Posted to users@trafficserver.apache.org by "Alan M. Carroll" <am...@network-geographics.com> on 2011/01/04 03:37:30 UTC

Re: transparent proxy document problems

I've tried setting it up again but I am having problems as well. When I get it working, I will update the documentation and (hopefully!) provide further hints for you.

Friday, December 31, 2010, 7:57:07 AM, you wrote:

> Yes, the clients are attached to interface eth1 in router mode, and
> the clients can access the origin server in bridge mode, without
> ebtables / iptables changes.
> The two ebtables commands can indeed intercept the packet/frame, but
> I am not sure whether the iptables commands work or not.

> My router configuration:
>       iptables -F
>       iptables -t nat -F
>       iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
>       iptables --append FORWARD --in-interface eth1 -j ACCEPT
>       echo 1 > /proc/sys/net/ipv4/ip_forward
>       .... # commands according to the "Inline in linux router" document

> 2010/12/30 Alan M. Carroll <am...@network-geographics.com>:
>> Thursday, December 30, 2010, 3:44:00 AM, you wrote:

>>> Thanks for your reply.
>>> Yes, I set up the policy routing, according to the "Inline on Linux
>>> bridge" document, but it did not work.  The way the "Inline on a Linux
>>> router" document tells us did not work either. The ATS just cannot
>>> accept any request in transparent mode.

>> Are you certain that the client is attached to interface eth1? The treatment of the client side and origin server side interfaces is not symmetric.

>> Does the bridge work without ATS and the ebtables / iptables changes?

Re: transparent proxy document problems

Posted by "Alan M. Carroll" <am...@network-geographics.com>.
I have ATS working in fully transparent mode on a bridged Linux box once again.

Could you check the FILTER chain to make sure that's not preventing connections?

Just to double check, you could do HTTP requests across the bridge before trying to get ATS to work?

Here are some command outputs from my working system. You should check them against yours.

[root@tidus ~]# iptables-save
# Generated by iptables-save v1.4.7 on Mon Jan  3 21:48:59 2011
*mangle
:PREROUTING ACCEPT [62665:33268149]
:INPUT ACCEPT [47460:28434552]
:FORWARD ACCEPT [22286:5671065]
:OUTPUT ACCEPT [38554:11735201]
:POSTROUTING ACCEPT [60855:17406859]
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j TPROXY --on-port 8080 --on-ip 0.0.0.0 --tproxy-mark 0x1/0x1
-A PREROUTING -i eth0 -p tcp -m tcp --sport 80 -j MARK --set-xmark 0x1/0x1
COMMIT
# Completed on Mon Jan  3 21:48:59 2011
# Generated by iptables-save v1.4.7 on Mon Jan  3 21:48:59 2011
*filter
:INPUT ACCEPT [47484:28436623]
:FORWARD ACCEPT [22333:5679872]
:OUTPUT ACCEPT [38568:11736735]
COMMIT
# Completed on Mon Jan  3 21:48:59 2011


[root@tidus ~]# ebtables-save
# Generated by ebtables-save v1.0 on Mon Jan  3 21:49:15 CST 2011
*broute
:BROUTING ACCEPT
-A BROUTING -p IPv4 --ip-proto tcp --ip-dport 80 -j redirect --redirect-target DROP
-A BROUTING -p IPv4 --ip-proto tcp --ip-sport 80 -j redirect --redirect-target DROP

*filter
:INPUT ACCEPT
:FORWARD ACCEPT
:OUTPUT ACCEPT

[root@tidus ~]# ip rule show
0:      from all lookup local
32763:  from all fwmark 0x1/0x1 lookup 1
32766:  from all lookup main
32767:  from all lookup default

[root@tidus ~]# ip route show table 1
local default dev lo  scope host
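As an added example (not part of this thread or of ATS itself), the following checker compares the four outputs Alan asks the reader to check against a working system: it parses iptables-save, ebtables-save, ip rule and ip route text and reports where they disagree (TPROXY mark vs. ip rule, missing local route in the marked table, missing broute rule for either direction, a DROP policy in the filter table). The embedded sample strings are constructed copies of the outputs shown above; feed it the real outputs of your own box to spot the mismatch.

```python
import re

# Constructed sample input: the outputs from the working system shown above.
IPTABLES_SAVE = """\
*mangle
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j TPROXY --on-port 8080 --on-ip 0.0.0.0 --tproxy-mark 0x1/0x1
-A PREROUTING -i eth0 -p tcp -m tcp --sport 80 -j MARK --set-xmark 0x1/0x1
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
COMMIT
"""
EBTABLES_SAVE = """\
*broute
-A BROUTING -p IPv4 --ip-proto tcp --ip-dport 80 -j redirect --redirect-target DROP
-A BROUTING -p IPv4 --ip-proto tcp --ip-sport 80 -j redirect --redirect-target DROP
"""
IP_RULE = "32763:  from all fwmark 0x1/0x1 lookup 1\n32766:  from all lookup main\n"
IP_ROUTE_TABLES = {"1": "local default dev lo  scope host\n"}  # table id -> `ip route show table <id>`
HEX = r"(0x[0-9a-fA-F]+)/(0x[0-9a-fA-F]+)"  # value/mask pair as printed by iptables and ip rule

def check_tproxy_setup(iptables_save, ebtables_save, ip_rule, route_tables):
    """Return the list of inconsistencies found; an empty list means the pieces agree."""
    problems = []
    tp = re.search(r"-j TPROXY --on-port (\d+).*--tproxy-mark " + HEX, iptables_save)
    if not tp:
        return ["no TPROXY rule in the mangle table"]
    mark, mask = int(tp.group(2), 16), int(tp.group(3), 16)
    # Origin replies (sport 80) need the same mark, or the policy rule never routes them locally.
    mk = re.search(r"--sport 80 -j MARK --set-xmark " + HEX, iptables_save)
    if not mk or int(mk.group(1), 16) & mask != mark:
        problems.append("origin-side MARK rule missing or uses a different mark than TPROXY")
    rule = re.search(r"fwmark " + HEX + r" lookup (\S+)", ip_rule)
    if not rule or int(rule.group(1), 16) & mask != mark:
        problems.append("no ip rule matching the TPROXY mark")
    elif not re.search(r"^local default dev lo", route_tables.get(rule.group(3), ""), re.M):
        problems.append(f"routing table {rule.group(3)} lacks 'local default dev lo'")
    # Both directions of port-80 traffic must leave the bridge path (broute DROP) to reach TPROXY.
    for side in ("dport", "sport"):
        if not re.search(rf"-A BROUTING .*--ip-{side} 80 -j redirect --redirect-target DROP", ebtables_save):
            problems.append(f"ebtables broute rule for --ip-{side} 80 missing")
    # A DROP policy on the filter table would silently block the proxied flows.
    filt = iptables_save.split("*filter", 1)[1] if "*filter" in iptables_save else ""
    for chain in ("INPUT", "FORWARD"):
        if re.search(rf"^:{chain} DROP", filt, re.M):
            problems.append(f"filter chain {chain} has policy DROP")
    return problems
```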