also you should look at the iptable rule counts to see if those rules 
> are being hit at all.
>
>
> On Monday, January 25, 2016 12:50 PM, Muhammad Faisal 
> <faisalusuf@yahoo.com> wrote:
>
>
> *Update:*
> When I flush ebtables, HTTP browsing starts via the bridge. But when I put
> the below rules in, browsing stops:
>
> ebtables -t broute -A BROUTING -i em2 -p ipv4 --ip-proto tcp --ip-dport 80 -j redirect --redirect-target DROP
> ebtables -t broute -A BROUTING -i em1 -p ipv4 --ip-proto tcp --ip-sport 80 -j redirect --redirect-target DROP
>
> I tried logging on both rules and can see packets are being processed, but
> the iptables rule logs are empty. Any clue? I have upgraded the kernel to
> 4.4 and it is still the same situation.
>
> Thanks
>
> On 1/25/2016 11:12 PM, Muhammad Faisal wrote:
> *Hi Alan,*
> Thanks for your response. I went through your presentation (YouTube
> video + slides) indeed before starting configuration. It enhanced my
> understanding of ATS. However, I found another straightforward step-by-step
> process at this location, which I followed:
> http://apache-traffic-server.24303.n7.nabble.com/attachment/1638/0/ATS%20on%20Centos.txt
>
> When I remove the ebtables rules, HTTP browsing starts. Any suggestions?
>
> The output of traffic.out has nothing special; it seems no traffic is
> processed by ATS (using the latest stable release, 6.0). Please see below.
>
> *traffic.out *
> raffic_server: using root directory '/usr/local'
> /usr/local/bin/trafficserver restart
> [traffic_server: Terminated (Signal sent by kill() 4771 
> 0)TrafficManager] ==> Cleaning up and reissuing signal #15
> [E. Mgmt] log ==> [TrafficManager] using root directory '/usr/local'
> traffic_server: using root directory '/usr/local'
>
>
> */etc/sysctl.conf*
> net.ipv4.ip_forward = 1
> net.ipv4.conf.default.rp_filter = 0
> net.ipv4.conf.all.rp_filter = 0
> net.ipv4.conf.eth0.rp_filter = 0
> net.ipv4.conf.eth1.rp_filter = 0
> net.ipv4.conf.br0.rp_filter = 0
> *IPTABLES Rules in your apachecon ppt:*
> iptables -t mangle -A PREROUTING -i em2 -p tcp -m tcp --dport 80 -j TPROXY --on-ip 0.0.0.0 --on-port 8080 --tproxy-mark 0x1/0x1
> iptables -t mangle -A PREROUTING -i em1 -p tcp -m tcp --sport 80 -j MARK --set-mark 0x1/0x1
> *This is what I have applied on the server:*
> ============================================
> iptables -t mangle -N DIVERT
> iptables -t mangle -A DIVERT -j LOG --log-prefix ' Towards_ATS ' --log-level 7
> iptables -t mangle -A DIVERT -j MARK --set-mark 1
> iptables -t mangle -A DIVERT -j ACCEPT
> iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
> iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 8080
> ===========================================
>
>
>
> On 1/25/2016 8:55 PM, Alan Carroll wrote:
>> Your configuration to enable debugging is correct, but there is no point in adding
>> it to traffic_logstat; it will have no effect. The debug output should be placed in the
>> var/log/trafficserver/traffic.out file.
>>
>> I need to check my notes (it's been a while since I worked with this), but I think
>> your iptables rules should be interface dependent (as with ebtables) to allow packets to
>> escape after going through ATS. I also don't recall using divert.
>>
>>
>> Did you set the /etc/sysctl.conf value?
>>
>> You might find this interesting -
>> https://www.dropbox.com/sh/h7erczfbt8ug8kn/cMyk4ukVSg?m - it's a presentation on
>> transparent proxy.
>
>
>
>
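Alan's advice to compare the iptables rule counters can be scripted rather than read off by eye. The following is an added example, not code from the thread or from Apache Traffic Server: it parses two `iptables-save -c` snapshots (the rule lines are the ones posted above, with the e-mail wrapping undone) and reports the per-rule packet delta, so a rule that traffic never reaches shows up as idle.

```python
import re
from typing import Dict, List

# Rule lines from the two `iptables-save -c` snapshots posted above (taken
# one second apart), with the e-mail line wrapping undone.
BEFORE = """\
[1853:208672] -A PREROUTING -j LOG --log-prefix " Towards_ATS " --log-level 7
[252:12816] -A PREROUTING -i em2 -p tcp -m tcp --dport 80 -j TPROXY --on-port 8080 --on-ip 0.0.0.0 --tproxy-mark 0x1/0x1
[712:36656] -A PREROUTING -i em1 -p tcp -m tcp --sport 80 -j MARK --set-xmark 0x1/0x1
"""
AFTER = """\
[1873:209787] -A PREROUTING -j LOG --log-prefix " Towards_ATS " --log-level 7
[255:12968] -A PREROUTING -i em2 -p tcp -m tcp --dport 80 -j TPROXY --on-port 8080 --on-ip 0.0.0.0 --tproxy-mark 0x1/0x1
[722:37168] -A PREROUTING -i em1 -p tcp -m tcp --sport 80 -j MARK --set-xmark 0x1/0x1
"""

# `iptables-save -c` prefixes every rule with "[packets:bytes]".
COUNTED_RULE = re.compile(r"^\[(\d+):(\d+)\]\s+(-A\s.*)$")

def parse_counters(snapshot: str) -> Dict[str, int]:
    """Map each '-A ...' rule text to its packet counter (bytes are ignored)."""
    counters: Dict[str, int] = {}
    for line in snapshot.splitlines():
        m = COUNTED_RULE.match(line.strip())
        if m:
            counters[m.group(3)] = int(m.group(1))
    return counters

def rule_deltas(before: str, after: str) -> Dict[str, int]:
    """Packets matched by each rule between the two snapshots."""
    old, new = parse_counters(before), parse_counters(after)
    return {rule: new[rule] - old[rule] for rule in new if rule in old}

def delta_for(deltas: Dict[str, int], needle: str) -> int:
    """Delta of the single rule whose text contains `needle` (e.g. '-j TPROXY')."""
    hits = [d for rule, d in deltas.items() if needle in rule]
    if len(hits) != 1:
        raise KeyError(f"{needle!r} matched {len(hits)} rules")
    return hits[0]

def idle_rules(before: str, after: str) -> List[str]:
    """Rules whose counter did not move: traffic is not reaching them."""
    return [rule for rule, d in rule_deltas(before, after).items() if d == 0]

if __name__ == "__main__":
    for rule, delta in rule_deltas(BEFORE, AFTER).items():
        print(f"{delta:4d} pkt  {rule}")
    print("idle rules:", idle_rules(BEFORE, AFTER) or "none")
```

On the snapshots above all three rules move (20, 3 and 10 packets), which is the same conclusion the poster drew by hand; feed the script two real `iptables-save -c` dumps taken a few seconds apart to repeat the check on a live box.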

