trafficserver-users mailing list archives

From Muhammad Faisal <faisalu...@yahoo.com>
Subject Re: Problem on Transparent-Proxy Configuration
Date Tue, 24 Jan 2017 09:36:42 GMT
Hello,
The issue is apparently more related to iptables, not ATS. I don't know exactly about your network setup, but if you have the following:
[Internet]-----eth1 192.168.1.109/24-----[ATS]--eth0-----[LAN Hosts 192.168.2.0/24]
IP forwarding should be enabled in case you want to use the ATS machine as your internet GW as well (inline deployment); then you would need to set up the NAT correctly first and later configure for Tproxying:
echo 1 > /proc/sys/net/ipv4/ip_forward

#iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain
iptables -t nat -A POSTROUTING -s 192.168.2.0/24 -o eth1 -j SNAT --to 192.168.1.109
iptables -A FORWARD -i eth0 -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT

Adjust according to your setup and verify the NAT is working correctly. Better to google it, as this list is primarily for ATS-related questions.
Regards, Faisal.

 
      From: Rebirthing <nemojjh@gmail.com>
 To: users@trafficserver.apache.org; Muhammad Faisal <faisalusuf@yahoo.com> 
 Sent: Tuesday, January 24, 2017 2:20 PM
 Subject: Re: Problem on Transparent-Proxy Configuration
   
Thank you :).
I tried to follow your advice.
1. Changed records.config correctly. `8080:tr-full`
2. Flushed iptables and added rules.
sudo iptables -t mangle -N DIVERT
sudo iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
sudo iptables -A PREROUTING -p tcp -m tcp --dport 80 -j TPROXY --on-port 8080 --on-ip 0.0.0.0 --tproxy-mark 0x1/0x1
sudo iptables -A DIVERT -j MARK --set-xmark 0x1/0xffffffff
sudo iptables -A DIVERT -j ACCEPT

IPTABLES
/opt/ts/bin$ sudo iptables --list -t mangle
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DIVERT     tcp  --  anywhere             anywhere             socket
TPROXY     tcp  --  anywhere             anywhere             tcp dpt:http TPROXY redirect 0.0.0.0:8080 mark 0x1/0x1

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

Chain DIVERT (1 references)
target     prot opt source               destination
MARK       all  --  anywhere             anywhere             MARK set 0x1
ACCEPT     all  --  anywhere             anywhere

sudo ip rule add fwmark 1 lookup 100

/opt/ts/bin$ ip rule show
0:      from all lookup local
32765:  from all fwmark 0x1 lookup 100
32766:  from all lookup main
32767:  from all lookup default

Can't ping outside from the intranet client.
Did I follow the steps correctly?


Best Regards.
Jaden.

2017-01-24 17:01 GMT+09:00 Muhammad Faisal <faisalusuf@yahoo.com>:

Hi,
Here is how the iptables rules should be if you have compiled ATS with transparent proxy support:
Assuming you have used port 8080 for ATS
:DIVERT - [0:0]
-A PREROUTING -p tcp -m socket -j DIVERT
-A PREROUTING -p tcp -m tcp --dport 80 -j TPROXY --on-port 8080 --on-ip 0.0.0.0 --tproxy-mark 0x1/0x1
-A DIVERT -j MARK --set-xmark 0x1/0xffffffff
-A DIVERT -j ACCEPT

[root@ats ~]# ip rule show
0:      from all lookup local
32765:  from all fwmark 0x1 lookup 100
32766:  from all lookup main
32767:  from all lookup default

ATS config:
##############################################################################
# Specify server addresses and ports to bind for HTTP and HTTPS. Docs:
#    https://docs.trafficserver.apache.org/records.config#proxy-config-http-server-ports
##############################################################################
CONFIG proxy.config.http.server_ports STRING 8080:tr-full

Building ATS for transparency — Apache Traffic Server 4.2.3 documentation
Inline on a Linux router — Apache Traffic Server 5.3.2 documentation

Regards, Faisal.

 
      From: Rebirthing <nemojjh@gmail.com>
 To: users@trafficserver.apache.org 
 Sent: Tuesday, January 24, 2017 12:45 PM
 Subject: Problem on Transparent-Proxy Configuration
  
Hello. My name is Jaden, a developer in Korea.
I'm trying to configure Router-ATS Transparent Proxy.
But it doesn't work and I couldn't figure out the problem.
Please help me.
-Environments-
OS : Ubuntu 16.04
ATS Version : Latest
Network Topology : Internet ----- (ens33, 192.168.75.0/24) : ATS : (ens35, 172.16.113.0/24) ---- Intranet
iptables setting:
# iptables -t nat -A POSTROUTING -o ens33 -j MASQUERADE
# iptables -A FORWARD -i ens33 -o ens35 -m state --state RELATED,ESTABLISHED -j ACCEPT
# iptables -A FORWARD -i ens35 -o ens33 -j ACCEPT
# iptables -t mangle -A PREROUTING -i ens35 -p tcp -m tcp --dport 80 -j TPROXY  --on-ip 0.0.0.0 --on-port 8080 --tproxy-mark 1/1
# iptables -t mangle -A PREROUTING -i ens33 --source 192.168.75.0/24 -j ACCEPT
# iptables -t mangle -A PREROUTING -i ens33 --destination 192.168.75.0/24  -j ACCEPT
# iptables -t mangle -A PREROUTING -i eth33 -p tcp -m tcp --sport 80 -j MARK --set-mark 1/1
# ip rule add fwmark 1/1 table 1
# ip route add local 0.0.0.0/0 dev lo table 1
I checked the packets with Wireshark. Only TCP packets didn't pass through.
DNS querying is working but TCP is not.
Could you help me?
Thank you.
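
The rule sets in this thread only work when three things agree: the mark set by the TPROXY rule, an `ip rule` that sends that mark to a routing table, and a `local` default route via `lo` in that table. The following is an added example, not part of the thread or of the ATS documentation, that checks this from captured command output. The function names and the sample input are constructed for illustration, and marks are compared by value with the mask ignored.

```shell
#!/bin/sh
# Added example (not from the thread): offline consistency check for the
# three pieces TPROXY needs. All function names here are hypothetical.

# Print the mark value (mask stripped) of the first TPROXY rule found in
# `iptables-save -t mangle` output ($1), e.g. "0x1".
tproxy_mark() {
    printf '%s\n' "$1" | awk '
        /-j TPROXY/ {
            for (i = 1; i < NF; i++)
                if ($i == "--tproxy-mark") { split($(i + 1), m, "/"); print m[1]; exit }
        }'
}

# Print the routing table that `ip rule show` output ($1) selects for mark $2.
mark_table() {
    printf '%s\n' "$1" | awk -v want="$2" '
        {
            mark = ""; table = ""
            for (i = 1; i < NF; i++) {
                if ($i == "fwmark") { split($(i + 1), m, "/"); mark = m[1] }
                if ($i == "lookup") table = $(i + 1)
            }
            if ((mark "") == (want "") && table != "") { print table; exit }
        }'
}

# Succeed if `ip route show table N` output ($1) delivers all traffic locally.
has_local_default() {
    printf '%s\n' "$1" | grep -Eq '^local (default|0\.0\.0\.0/0) dev lo( |$)'
}

# $1 mangle rules, $2 ip rule output, $3 routes of the marked table.
# Returns 0 when all three line up, otherwise 1, 2 or 3 for the missing piece.
check_tproxy() {
    mark=$(tproxy_mark "$1")
    [ -n "$mark" ] || { echo "no TPROXY rule with --tproxy-mark"; return 1; }
    table=$(mark_table "$2" "$mark")
    [ -n "$table" ] || { echo "no ip rule for fwmark $mark"; return 2; }
    has_local_default "$3" || { echo "table $table: no local default route via lo"; return 3; }
    echo "ok: mark $mark -> table $table -> local delivery"
}

# Constructed sample input, modelled on the rules quoted in the thread.
SAMPLE_MANGLE='-A PREROUTING -p tcp -m socket -j DIVERT
-A PREROUTING -p tcp -m tcp --dport 80 -j TPROXY --on-port 8080 --on-ip 0.0.0.0 --tproxy-mark 0x1/0x1
-A DIVERT -j MARK --set-xmark 0x1/0xffffffff'
SAMPLE_RULES='0: from all lookup local
32765: from all fwmark 0x1 lookup 100'
SAMPLE_ROUTES='local default dev lo scope host'
check_tproxy "$SAMPLE_MANGLE" "$SAMPLE_RULES" "$SAMPLE_ROUTES"
```

On a live router, feed the functions the output of `iptables-save -t mangle`, `ip rule show` and `ip route show table <N>` (as root) in place of the sample variables.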

   
 



   
 