trafficserver-users mailing list archives

From Rebirthing <nemo...@gmail.com>
Subject Re: Problem on Transparent-Proxy Configuration
Date Tue, 24 Jan 2017 09:20:18 GMT
Thank you :).

I tried to follow your advice.

1. Changed records.config correctly: `8080:tr-full`
2. Flushed iptables and added rules.

sudo iptables -t mangle -N DIVERT
sudo iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
sudo iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 80 -j TPROXY --on-port 8080 --on-ip 0.0.0.0 --tproxy-mark 0x1/0x1
sudo iptables -t mangle -A DIVERT -j MARK --set-xmark 0x1/0xffffffff
sudo iptables -t mangle -A DIVERT -j ACCEPT


IPTABLES
/opt/ts/bin$ sudo iptables --list -t mangle
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DIVERT     tcp  --  anywhere             anywhere             socket
TPROXY     tcp  --  anywhere             anywhere             tcp dpt:http
TPROXY redirect 0.0.0.0:8080 mark 0x1/0x1

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

Chain DIVERT (1 references)
target     prot opt source               destination
MARK       all  --  anywhere             anywhere             MARK set 0x1
ACCEPT     all  --  anywhere             anywhere


sudo ip rule add fwmark 1 lookup 100


/opt/ts/bin$ ip rule show
0:    from all lookup local
32765: from all fwmark 0x1 lookup 100
32766: from all lookup main
32767: from all lookup default


Can't ping outside from the intranet client.

Did I follow the steps correctly?



Best Regards.

Jaden.


2017-01-24 17:01 GMT+09:00 Muhammad Faisal <faisalusuf@yahoo.com>:

> Hi,
> Here is how the iptables rules should be if you have compiled ATS with
> transparent proxy support:
>
> Assuming you have used port 8080 for ATS
>
> :DIVERT - [0:0]
> -A PREROUTING -p tcp -m socket -j DIVERT
> -A PREROUTING -p tcp -m tcp --dport 80 -j TPROXY --on-port 8080 --on-ip 0.0.0.0 --tproxy-mark 0x1/0x1
> -A DIVERT -j MARK --set-xmark 0x1/0xffffffff
> -A DIVERT -j ACCEPT
>
>
> [root <at> ats ~]# ip rule show
> 0:      from all lookup local
> 32765:  from all fwmark 0x1 lookup 100
> 32766:  from all lookup main
> 32767:  from all lookup default
>
>
> ATS config:
> ##############################################################################
> # Specify server addresses and ports to bind for HTTP and HTTPS. Docs:
> #    https://docs.trafficserver.apache.org/records.config#proxy-config-http-server-ports
> ##############################################################################
> CONFIG proxy.config.http.server_ports STRING 8080:tr-full
>
>
> Building ATS for transparency — Apache Traffic Server 4.2.3 documentation
> <https://docs.trafficserver.apache.org/en/4.2.x/admin/transparent-proxy/build.en.html>
>
> Inline on a Linux router — Apache Traffic Server 5.3.2 documentation
> <https://docs.trafficserver.apache.org/en/5.3.x/admin/transparent-proxy/router-inline.en.html>
>
>
> Regards,
> Faisal.
>
>
> ------------------------------
> *From:* Rebirthing <nemojjh@gmail.com>
> *To:* users@trafficserver.apache.org
> *Sent:* Tuesday, January 24, 2017 12:45 PM
> *Subject:* Problem on Transparent-Proxy Configuration
>
> Hello. My name is Jaden, a developer in Korea.
>
> I'm trying to configure Router-ATS Transparent Proxy.
>
> But it doesn't work and I couldn't figure out the problem.
>
> Please Help me.
>
> -Environments-
> OS : Ubuntu 16.04
> ATS Version : Latest
> Network Topology :
>  Internet ----- (ens33, 192.168.75.0/24) : ATS : (ens35, 172.16.113.0/24) ---- Intranet
>
> iptables setting:
>
> # iptables -t nat -A POSTROUTING -o ens33 -j MASQUERADE
> # iptables -A FORWARD -i ens33 -o ens35 -m state --state RELATED,ESTABLISHED -j ACCEPT
> # iptables -A FORWARD -i ens35 -o ens33 -j ACCEPT
>
> # iptables -t mangle -A PREROUTING -i ens35 -p tcp -m tcp --dport 80 -j TPROXY --on-ip 0.0.0.0 --on-port 8080 --tproxy-mark 1/1
> # iptables -t mangle -A PREROUTING -i ens33 --source 192.168.75.0/24 -j ACCEPT
> # iptables -t mangle -A PREROUTING -i ens33 --destination 192.168.75.0/24 -j ACCEPT
> # iptables -t mangle -A PREROUTING -i eth33 -p tcp -m tcp --sport 80 -j MARK --set-mark 1/1
> # ip rule add fwmark 1/1 table 1
> # ip route add local 0.0.0.0/0 dev lo table 1
>
> I checked the packets with Wireshark. Only TCP packets didn't pass through.
>
> DNS Querying is working but TCP not.
>
> Could you help me?
>
> Thank you.
>
>
>
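Added example for this thread (my own code, not from the thread participants or from Apache Traffic Server): a small Python checker that reads the text of `iptables-save`, `ip rule show` and `ip route show table N` and verifies that the four pieces a TPROXY setup needs actually fit together: a TPROXY rule in the mangle table, a `-m socket` rule whose MARK sets the same value as `--tproxy-mark`, an `ip rule` that sends that fwmark to a table, and a `local default dev lo` route in that table. The last piece appears in the first post (`ip route add local 0.0.0.0/0 dev lo table 1`) but not in the later listings, which show only the `ip rule`. The sample captures below are constructed to mirror the rules posted above; the table contents are assumptions for the two cases being compared.

```python
"""Check a TPROXY transparent-proxy setup from captured command output.

Added example (not part of the thread or of Apache Traffic Server).
Inputs are the text of `iptables-save`, `ip rule show` and `ip route show table N`.
"""
import re

# Constructed sample captures modelled on the rules posted in the thread.
IPTABLES_SAVE = """\
*mangle
:PREROUTING ACCEPT [0:0]
:DIVERT - [0:0]
-A PREROUTING -p tcp -m socket -j DIVERT
-A PREROUTING -p tcp -m tcp --dport 80 -j TPROXY --on-port 8080 --on-ip 0.0.0.0 --tproxy-mark 0x1/0x1
-A DIVERT -j MARK --set-xmark 0x1/0xffffffff
-A DIVERT -j ACCEPT
COMMIT
"""

IP_RULE = """\
0:\tfrom all lookup local
32765:\tfrom all fwmark 0x1 lookup 100
32766:\tfrom all lookup main
32767:\tfrom all lookup default
"""

# Assumed `ip route show table 100` output for the two cases compared below.
TABLE_100_MISSING = ""  # the local route was never added
TABLE_100_OK = "local default dev lo scope host\n"  # after `ip route add local 0.0.0.0/0 dev lo table 100`

MARK_RE = r" (0x[0-9a-fA-F]+|\d+)"


def parse_iptables_save(text):
    """Return {table_name: [append-rule lines]} from iptables-save output."""
    tables, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("*"):
            current = line[1:]
            tables.setdefault(current, [])
        elif line.startswith("-A ") and current is not None:
            tables[current].append(line)
    return tables


def mark_value(rule, option):
    """Integer mark from e.g. '--tproxy-mark 0x1/0x1'; the /mask part is ignored."""
    m = re.search(re.escape(option) + MARK_RE, rule)
    return int(m.group(1), 0) if m else None


def fwmark_rules(ip_rule_text):
    """[(mark, table)] for every policy-routing rule that keys on a firewall mark."""
    found = []
    for line in ip_rule_text.splitlines():
        m = re.search(r"fwmark" + MARK_RE + r"(?:/\S+)? lookup (\S+)", line)
        if m:
            found.append((int(m.group(1), 0), m.group(2)))
    return found


def check_tproxy(iptables_save, ip_rule, route_tables):
    """Return a list of problems; an empty list means the pieces fit together."""
    findings = []
    mangle = parse_iptables_save(iptables_save).get("mangle", [])
    tproxy = [r for r in mangle if "-j TPROXY" in r]
    if not tproxy:
        return ["no TPROXY rule in the mangle table"]
    marks = {mark_value(r, "--tproxy-mark") for r in tproxy} - {None}

    # 1. Packets of a flow the proxy already owns must be re-marked via the socket match.
    if not any("-m socket" in r for r in mangle):
        findings.append("no '-m socket' rule diverting established flows")
    set_marks = set()
    for r in mangle:
        if "-j MARK" in r:
            set_marks.add(mark_value(r, "--set-xmark"))
            set_marks.add(mark_value(r, "--set-mark"))
    if not marks & set_marks:
        findings.append("MARK rule does not set the same mark as --tproxy-mark")

    # 2. The mark must select a routing table ...
    routed = [(m, t) for m, t in fwmark_rules(ip_rule) if m in marks]
    if not routed:
        findings.append("no 'ip rule ... fwmark <mark> lookup <table>' entry for the TPROXY mark")
        return findings

    # 3. ... and that table must deliver everything locally; otherwise the lookup
    #    falls through to the main table and marked packets are forwarded, not proxied.
    for _mark, table in routed:
        routes = route_tables.get(table, "")
        if not any(l.startswith("local ") and " dev lo" in l for l in routes.splitlines()):
            findings.append(f"table {table} has no 'local default dev lo' route")
    return findings


if __name__ == "__main__":
    for label, table in (("without local route", TABLE_100_MISSING), ("with local route", TABLE_100_OK)):
        print(label, "->", check_tproxy(IPTABLES_SAVE, IP_RULE, {"100": table}) or ["ok"])
```

Run it on a real box by feeding the three commands' output into `check_tproxy`; an empty result means the rules, the policy-routing rule and the routing table agree on the mark and on local delivery.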
