Hello, the issue is more related to iptables, not ATS, apparently. I don't know exactly your
network setup, but if you have the following:
[Internet]-----eth1 192.168.1.109/24-----[ATS]--eth0-----[LAN Hosts 192.168.2.0/24]
IP forwarding should be enabled in case you want to use the ATS machine as your internet GW as
well (inline deployment); then you would need to set up the NAT correctly first and later configure
it for TPROXYing:
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain
iptables -t nat -A POSTROUTING -s 192.168.2.0/24 -o eth1 -j SNAT --to 192.168.1.109
iptables -A FORWARD -i eth0 -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
Adjust according to your setup and verify the NAT is working correctly. Better to Google it, as
this list is primarily for ATS-related questions.
Regards, Faisal.
From: Rebirthing <nemojjh@gmail.com>
To: users@trafficserver.apache.org; Muhammad Faisal <faisalusuf@yahoo.com>
Sent: Tuesday, January 24, 2017 2:20 PM
Subject: Re: Problem on Transparent-Proxy Configuration
Thank you :).
I tried to follow your advice.
1. Changed records.config correctly: `8080:tr-full`
2. Flushed iptables and added rules (the TPROXY and DIVERT rules must be in the mangle table, as the listing below shows):
sudo iptables -t mangle -N DIVERT
sudo iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
sudo iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 80 -j TPROXY --on-port 8080 --on-ip 0.0.0.0 --tproxy-mark 0x1/0x1
sudo iptables -t mangle -A DIVERT -j MARK --set-xmark 0x1/0xffffffff
sudo iptables -t mangle -A DIVERT -j ACCEPT
IPTABLES
/opt/ts/bin$ sudo iptables --list -t mangle
Chain PREROUTING (policy ACCEPT)
target     prot opt source      destination
DIVERT     tcp  --  anywhere    anywhere      socket
TPROXY     tcp  --  anywhere    anywhere      tcp dpt:http TPROXY redirect 0.0.0.0:8080 mark 0x1/0x1

Chain INPUT (policy ACCEPT)
target     prot opt source      destination

Chain FORWARD (policy ACCEPT)
target     prot opt source      destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source      destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source      destination

Chain DIVERT (1 references)
target     prot opt source      destination
MARK       all  --  anywhere    anywhere      MARK set 0x1
ACCEPT     all  --  anywhere    anywhere
sudo ip rule add fwmark 1 lookup 100
/opt/ts/bin$ ip rule show
0:      from all lookup local
32765:  from all fwmark 0x1 lookup 100
32766:  from all lookup main
32767:  from all lookup default
Can't ping outside from the intranet client.
Did I follow the steps correctly?
Best Regards.
Jaden.
2017-01-24 17:01 GMT+09:00 Muhammad Faisal <faisalusuf@yahoo.com>:
Hi, here is how the iptables rules should be if you have compiled ATS with transparent proxy support:
Assuming you have used port 8080 for ATS:
:DIVERT - [0:0]
-A PREROUTING -p tcp -m socket -j DIVERT
-A PREROUTING -p tcp -m tcp --dport 80 -j TPROXY --on-port 8080 --on-ip 0.0.0.0 --tproxy-mark 0x1/0x1
-A DIVERT -j MARK --set-xmark 0x1/0xffffffff
-A DIVERT -j ACCEPT
[root@ats ~]# ip rule show
0:      from all lookup local
32765:  from all fwmark 0x1 lookup 100
32766:  from all lookup main
32767:  from all lookup default
ATS config:
##############################################################################
# Specify server addresses and ports to bind for HTTP and HTTPS. Docs:
#   https://docs.trafficserver.apache.org/records.config#proxy-config-http-server-ports
##############################################################################
CONFIG proxy.config.http.server_ports STRING 8080:tr-full
Building ATS for transparency — Apache Traffic Server 4.2.3 documentation
Inline on a Linux router — Apache Traffic Server 5.3.2 documentation
Regards, Faisal.
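As an added example (not code from this thread or from the ATS project), the following Python checker parses `iptables-save -t mangle`, `ip rule show` and `ip route show table <N>` output and reports which of the four parts of the TPROXY setup in this message is missing or inconsistent: the TPROXY rule, the `-m socket` divert rule with a matching MARK, the `fwmark` policy-routing rule, and the local route in the table that rule selects. The sample output it runs on is constructed to mirror the rule set above; the function and its messages are this example's own.

```python
import re

# Constructed sample output modelled on the thread's rule set (not captured from a
# real host): `iptables-save -t mangle`, `ip rule show`, `ip route show table 100`.
MANGLE_OK = """*mangle
:PREROUTING ACCEPT [0:0]
:DIVERT - [0:0]
-A PREROUTING -p tcp -m socket -j DIVERT
-A PREROUTING -p tcp -m tcp --dport 80 -j TPROXY --on-port 8080 --on-ip 0.0.0.0 --tproxy-mark 0x1/0x1
-A DIVERT -j MARK --set-xmark 0x1/0xffffffff
-A DIVERT -j ACCEPT
COMMIT
"""
RULE_OK = "0:\tfrom all lookup local\n32765:\tfrom all fwmark 0x1 lookup 100\n32766:\tfrom all lookup main\n"
ROUTE_OK = "local default dev lo scope host\n"


def _num(token):
    """Parse '0x1', '1' or '0x1/0x1' (iptables/iproute2 mark syntax) to an int."""
    return int(token.split("/")[0], 0)


def check_tproxy(mangle, ip_rule, ip_route, proxy_port=8080):
    """Return a list of problems; an empty list means all four TPROXY pieces are present and agree."""
    problems = []
    tproxy = re.search(r"^-A PREROUTING .*-j TPROXY (.*)$", mangle, re.M)
    if not tproxy:
        return ["no TPROXY rule in mangle PREROUTING"]
    opts = tproxy.group(1)
    port = re.search(r"--on-port (\d+)", opts)
    if not port or int(port.group(1)) != proxy_port:
        problems.append(f"TPROXY --on-port is not the proxy port {proxy_port}")
    mark_opt = re.search(r"--tproxy-mark (\S+)", opts)
    mark = _num(mark_opt.group(1)) if mark_opt else None
    if mark is None:
        problems.append("TPROXY rule sets no --tproxy-mark, so policy routing cannot match it")
    if not re.search(r"^-A PREROUTING .*-m socket -j \S+", mangle, re.M):
        problems.append("no '-m socket' rule: packets for sockets the proxy already owns are not re-marked")
    divert_mark = re.search(r"^-A \S+ -j MARK --set-x?mark (\S+)", mangle, re.M)
    if mark is not None and (not divert_mark or _num(divert_mark.group(1)) != mark):
        problems.append("MARK target in the divert chain does not set the same mark as --tproxy-mark")
    rule = re.search(r"fwmark (\S+) lookup (\S+)", ip_rule)
    if not rule or (mark is not None and _num(rule.group(1)) != mark):
        problems.append("no 'ip rule ... fwmark <mark> lookup <table>' matching the TPROXY mark")
    elif not re.search(r"^local (default|0\.0\.0\.0/0) dev lo", ip_route, re.M):
        problems.append(f"table {rule.group(2)} has no 'local default dev lo' route, so marked packets are not delivered locally")
    return problems


if __name__ == "__main__":
    print(check_tproxy(MANGLE_OK, RULE_OK, ROUTE_OK))  # []
    # Constructed failure: the fwmark rule points at table 1 and that table is empty.
    print(check_tproxy(MANGLE_OK, "32765:\tfrom all fwmark 0x1 lookup 1\n", ""))
```

The checker never runs iptables or ip itself; capture the three outputs on the ATS box (as root) and pass them in, which keeps it usable from an audit script or a CI check against saved rule files.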
From: Rebirthing <nemojjh@gmail.com>
To: users@trafficserver.apache.org
Sent: Tuesday, January 24, 2017 12:45 PM
Subject: Problem on Transparent-Proxy Configuration
Hello. My name is Jaden, a developer in Korea.
I'm trying to configure a Router-ATS transparent proxy.
But it doesn't work and I couldn't figure out the problem.
Please help me.
-Environments-
OS : Ubuntu 16.04
ATS Version : Latest
Network Topology : Internet ----- (ens33, 192.168.75.0/24) : ATS : (ens35, 172.16.113.0/24) ---- Intranet
iptables setting:
# iptables -t nat -A POSTROUTING -o ens33 -j MASQUERADE
# iptables -A FORWARD -i ens33 -o ens35 -m state --state RELATED,ESTABLISHED -j ACCEPT
# iptables -A FORWARD -i ens35 -o ens33 -j ACCEPT
# iptables -t mangle -A PREROUTING -i ens35 -p tcp -m tcp --dport 80 -j TPROXY --on-ip 0.0.0.0 --on-port 8080 --tproxy-mark 1/1
# iptables -t mangle -A PREROUTING -i ens33 --source 192.168.75.0/24 -j ACCEPT
# iptables -t mangle -A PREROUTING -i ens33 --destination 192.168.75.0/24 -j ACCEPT
# iptables -t mangle -A PREROUTING -i eth33 -p tcp -m tcp --sport 80 -j MARK --set-mark 1/1
# ip rule add fwmark 1/1 table 1
# ip route add local 0.0.0.0/0 dev lo table 1
I checked the packets with Wireshark. Only TCP packets didn't pass through.
DNS querying is working, but TCP is not.
Could you help me?
Thank you.