Posted to users@trafficserver.apache.org by Saraswathi Venkataraman <sa...@Xoriant.Com> on 2012/06/05 17:46:25 UTC

RE: Configuring traffic server on transparent proxy mode.

This is the ifconfig for our machine. We are trying to configure tproxy again on our machine. 

eth0      Link encap:Ethernet  HWaddr 2C:76:8A:53:C8:DC
          inet addr:192.168.115.100  Bcast:192.168.115.255  Mask:255.255.255.0
          inet6 addr: fe80::2e76:8aff:fe53:c8dc/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:16125 errors:0 dropped:0 overruns:0 frame:0
          TX packets:7367 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1700374 (1.6 MiB)  TX bytes:4829093 (4.6 MiB)
          Interrupt:32

eth1      Link encap:Ethernet  HWaddr 2C:76:8A:53:C8:DD
          inet6 addr: fe80::2e76:8aff:fe53:c8dd/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2280896 errors:0 dropped:0 overruns:0 frame:0
          TX packets:12838 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:187005928 (178.3 MiB)  TX bytes:1389503 (1.3 MiB)
          Interrupt:36

eth1.796  Link encap:Ethernet  HWaddr 2C:76:8A:53:C8:DD
          inet addr:10.60.255.254  Bcast:10.60.255.255  Mask:255.255.0.0
          inet6 addr: fe80::2e76:8aff:fe53:c8dd/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2271924 errors:0 dropped:0 overruns:0 frame:0
          TX packets:12808 errors:0 dropped:6 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:136291894 (129.9 MiB)  TX bytes:1278148 (1.2 MiB)

eth1.798  Link encap:Ethernet  HWaddr 2C:76:8A:53:C8:DD
          inet addr:10.61.255.254  Bcast:10.61.255.255  Mask:255.255.0.0
          inet6 addr: fe80::2e76:8aff:fe53:c8dd/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:275 errors:0 dropped:0 overruns:0 frame:0
          TX packets:34 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:14906 (14.5 KiB)  TX bytes:2493 (2.4 KiB)

eth2      Link encap:Ethernet  HWaddr 2C:76:8A:53:C8:DE
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
          Interrupt:32

eth3      Link encap:Ethernet  HWaddr 2C:76:8A:53:C8:DF
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
          Interrupt:36

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:49707 errors:0 dropped:0 overruns:0 frame:0
          TX packets:49707 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:11216523 (10.6 MiB)  TX bytes:11216523 (10.6 MiB)

Output of ip rule list is: 
0:      from all lookup local
32756:  from all fwmark 0x1 lookup 100
32757:  from all fwmark 0x1 iif eth2 lookup 100
32758:  from all fwmark 0x1/0x1 lookup 1
32759:  from all fwmark 0x1 lookup 1
32760:  from all fwmark 0x1 iif eth3 lookup 100
32764:  from all fwmark 0x1 iif eth0 lookup 100
32765:  from all fwmark 0x1 iif eth1 lookup 100
32766:  from all lookup main
32767:  from all lookup default

And iptables -t mangle --list is:
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DIVERT     tcp  --  anywhere             anywhere            socket
TPROXY     tcp  --  anywhere             anywhere            tcp dpt:http TPROXY redirect 0.0.0.0:8080 mark 0x1/0x1

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

Chain DIVERT (1 references)
target     prot opt source               destination
MARK       all  --  anywhere             anywhere            MARK set 0x1
ACCEPT     all  --  anywhere             anywhere

Is there anything wrong with this?

Thanks & Regards
Saraswathi Venkataraman | Xoriant Solutions Pvt. Ltd.  
Winchester, Hiranandani Business Park, Powai, Mumbai 400076, INDIA. 
Tel: +91 22 30511000 | Ext: 1113 | http://www.xoriant.com

-----Original Message-----
From: Alan M. Carroll [mailto:amc@network-geographics.com] 
Sent: Thursday, May 24, 2012 6:59 PM
To: Saraswathi Venkataraman
Subject: Re: Configuring traffic server on transparent proxy mode.

That's all I have in my iptables on my test box and it works in forward transparent mode.

Thursday, May 24, 2012, 7:00:16 AM, you wrote:

> What exactly should I follow?
> Just these two will do?

> iptables -t mangle -A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j TPROXY \
>    --on-ip 0.0.0.0 --on-port 8080 --tproxy-mark 1/1

> iptables -t mangle -A PREROUTING -i eth0 -p tcp -m tcp --sport 80 -j MARK --set-mark 1/1


Re: Configuring traffic server on transparent proxy mode.

Posted by "Alan M. Carroll" <am...@network-geographics.com>.
The iptables rules must be interface specific. The dpt:80 rule must apply only to packets arriving on the client side interface, and the spt:80 must apply only to packets arriving on the origin side interface.

Thursday, June 7, 2012, 10:14:13 AM, you wrote:

> I flushed the iptables. This is what I have added to my iptables. I have the eth1 interface of TS1 to the client and eth2 to the webserver routed as default gateway.

> Table: mangle
> Chain PREROUTING (policy ACCEPT)
> num  target     prot opt source               destination
> 1    MARK       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp spt:80 MARK or 0x1
> 2    TPROXY     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80 TPROXY redirect 0.0.0.0:8080 mark 0x1/0x1
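
The interface requirement described in the reply above can be checked mechanically. The following is an added example, not part of the original thread and not code from Traffic Server. It audits `iptables -t mangle -S PREROUTING` output for TPROXY and MARK rules that have no `-i` match (`iptables -L` without `-v` omits the interface columns, so listings like the ones in this thread cannot show it). The function name and both sample rule sets are constructed; the bound sample uses the eth1/eth0 assignment from the commands quoted earlier in the thread.

```shell
#!/bin/sh
# Added example: audit mangle PREROUTING rules (in `iptables -S` format, read
# on stdin) for TPROXY/MARK rules that are not bound to an input interface.
# Prints one line per rule; exit status is 0 only if every rule has -i.
audit_tproxy_rules() {
    awk '
    $1 == "-A" && $2 == "PREROUTING" {
        target = ""; iface = ""; port = ""
        for (i = 3; i <= NF; i++) {
            if ($i == "-j") target = $(i + 1)
            if ($i == "-i") iface = $(i + 1)
            if ($i == "--dport" || $i == "--sport") port = $i " " $(i + 1)
        }
        # Only the two targets used for transparent interception matter here.
        if (target != "TPROXY" && target != "MARK") next
        if (iface == "") {
            printf "UNBOUND %s rule (%s): add -i <interface>\n", target, port
            bad++
        } else {
            printf "ok      %s rule (%s) on %s\n", target, port, iface
        }
    }
    END { exit (bad > 0) }'
}

# Constructed sample: the same two rules with no interface match at all.
sample_unbound() {
    cat <<'EOF'
-A PREROUTING -p tcp -m tcp --sport 80 -j MARK --or-mark 0x1
-A PREROUTING -p tcp -m tcp --dport 80 -j TPROXY --on-port 8080 --on-ip 0.0.0.0 --tproxy-mark 0x1/0x1
EOF
}

# Constructed sample: dport 80 bound to the client side (eth1) and sport 80
# bound to the origin side (eth0), as in the commands quoted in the thread.
sample_bound() {
    cat <<'EOF'
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j TPROXY --on-port 8080 --on-ip 0.0.0.0 --tproxy-mark 0x1/0x1
-A PREROUTING -i eth0 -p tcp -m tcp --sport 80 -j MARK --set-xmark 0x1/0x1
EOF
}

# Demo run on the unbound sample; on a live box pipe in the real listing:
#   iptables -t mangle -S PREROUTING | audit_tproxy_rules
sample_unbound | audit_tproxy_rules || echo "interface-unbound rules found"
```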


RE: Configuring traffic server on transparent proxy mode.

Posted by Saraswathi Venkataraman <sa...@Xoriant.Com>.
I flushed the iptables. This is what I have added to my iptables. I have the eth1 interface of TS1 to the client and eth2 to the webserver routed as default gateway.

Table: filter
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

Table: mangle
Chain PREROUTING (policy ACCEPT)
num  target     prot opt source               destination
1    MARK       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp spt:80 MARK or 0x1
2    TPROXY     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80 TPROXY redirect 0.0.0.0:8080 mark 0x1/0x1

Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
num  target     prot opt source               destination

------------------------------

This is the result of ip rule list
0:      from all lookup local
32765:  from all fwmark 0x1/0x1 lookup 1
32766:  from all lookup main
32767:  from all lookup default

ip route show table 1
local default dev lo  scope host

What else must I do? The packets are coming in, and getting routed directly to the webserver and getting the response. It is not going through trafficserver at all. Am I missing some iptable routing?

Thanks & Regards
Saraswathi Venkataraman | Xoriant Solutions Pvt. Ltd.  
Winchester, Hiranandani Business Park, Powai, Mumbai 400076, INDIA. 
Tel: +91 22 30511000 | Ext: 1113 | http://www.xoriant.com


-----Original Message-----
From: Saraswathi Venkataraman [mailto:saraswathi.venkataraman@Xoriant.Com] 
Sent: Thursday, June 07, 2012 8:03 PM
To: users@trafficserver.apache.org
Subject: RE: Configuring traffic server on transparent proxy mode.

The packets are still not getting forwarded to the ATS port. It directly gets the response from the server now today. Somehow the packets are not getting intercepted to ATS. I have the same iprules routes and iptables as below. Anything I am missing?

Thanks & Regards
Saraswathi Venkataraman | Xoriant Solutions Pvt. Ltd.  
Winchester, Hiranandani Business Park, Powai, Mumbai 400076, INDIA. 
Tel: +91 22 30511000 | Ext: 1113 | http://www.xoriant.com


-----Original Message-----
From: Alan M. Carroll [mailto:amc@network-geographics.com] 
Sent: Thursday, June 07, 2012 8:31 AM
To: users@trafficserver.apache.org
Subject: Re: Configuring traffic server on transparent proxy mode.

Could you provide some information about what the end result you are looking for? E.g. where are the clients, where are the origin servers / internet, which network paths should be transparent?

Unfortunately I am on vacation this week and so will not be particularly responsive.

My first comment would be that I have not had much success with using "socket" in my iptables rules. I think --sport 80 is better. One problem is that SYN/ACK may not be considered on a socket because it has not yet been established.

You seem to have a lot of rules in your ip rule list - why check for all the interfaces if you are also just checking on the firewall mark?

Tuesday, June 5, 2012, 10:46:25 AM, you wrote:

> This is the ifconfig for our machine. We are trying to configure tproxy again on our machine. 


RE: Configuring traffic server on transparent proxy mode.

Posted by Saraswathi Venkataraman <sa...@Xoriant.Com>.
The packets are still not getting forwarded to the ATS port. It directly gets the response from the server now today. Somehow the packets are not getting intercepted to ATS. I have the same iprules routes and iptables as below. Anything I am missing?

Thanks & Regards
Saraswathi Venkataraman | Xoriant Solutions Pvt. Ltd.  
Winchester, Hiranandani Business Park, Powai, Mumbai 400076, INDIA. 
Tel: +91 22 30511000 | Ext: 1113 | http://www.xoriant.com




RE: Configuring traffic server on transparent proxy mode.

Posted by Saraswathi Venkataraman <sa...@Xoriant.Com>.
Thanks for your prompt reply. It was actually a firewall issue. The TS server was not configured to accept packets on port 80. Once I removed the firewall settings, it started to work.

And as you mentioned, I don't think we would require that many rules in the ip rule list. I removed the unnecessary ones.

Thanks & Regards
Saraswathi Venkataraman | Xoriant Solutions Pvt. Ltd.  
Winchester, Hiranandani Business Park, Powai, Mumbai 400076, INDIA. 
Tel: +91 22 30511000 | Ext: 1113 | http://www.xoriant.com




Re: Configuring traffic server on transparent proxy mode.

Posted by "Alan M. Carroll" <am...@network-geographics.com>.
Could you provide some information about what the end result you are looking for? E.g. where are the clients, where are the origin servers / internet, which network paths should be transparent?

Unfortunately I am on vacation this week and so will not be particularly responsive.

My first comment would be that I have not had much success with using "socket" in my iptables rules. I think --sport 80 is better. One problem is that SYN/ACK may not be considered on a socket because it has not yet been established.

You seem to have a lot of rules in your ip rule list - why check for all the interfaces if you are also just checking on the firewall mark?

Tuesday, June 5, 2012, 10:46:25 AM, you wrote:

> This is the ifconfig for our machine. We are trying to configure tproxy again on our machine.