Posted to dev@trafficserver.apache.org by Dk Jack <dn...@gmail.com> on 2019/06/24 00:23:17 UTC

transparent proxy

Hi,
I am trying to test ATS in transparent proxy mode. I am using the inline
Linux bridge mode. It doesn't seem to work even though I made the changes
as specified in the ATS documentation. My configuration is shown below. The
request seems to come to the bridge device, however, the packet is not
making it up the stack to ATS. The device receives the TCP SYN, however, it's
not getting forwarded up the stack to ATS. Am I doing something wrong in my
configuration or otherwise? Thanks for the help...

Dk.


----- tshark output ----

[root@testserver03 ~]# tshark -i eth1 port 80 -nn
Running as user "root" and group "root". This could be dangerous.
Capturing on 'eth1'
  1 0.000000000 192.168.20.200 -> 192.168.20.50 TCP 74 54754 > 80 [SYN]
Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=253488830 TSecr=0 WS=128
  2 1.001891063 192.168.20.200 -> 192.168.20.50 TCP 74 [TCP Retransmission]
54754 > 80 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=253489832
TSecr=0 WS=128
  3 3.005951357 192.168.20.200 -> 192.168.20.50 TCP 74 [TCP Retransmission]
54754 > 80 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=253491836
TSecr=0 WS=128

----- Config -----
brctl addbr br0
brctl stp br0 off
brctl addif br0 eth1
brctl addif br0 eth2
ifconfig br0 0.0.0.0
ifconfig eth1 0 0.0.0.0
ifconfig eth2 0 0.0.0.0
ifconfig br0 192.168.10.100 netmask 255.255.255.0 up
ip route add default via 192.168.10.200
ebtables -t broute -F
ebtables -t broute -A BROUTING -p IPv4 --ip-proto tcp --ip-dport 80 \
    -j redirect --redirect-target DROP
ebtables -t broute -A BROUTING -p IPv4 --ip-proto tcp --ip-sport 80 \
    -j redirect --redirect-target DROP
iptables -t mangle -A PREROUTING -i eth1 -p tcp -m tcp --dport 80 \
    -j TPROXY --on-ip 0.0.0.0 --on-port 8080 --tproxy-mark 1/1
iptables -t mangle -A PREROUTING -i eth2 -p tcp -m tcp --sport 80 \
    -j MARK --set-mark 1/1
ip rule add fwmark 1/1 table 1
ip route add local 0.0.0.0/0 dev lo table 1

Re: transparent proxy

Posted by Alan Carroll <so...@verizonmedia.com.INVALID>.
I don't think this went through so I'm sending it again.

These are slides from an ApacheCon talk I gave about transparency. Among
the details is a nice checklist of things to check when it doesn't work.

https://www.dropbox.com/sh/h7erczfbt8ug8kn/AADJAqNz_xizurIHE6hx8Q8ka?preview=ApacheCon-2013.pdf


On Mon, Jun 24, 2019 at 12:45 PM Dk Jack <dn...@gmail.com> wrote:

> Ah! Yeah, I think you are talking about reverse path filter. I remember
> checking for it. But I’ll check again.
>
> Dk.
>
> > On Jun 24, 2019, at 8:31 AM, SUSAN HINRICHS <sh...@ieee.org> wrote:
> >
> > Rp_filter is a reverse proxy filter. If enabled, which it is by default,
> it
> > will drop packets that show up on unexpected interfaces.  May not be an
> > issue in the bridge case, but something to look into.
> >
> >> On Sun, Jun 23, 2019, 11:54 PM Dk Jack <dn...@gmail.com> wrote:
> >>
> >> Hi Susan,
> >> yes, I've enabled ip_forward. What's an rp_filter? Haven't checked
> >> /var/log/messages...
> >>
> >> Bhasker.
> >>
> >>
> >>> On Sun, Jun 23, 2019 at 8:01 PM SUSAN HINRICHS <sh...@ieee.org>
> wrote:
> >>>
> >>> It seems like it takes me a couple days of fiddling each time I have to
> >> set
> >>> up transparent mode.
> >>>
> >>> Have you enabled ip_forward?  Have you disabled rp_filter?  Are you
> >> seeing
> >>> Martian messages in your /var/log/messages?
> >>>
> >>>> On Sun, Jun 23, 2019, 7:23 PM Dk Jack <dn...@gmail.com> wrote:
> >>>>
> >>>> Hi,
> >>>> I am trying to test ATS in transparent proxy mode. I am using the inline
> >>>> Linux bridge mode. It doesn't seem to work even though I made the changes
> >>>> as specified in the ATS documentation. My configuration is shown below. The
> >>>> request seems to come to the bridge device, however, the packet is not
> >>>> making it up the stack to ATS. The device receives the TCP SYN, however, it's
> >>>> not getting forwarded up the stack to ATS. Am I doing something wrong in my
> >>>> configuration or otherwise? Thanks for the help...
> >>>>
> >>>> Dk.
> >>>>
> >>>>
> >>>> ----- tshark output ----
> >>>>
> >>>> [root@testserver03 ~]# tshark -i eth1 port 80 -nn
> >>>> Running as user "root" and group "root". This could be dangerous.
> >>>> Capturing on 'eth1'
> >>>>  1 0.000000000 192.168.20.200 -> 192.168.20.50 TCP 74 54754 > 80 [SYN]
> >>>> Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=253488830 TSecr=0
> >> WS=128
> >>>>  2 1.001891063 192.168.20.200 -> 192.168.20.50 TCP 74 [TCP
> >>> Retransmission]
> >>>> 54754 > 80 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1
> >>> TSval=253489832
> >>>> TSecr=0 WS=128
> >>>>  3 3.005951357 192.168.20.200 -> 192.168.20.50 TCP 74 [TCP
> >>> Retransmission]
> >>>> 54754 > 80 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1
> >>> TSval=253491836
> >>>> TSecr=0 WS=128
> >>>>
> >>>> ----- Config -----
> >>>> brctl addbr br0
> >>>> brctl stp br0 off
> >>>> brctl addif br0 eth1
> >>>> brctl addif br0 eth2
> >>>> ifconfig br0 0.0.0.0
> >>>> ifconfig eth1 0 0.0.0.0
> >>>> ifconfig eth2 0 0.0.0.0
> >>>> ifconfig br0 192.168.10.100 netmask 255.255.255.0 up
> >>>> ip route add default via 192.168.10.200
> >>>> ebtables -t broute -F
> >>>> ebtables -t broute -A BROUTING -p IPv4 --ip-proto tcp --ip-dport 80 \
> >>>>     -j redirect --redirect-target DROP
> >>>> ebtables -t broute -A BROUTING -p IPv4 --ip-proto tcp --ip-sport 80 \
> >>>>     -j redirect --redirect-target DROP
> >>>> iptables -t mangle -A PREROUTING -i eth1 -p tcp -m tcp --dport 80 \
> >>>>     -j TPROXY --on-ip 0.0.0.0 --on-port 8080 --tproxy-mark 1/1
> >>>> iptables -t mangle -A PREROUTING -i eth2 -p tcp -m tcp --sport 80 \
> >>>>     -j MARK --set-mark 1/1
> >>>> ip rule add fwmark 1/1 table 1
> >>>> ip route add local 0.0.0.0/0 dev lo table 1
> >>>>
> >>>
> >>
>

Re: transparent proxy

Posted by Alan Carroll <so...@verizonmedia.com.INVALID>.
I'll try to take a look. Did the slides help at all?

On Tue, Jul 2, 2019 at 9:52 PM Dk Jack <dn...@gmail.com> wrote:

> Hi All,
> Can someone take a look at the iptables trace below and see if I am making
> an error with my ATS linux bridge mode configuration? I've been trying to
> configure ATS in linux bridge mode but have been unsuccessful. I think I've
> followed the documentation to the dot. However, the packets are not making
> it up the linux stack.  Any insight is really appreciated... thanks.
>
> Dk.
>
> OS: CentOS 7.6
>
> Jul  2 22:43:05 localhost kernel: TRACE: raw:PREROUTING:policy:2 IN=enp2s0
> OUT= MAC=00:30:18:08:06:e8:0c:c4:7a:b5:be:eb:08:00 SRC=192.168.10.200
> DST=192.168.10.50 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=61384 DF PROTO=TCP
> SPT=38720 DPT=80 SEQ=1391248160 ACK=0 WINDOW=29200 RES=0x00 SYN URGP=0 OPT
> (020405B40402080A19FF2CE80000000001030307)
> Jul  2 22:43:05 localhost kernel: TRACE: mangle:PREROUTING:rule:1 IN=enp2s0
> OUT= MAC=00:30:18:08:06:e8:0c:c4:7a:b5:be:eb:08:00 SRC=192.168.10.200
> DST=192.168.10.50 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=61384 DF PROTO=TCP
> SPT=38720 DPT=80 SEQ=1391248160 ACK=0 WINDOW=29200 RES=0x00 SYN URGP=0 OPT
> (020405B40402080A19FF2CE80000000001030307)
>
> Bridge tables:
> [root@localhost log]# ebtables -t broute -L
> Bridge table: broute
>
> Bridge chain: BROUTING, entries: 2, policy: ACCEPT
> -p IPv4 --ip-proto tcp --ip-dport 80 -j redirect  --redirect-target DROP
> -p IPv4 --ip-proto tcp --ip-sport 80 -j redirect  --redirect-target DROP
> [root@localhost log]#
>
> Ip tables:
>
> [root@localhost log]# iptables -t mangle -L -n --line-numbers
> Chain PREROUTING (policy ACCEPT)
> num  target     prot opt source               destination
> 1    TPROXY     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp
> dpt:80 TPROXY redirect 0.0.0.0:8080 mark 0x1/0x1
> 2    MARK       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp
> spt:80 MARK or 0x1
>
> Chain INPUT (policy ACCEPT)
> num  target     prot opt source               destination
>
> Chain FORWARD (policy ACCEPT)
> num  target     prot opt source               destination
>
> Chain OUTPUT (policy ACCEPT)
> num  target     prot opt source               destination
>
> Chain POSTROUTING (policy ACCEPT)
> num  target     prot opt source               destination
>
>
> All commands:
> brctl addbr br0
> brctl stp br0 off
> brctl addif br0 enp2s0
> brctl addif br0 enp1s0f3
> ifconfig enp2s0 0 0.0.0.0
> ifconfig enp1s0f3 0 0.0.0.0
> ifconfig br0 0.0.0.0
> ifconfig br0 192.168.150.150 netmask 255.255.255.0 up
> ebtables -t broute -F
> ebtables -t broute -A BROUTING -p IPv4 --ip-proto tcp --ip-dport 80 \
>     -j redirect --redirect-target DROP
> ebtables -t broute -A BROUTING -p IPv4 --ip-proto tcp --ip-sport 80 \
>     -j redirect --redirect-target DROP
> iptables -t mangle -A PREROUTING -i enp2s0 -p tcp -m tcp --dport 80 \
>     -j TPROXY --on-ip 0.0.0.0 --on-port 8080 --tproxy-mark 1/1
> iptables -t mangle -A PREROUTING -i enp1s0f3 -p tcp -m tcp --sport 80 \
>     -j MARK --set-mark 1/1
> ip rule add fwmark 1/1 table 1
> ip route add local 0.0.0.0/0 dev lo table 1
>
> On Mon, Jun 24, 2019 at 4:49 PM Dk Jack <dn...@gmail.com> wrote:
>
> > I disabled rp_filter. However, I see no change in behavior. The kernel
> > seems to be dropping it after picking it up from the interface. I can see
> > the SYN when I do tcpdump on the physical interface. However, I don't see
> > it on bridge interface (br0). Not sure if that offers a clue. I flushed
> all
> > the filters as recommended in the debug section. Still no luck...
> >
> > On Mon, Jun 24, 2019 at 10:45 AM Dk Jack <dn...@gmail.com> wrote:
> >
> >> Ah! Yeah, I think you are talking about reverse path filter. I remember
> >> checking for it. But I’ll check again.
> >>
> >> Dk.
> >>
> >> > On Jun 24, 2019, at 8:31 AM, SUSAN HINRICHS <sh...@ieee.org>
> wrote:
> >> >
> >> > Rp_filter is a reverse proxy filter. If enabled, which it is by
> >> default, it
> >> > will drop packets that show up on unexpected interfaces.  May not be
> an
> >> > issue in the bridge case, but something to look into.
> >> >
> >> >> On Sun, Jun 23, 2019, 11:54 PM Dk Jack <dn...@gmail.com> wrote:
> >> >>
> >> >> Hi Susan,
> >> >> yes, I've enabled ip_forward. What's an rp_filter? Haven't checked
> >> >> /var/log/messages...
> >> >>
> >> >> Bhasker.
> >> >>
> >> >>
> >> >>> On Sun, Jun 23, 2019 at 8:01 PM SUSAN HINRICHS <sh...@ieee.org>
> >> wrote:
> >> >>>
> >> >>> It seems like it takes me a couple days of fiddling each time I have
> >> to
> >> >> set
> >> >>> up transparent mode.
> >> >>>
> >> >>> Have you enabled ip_forward?  Have you disabled rp_filter?  Are you
> >> >> seeing
> >> >>> Martian messages in your /var/log/messages?
> >> >>>
> >> >>>> On Sun, Jun 23, 2019, 7:23 PM Dk Jack <dn...@gmail.com> wrote:
> >> >>>>
> >> >>>> Hi,
> >> >>>> I am trying to test ATS in transparent proxy mode. I am using the inline
> >> >>>> Linux bridge mode. It doesn't seem to work even though I made the changes
> >> >>>> as specified in the ATS documentation. My configuration is shown below. The
> >> >>>> request seems to come to the bridge device, however, the packet is not
> >> >>>> making it up the stack to ATS. The device receives the TCP SYN, however, it's
> >> >>>> not getting forwarded up the stack to ATS. Am I doing something wrong in my
> >> >>>> configuration or otherwise? Thanks for the help...
> >> >>>>
> >> >>>> Dk.
> >> >>>>
> >> >>>>
> >> >>>> ----- tshark output ----
> >> >>>>
> >> >>>> [root@testserver03 ~]# tshark -i eth1 port 80 -nn
> >> >>>> Running as user "root" and group "root". This could be dangerous.
> >> >>>> Capturing on 'eth1'
> >> >>>>  1 0.000000000 192.168.20.200 -> 192.168.20.50 TCP 74 54754 > 80
> >> [SYN]
> >> >>>> Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=253488830 TSecr=0
> >> >> WS=128
> >> >>>>  2 1.001891063 192.168.20.200 -> 192.168.20.50 TCP 74 [TCP
> >> >>> Retransmission]
> >> >>>> 54754 > 80 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1
> >> >>> TSval=253489832
> >> >>>> TSecr=0 WS=128
> >> >>>>  3 3.005951357 192.168.20.200 -> 192.168.20.50 TCP 74 [TCP
> >> >>> Retransmission]
> >> >>>> 54754 > 80 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1
> >> >>> TSval=253491836
> >> >>>> TSecr=0 WS=128
> >> >>>>
> >> >>>> ----- Config -----
> >> >>>> brctl addbr br0
> >> >>>> brctl stp br0 off
> >> >>>> brctl addif br0 eth1
> >> >>>> brctl addif br0 eth2
> >> >>>> ifconfig br0 0.0.0.0
> >> >>>> ifconfig eth1 0 0.0.0.0
> >> >>>> ifconfig eth2 0 0.0.0.0
> >> >>>> ifconfig br0 192.168.10.100 netmask 255.255.255.0 up
> >> >>>> ip route add default via 192.168.10.200
> >> >>>> ebtables -t broute -F
> >> >>>> ebtables -t broute -A BROUTING -p IPv4 --ip-proto tcp --ip-dport 80 \
> >> >>>>     -j redirect --redirect-target DROP
> >> >>>> ebtables -t broute -A BROUTING -p IPv4 --ip-proto tcp --ip-sport 80 \
> >> >>>>     -j redirect --redirect-target DROP
> >> >>>> iptables -t mangle -A PREROUTING -i eth1 -p tcp -m tcp --dport 80 \
> >> >>>>     -j TPROXY --on-ip 0.0.0.0 --on-port 8080 --tproxy-mark 1/1
> >> >>>> iptables -t mangle -A PREROUTING -i eth2 -p tcp -m tcp --sport 80 \
> >> >>>>     -j MARK --set-mark 1/1
> >> >>>> ip rule add fwmark 1/1 table 1
> >> >>>> ip route add local 0.0.0.0/0 dev lo table 1
> >> >>>>
> >> >>>
> >> >>
> >>
> >
>

Re: transparent proxy

Posted by Dk Jack <dn...@gmail.com>.
Hi All,
Can someone take a look at the iptables trace below and see if I am making
an error with my ATS linux bridge mode configuration? I've been trying to
configure ATS in linux bridge mode but have been unsuccessful. I think I've
followed the documentation to the dot. However, the packets are not making
it up the linux stack.  Any insight is really appreciated... thanks.

Dk.

OS: CentOS 7.6

Jul  2 22:43:05 localhost kernel: TRACE: raw:PREROUTING:policy:2 IN=enp2s0
OUT= MAC=00:30:18:08:06:e8:0c:c4:7a:b5:be:eb:08:00 SRC=192.168.10.200
DST=192.168.10.50 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=61384 DF PROTO=TCP
SPT=38720 DPT=80 SEQ=1391248160 ACK=0 WINDOW=29200 RES=0x00 SYN URGP=0 OPT
(020405B40402080A19FF2CE80000000001030307)
Jul  2 22:43:05 localhost kernel: TRACE: mangle:PREROUTING:rule:1 IN=enp2s0
OUT= MAC=00:30:18:08:06:e8:0c:c4:7a:b5:be:eb:08:00 SRC=192.168.10.200
DST=192.168.10.50 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=61384 DF PROTO=TCP
SPT=38720 DPT=80 SEQ=1391248160 ACK=0 WINDOW=29200 RES=0x00 SYN URGP=0 OPT
(020405B40402080A19FF2CE80000000001030307)

Bridge tables:
[root@localhost log]# ebtables -t broute -L
Bridge table: broute

Bridge chain: BROUTING, entries: 2, policy: ACCEPT
-p IPv4 --ip-proto tcp --ip-dport 80 -j redirect  --redirect-target DROP
-p IPv4 --ip-proto tcp --ip-sport 80 -j redirect  --redirect-target DROP
[root@localhost log]#

Ip tables:

[root@localhost log]# iptables -t mangle -L -n --line-numbers
Chain PREROUTING (policy ACCEPT)
num  target     prot opt source               destination
1    TPROXY     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp
dpt:80 TPROXY redirect 0.0.0.0:8080 mark 0x1/0x1
2    MARK       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp
spt:80 MARK or 0x1

Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
num  target     prot opt source               destination


All commands:
brctl addbr br0
brctl stp br0 off
brctl addif br0 enp2s0
brctl addif br0 enp1s0f3
ifconfig enp2s0 0 0.0.0.0
ifconfig enp1s0f3 0 0.0.0.0
ifconfig br0 0.0.0.0
ifconfig br0 192.168.150.150 netmask 255.255.255.0 up
ebtables -t broute -F
ebtables -t broute -A BROUTING -p IPv4 --ip-proto tcp --ip-dport 80 \
    -j redirect --redirect-target DROP
ebtables -t broute -A BROUTING -p IPv4 --ip-proto tcp --ip-sport 80 \
    -j redirect --redirect-target DROP
iptables -t mangle -A PREROUTING -i enp2s0 -p tcp -m tcp --dport 80 \
    -j TPROXY --on-ip 0.0.0.0 --on-port 8080 --tproxy-mark 1/1
iptables -t mangle -A PREROUTING -i enp1s0f3 -p tcp -m tcp --sport 80 \
    -j MARK --set-mark 1/1
ip rule add fwmark 1/1 table 1
ip route add local 0.0.0.0/0 dev lo table 1

On Mon, Jun 24, 2019 at 4:49 PM Dk Jack <dn...@gmail.com> wrote:

> I disabled rp_filter. However, I see no change in behavior. The kernel
> seems to be dropping it after picking it up from the interface. I can see
> the SYN when I do tcpdump on the physical interface. However, I don't see
> it on bridge interface (br0). Not sure if that offers a clue. I flushed all
> the filters as recommended in the debug section. Still no luck...
>
> On Mon, Jun 24, 2019 at 10:45 AM Dk Jack <dn...@gmail.com> wrote:
>
>> Ah! Yeah, I think you are talking about reverse path filter. I remember
>> checking for it. But I’ll check again.
>>
>> Dk.
>>
>> > On Jun 24, 2019, at 8:31 AM, SUSAN HINRICHS <sh...@ieee.org> wrote:
>> >
>> > Rp_filter is a reverse proxy filter. If enabled, which it is by
>> default, it
>> > will drop packets that show up on unexpected interfaces.  May not be an
>> > issue in the bridge case, but something to look into.
>> >
>> >> On Sun, Jun 23, 2019, 11:54 PM Dk Jack <dn...@gmail.com> wrote:
>> >>
>> >> Hi Susan,
>> >> yes, I've enabled ip_forward. What's an rp_filter? Haven't checked
>> >> /var/log/messages...
>> >>
>> >> Bhasker.
>> >>
>> >>
>> >>> On Sun, Jun 23, 2019 at 8:01 PM SUSAN HINRICHS <sh...@ieee.org>
>> wrote:
>> >>>
>> >>> It seems like it takes me a couple days of fiddling each time I have
>> to
>> >> set
>> >>> up transparent mode.
>> >>>
>> >>> Have you enabled ip_forward?  Have you disabled rp_filter?  Are you
>> >> seeing
>> >>> Martian messages in your /var/log/messages?
>> >>>
>> >>>> On Sun, Jun 23, 2019, 7:23 PM Dk Jack <dn...@gmail.com> wrote:
>> >>>>
>> >>>> Hi,
>> >>>> I am trying to test ATS in transparent proxy mode. I am using the inline
>> >>>> Linux bridge mode. It doesn't seem to work even though I made the changes
>> >>>> as specified in the ATS documentation. My configuration is shown below. The
>> >>>> request seems to come to the bridge device, however, the packet is not
>> >>>> making it up the stack to ATS. The device receives the TCP SYN, however, it's
>> >>>> not getting forwarded up the stack to ATS. Am I doing something wrong in my
>> >>>> configuration or otherwise? Thanks for the help...
>> >>>>
>> >>>> Dk.
>> >>>>
>> >>>>
>> >>>> ----- tshark output ----
>> >>>>
>> >>>> [root@testserver03 ~]# tshark -i eth1 port 80 -nn
>> >>>> Running as user "root" and group "root". This could be dangerous.
>> >>>> Capturing on 'eth1'
>> >>>>  1 0.000000000 192.168.20.200 -> 192.168.20.50 TCP 74 54754 > 80
>> [SYN]
>> >>>> Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=253488830 TSecr=0
>> >> WS=128
>> >>>>  2 1.001891063 192.168.20.200 -> 192.168.20.50 TCP 74 [TCP
>> >>> Retransmission]
>> >>>> 54754 > 80 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1
>> >>> TSval=253489832
>> >>>> TSecr=0 WS=128
>> >>>>  3 3.005951357 192.168.20.200 -> 192.168.20.50 TCP 74 [TCP
>> >>> Retransmission]
>> >>>> 54754 > 80 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1
>> >>> TSval=253491836
>> >>>> TSecr=0 WS=128
>> >>>>
>> >>>> ----- Config -----
>> >>>> brctl addbr br0
>> >>>> brctl stp br0 off
>> >>>> brctl addif br0 eth1
>> >>>> brctl addif br0 eth2
>> >>>> ifconfig br0 0.0.0.0
>> >>>> ifconfig eth1 0 0.0.0.0
>> >>>> ifconfig eth2 0 0.0.0.0
>> >>>> ifconfig br0 192.168.10.100 netmask 255.255.255.0 up
>> >>>> ip route add default via 192.168.10.200
>> >>>> ebtables -t broute -F
>> >>>> ebtables -t broute -A BROUTING -p IPv4 --ip-proto tcp --ip-dport 80 \
>> >>>>     -j redirect --redirect-target DROP
>> >>>> ebtables -t broute -A BROUTING -p IPv4 --ip-proto tcp --ip-sport 80 \
>> >>>>     -j redirect --redirect-target DROP
>> >>>> iptables -t mangle -A PREROUTING -i eth1 -p tcp -m tcp --dport 80 \
>> >>>>     -j TPROXY --on-ip 0.0.0.0 --on-port 8080 --tproxy-mark 1/1
>> >>>> iptables -t mangle -A PREROUTING -i eth2 -p tcp -m tcp --sport 80 \
>> >>>>     -j MARK --set-mark 1/1
>> >>>> ip rule add fwmark 1/1 table 1
>> >>>> ip route add local 0.0.0.0/0 dev lo table 1
>> >>>>
>> >>>
>> >>
>>
>
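
The trace in the post above ends at mangle:PREROUTING rule 1, the TPROXY rule, with nothing after it. The script below is an added example for reading such traces; it is not from the thread or from the ATS project. It groups kernel TRACE lines by flow and IP ID, prints the sequence of hooks each packet passed, and lists the packets that never got past PREROUTING. The first two sample lines repeat the shape of the trace posted above (trimmed to the fields the script reads); the second client (192.168.10.201) and its INPUT lines are constructed to show what a locally delivered packet looks like for contrast.

```shell
#!/bin/sh
# Added example, not from the thread or the ATS project: rebuild each packet's
# path through the netfilter hooks from "iptables -t raw ... -j TRACE" output
# and list the packets that never got past PREROUTING.
#
# Live usage:  grep 'TRACE:' /var/log/messages | stalled_flows

# trace_paths: read TRACE lines on stdin, print one "flow;hook hook ..." line per packet
trace_paths() {
  awk '
    /TRACE: / {
      hook = ""; src = ""; dst = ""; spt = ""; dpt = ""; id = ""
      for (i = 1; i <= NF; i++) {
        if ($i == "TRACE:") { split($(i + 1), h, ":"); hook = h[1] ":" h[2] }  # table:chain
        else if ($i ~ /^SRC=/) src = substr($i, 5)
        else if ($i ~ /^DST=/) dst = substr($i, 5)
        else if ($i ~ /^SPT=/) spt = substr($i, 5)
        else if ($i ~ /^DPT=/) dpt = substr($i, 5)
        else if ($i ~ /^ID=/)  id  = substr($i, 4)
      }
      key = src ":" spt " > " dst ":" dpt " ID=" id   # IP ID keeps retransmitted SYNs apart
      if (!(key in path)) { order[++n] = key; path[key] = hook }
      else path[key] = path[key] " " hook
    }
    END { for (i = 1; i <= n; i++) print order[i] ";" path[order[i]] }'
}

# stalled_flows: packets whose last traced hook is still a PREROUTING chain,
# i.e. they were dropped before reaching INPUT or FORWARD
stalled_flows() {
  trace_paths | awk -F ';' '{ n = split($2, h, " "); if (h[n] ~ /PREROUTING$/) print $1 " last=" h[n] }'
}

# Constructed sample.  Lines 1-2 mirror the trace in the post (fields trimmed);
# lines 3-6 are a made-up second client whose SYN is delivered locally.
SAMPLE_TRACE='Jul  2 22:43:05 localhost kernel: TRACE: raw:PREROUTING:policy:2 IN=enp2s0 OUT= MAC=00:30:18:08:06:e8:0c:c4:7a:b5:be:eb:08:00 SRC=192.168.10.200 DST=192.168.10.50 LEN=60 ID=61384 DF PROTO=TCP SPT=38720 DPT=80 SYN URGP=0
Jul  2 22:43:05 localhost kernel: TRACE: mangle:PREROUTING:rule:1 IN=enp2s0 OUT= MAC=00:30:18:08:06:e8:0c:c4:7a:b5:be:eb:08:00 SRC=192.168.10.200 DST=192.168.10.50 LEN=60 ID=61384 DF PROTO=TCP SPT=38720 DPT=80 SYN URGP=0
Jul  2 22:43:07 localhost kernel: TRACE: raw:PREROUTING:policy:2 IN=enp2s0 OUT= MAC=00:30:18:08:06:e8:0c:c4:7a:b5:be:ec:08:00 SRC=192.168.10.201 DST=192.168.10.50 LEN=60 ID=4242 DF PROTO=TCP SPT=40000 DPT=80 SYN URGP=0
Jul  2 22:43:07 localhost kernel: TRACE: mangle:PREROUTING:rule:1 IN=enp2s0 OUT= MAC=00:30:18:08:06:e8:0c:c4:7a:b5:be:ec:08:00 SRC=192.168.10.201 DST=192.168.10.50 LEN=60 ID=4242 DF PROTO=TCP SPT=40000 DPT=80 SYN URGP=0
Jul  2 22:43:07 localhost kernel: TRACE: mangle:INPUT:policy:1 IN=enp2s0 OUT= MAC=00:30:18:08:06:e8:0c:c4:7a:b5:be:ec:08:00 SRC=192.168.10.201 DST=192.168.10.50 LEN=60 ID=4242 DF PROTO=TCP SPT=40000 DPT=80 SYN URGP=0
Jul  2 22:43:07 localhost kernel: TRACE: filter:INPUT:policy:1 IN=enp2s0 OUT= MAC=00:30:18:08:06:e8:0c:c4:7a:b5:be:ec:08:00 SRC=192.168.10.201 DST=192.168.10.50 LEN=60 ID=4242 DF PROTO=TCP SPT=40000 DPT=80 SYN URGP=0'

echo "--- per-packet hook paths ---"
printf '%s\n' "$SAMPLE_TRACE" | trace_paths
echo "--- packets that never left PREROUTING ---"
printf '%s\n' "$SAMPLE_TRACE" | stalled_flows
```

A packet that is accepted out of mangle PREROUTING is traced next in the INPUT chains (local delivery) or FORWARD; one whose last hit is the TPROXY rule was dropped by that rule or at the routing decision right behind it. The TPROXY target drops a packet when it finds no established or IP_TRANSPARENT listening socket for its --on-ip/--on-port, so with a trace like the one above the next thing to verify is that a transparent listener really exists on 8080 (in ATS that is a proxy.config.http.server_ports entry marked tr-in or tr-full, and setting IP_TRANSPARENT needs CAP_NET_ADMIN); an rp_filter drop at the routing step only becomes visible as a martian log line when log_martians is enabled.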

Re: transparent proxy

Posted by Dk Jack <dn...@gmail.com>.
I disabled rp_filter. However, I see no change in behavior. The kernel
seems to be dropping it after picking it up from the interface. I can see
the SYN when I do tcpdump on the physical interface. However, I don't see
it on bridge interface (br0). Not sure if that offers a clue. I flushed all
the filters as recommended in the debug section. Still no luck...

On Mon, Jun 24, 2019 at 10:45 AM Dk Jack <dn...@gmail.com> wrote:

> Ah! Yeah, I think you are talking about reverse path filter. I remember
> checking for it. But I’ll check again.
>
> Dk.
>
> > On Jun 24, 2019, at 8:31 AM, SUSAN HINRICHS <sh...@ieee.org> wrote:
> >
> > Rp_filter is a reverse proxy filter. If enabled, which it is by default,
> it
> > will drop packets that show up on unexpected interfaces.  May not be an
> > issue in the bridge case, but something to look into.
> >
> >> On Sun, Jun 23, 2019, 11:54 PM Dk Jack <dn...@gmail.com> wrote:
> >>
> >> Hi Susan,
> >> yes, I've enabled ip_forward. What's an rp_filter? Haven't checked
> >> /var/log/messages...
> >>
> >> Bhasker.
> >>
> >>
> >>> On Sun, Jun 23, 2019 at 8:01 PM SUSAN HINRICHS <sh...@ieee.org>
> wrote:
> >>>
> >>> It seems like it takes me a couple days of fiddling each time I have to
> >> set
> >>> up transparent mode.
> >>>
> >>> Have you enabled ip_forward?  Have you disabled rp_filter?  Are you
> >> seeing
> >>> Martian messages in your /var/log/messages?
> >>>
> >>>> On Sun, Jun 23, 2019, 7:23 PM Dk Jack <dn...@gmail.com> wrote:
> >>>>
> >>>> Hi,
> >>>> I am trying to test ATS in transparent proxy mode. I am using the inline
> >>>> Linux bridge mode. It doesn't seem to work even though I made the changes
> >>>> as specified in the ATS documentation. My configuration is shown below. The
> >>>> request seems to come to the bridge device, however, the packet is not
> >>>> making it up the stack to ATS. The device receives the TCP SYN, however, it's
> >>>> not getting forwarded up the stack to ATS. Am I doing something wrong in my
> >>>> configuration or otherwise? Thanks for the help...
> >>>>
> >>>> Dk.
> >>>>
> >>>>
> >>>> ----- tshark output ----
> >>>>
> >>>> [root@testserver03 ~]# tshark -i eth1 port 80 -nn
> >>>> Running as user "root" and group "root". This could be dangerous.
> >>>> Capturing on 'eth1'
> >>>>  1 0.000000000 192.168.20.200 -> 192.168.20.50 TCP 74 54754 > 80 [SYN]
> >>>> Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=253488830 TSecr=0
> >> WS=128
> >>>>  2 1.001891063 192.168.20.200 -> 192.168.20.50 TCP 74 [TCP
> >>> Retransmission]
> >>>> 54754 > 80 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1
> >>> TSval=253489832
> >>>> TSecr=0 WS=128
> >>>>  3 3.005951357 192.168.20.200 -> 192.168.20.50 TCP 74 [TCP
> >>> Retransmission]
> >>>> 54754 > 80 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1
> >>> TSval=253491836
> >>>> TSecr=0 WS=128
> >>>>
> >>>> ----- Config -----
> >>>> brctl addbr br0
> >>>> brctl stp br0 off
> >>>> brctl addif br0 eth1
> >>>> brctl addif br0 eth2
> >>>> ifconfig br0 0.0.0.0
> >>>> ifconfig eth1 0 0.0.0.0
> >>>> ifconfig eth2 0 0.0.0.0
> >>>> ifconfig br0 192.168.10.100 netmask 255.255.255.0 up
> >>>> ip route add default via 192.168.10.200
> >>>> ebtables -t broute -F
> >>>> ebtables -t broute -A BROUTING -p IPv4 --ip-proto tcp --ip-dport 80 \
> >>>>     -j redirect --redirect-target DROP
> >>>> ebtables -t broute -A BROUTING -p IPv4 --ip-proto tcp --ip-sport 80 \
> >>>>     -j redirect --redirect-target DROP
> >>>> iptables -t mangle -A PREROUTING -i eth1 -p tcp -m tcp --dport 80 \
> >>>>     -j TPROXY --on-ip 0.0.0.0 --on-port 8080 --tproxy-mark 1/1
> >>>> iptables -t mangle -A PREROUTING -i eth2 -p tcp -m tcp --sport 80 \
> >>>>     -j MARK --set-mark 1/1
> >>>> ip rule add fwmark 1/1 table 1
> >>>> ip route add local 0.0.0.0/0 dev lo table 1
> >>>>
> >>>
> >>
>

Re: transparent proxy

Posted by Dk Jack <dn...@gmail.com>.
Ah! Yeah, I think you are talking about reverse path filter. I remember checking for it. But I’ll check again.

Dk. 

> On Jun 24, 2019, at 8:31 AM, SUSAN HINRICHS <sh...@ieee.org> wrote:
> 
> Rp_filter is a reverse proxy filter. If enabled, which it is by default, it
> will drop packets that show up on unexpected interfaces.  May not be an
> issue in the bridge case, but something to look into.
> 
>> On Sun, Jun 23, 2019, 11:54 PM Dk Jack <dn...@gmail.com> wrote:
>> 
>> Hi Susan,
>> yes, I've enabled ip_forward. What's an rp_filter? Haven't checked
>> /var/log/messages...
>> 
>> Bhasker.
>> 
>> 
>>> On Sun, Jun 23, 2019 at 8:01 PM SUSAN HINRICHS <sh...@ieee.org> wrote:
>>> 
>>> It seems like it takes me a couple days of fiddling each time I have to
>> set
>>> up transparent mode.
>>> 
>>> Have you enabled ip_forward?  Have you disabled rp_filter?  Are you
>> seeing
>>> Martian messages in your /var/log/messages?
>>> 
>>>> On Sun, Jun 23, 2019, 7:23 PM Dk Jack <dn...@gmail.com> wrote:
>>>> 
>>>> Hi,
>>>> I am trying to test ATS in transparent proxy mode. I am using the inline
>>>> Linux bridge mode. It doesn't seem to work even though I made the changes
>>>> as specified in the ATS documentation. My configuration is shown below. The
>>>> request seems to come to the bridge device, however, the packet is not
>>>> making it up the stack to ATS. The device receives the TCP SYN, however, it's
>>>> not getting forwarded up the stack to ATS. Am I doing something wrong in my
>>>> configuration or otherwise? Thanks for the help...
>>>> 
>>>> Dk.
>>>> 
>>>> 
>>>> ----- tshark output ----
>>>> 
>>>> [root@testserver03 ~]# tshark -i eth1 port 80 -nn
>>>> Running as user "root" and group "root". This could be dangerous.
>>>> Capturing on 'eth1'
>>>>  1 0.000000000 192.168.20.200 -> 192.168.20.50 TCP 74 54754 > 80 [SYN]
>>>> Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=253488830 TSecr=0
>> WS=128
>>>>  2 1.001891063 192.168.20.200 -> 192.168.20.50 TCP 74 [TCP
>>> Retransmission]
>>>> 54754 > 80 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1
>>> TSval=253489832
>>>> TSecr=0 WS=128
>>>>  3 3.005951357 192.168.20.200 -> 192.168.20.50 TCP 74 [TCP
>>> Retransmission]
>>>> 54754 > 80 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1
>>> TSval=253491836
>>>> TSecr=0 WS=128
>>>> 
>>>> ----- Config -----
>>>> brctl addbr br0
>>>> brctl stp br0 off
>>>> brctl addif br0 eth1
>>>> brctl addif br0 eth2
>>>> ifconfig br0 0.0.0.0
>>>> ifconfig eth1 0 0.0.0.0
>>>> ifconfig eth2 0 0.0.0.0
>>>> ifconfig br0 192.168.10.100 netmask 255.255.255.0 up
>>>> ip route add default via 192.168.10.200
>>>> ebtables -t broute -F
>>>> ebtables -t broute -A BROUTING -p IPv4 --ip-proto tcp --ip-dport 80 \
>>>>     -j redirect --redirect-target DROP
>>>> ebtables -t broute -A BROUTING -p IPv4 --ip-proto tcp --ip-sport 80 \
>>>>     -j redirect --redirect-target DROP
>>>> iptables -t mangle -A PREROUTING -i eth1 -p tcp -m tcp --dport 80 \
>>>>     -j TPROXY --on-ip 0.0.0.0 --on-port 8080 --tproxy-mark 1/1
>>>> iptables -t mangle -A PREROUTING -i eth2 -p tcp -m tcp --sport 80 \
>>>>     -j MARK --set-mark 1/1
>>>> ip rule add fwmark 1/1 table 1
>>>> ip route add local 0.0.0.0/0 dev lo table 1
>>>> 
>>> 
>> 

Re: transparent proxy

Posted by SUSAN HINRICHS <sh...@ieee.org>.
Rp_filter is a reverse proxy filter. If enabled, which it is by default, it
will drop packets that show up on unexpected interfaces.  May not be an
issue in the bridge case, but something to look into.

On Sun, Jun 23, 2019, 11:54 PM Dk Jack <dn...@gmail.com> wrote:

> Hi Susan,
> yes, I've enabled ip_forward. What's an rp_filter? Haven't checked
> /var/log/messages...
>
> Bhasker.
>
>
> On Sun, Jun 23, 2019 at 8:01 PM SUSAN HINRICHS <sh...@ieee.org> wrote:
>
> > It seems like it takes me a couple days of fiddling each time I have to
> set
> > up transparent mode.
> >
> > Have you enabled ip_forward?  Have you disabled rp_filter?  Are you
> seeing
> > Martian messages in your /var/log/messages?
> >
> > On Sun, Jun 23, 2019, 7:23 PM Dk Jack <dn...@gmail.com> wrote:
> >
> > > Hi,
> > > I am trying to test ATS in transparent proxy mode. I am using the inline
> > > Linux bridge mode. It doesn't seem to work even though I made the changes
> > > as specified in the ATS documentation. My configuration is shown below. The
> > > request seems to come to the bridge device, however, the packet is not
> > > making it up the stack to ATS. The device receives the TCP SYN, however, it's
> > > not getting forwarded up the stack to ATS. Am I doing something wrong in my
> > > configuration or otherwise? Thanks for the help...
> > >
> > > Dk.
> > >
> > >
> > > ----- tshark output ----
> > >
> > > [root@testserver03 ~]# tshark -i eth1 port 80 -nn
> > > Running as user "root" and group "root". This could be dangerous.
> > > Capturing on 'eth1'
> > >   1 0.000000000 192.168.20.200 -> 192.168.20.50 TCP 74 54754 > 80 [SYN]
> > > Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=253488830 TSecr=0
> WS=128
> > >   2 1.001891063 192.168.20.200 -> 192.168.20.50 TCP 74 [TCP
> > Retransmission]
> > > 54754 > 80 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1
> > TSval=253489832
> > > TSecr=0 WS=128
> > >   3 3.005951357 192.168.20.200 -> 192.168.20.50 TCP 74 [TCP
> > Retransmission]
> > > 54754 > 80 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1
> > TSval=253491836
> > > TSecr=0 WS=128
> > >
> > > ----- Config -----
> > > brctl addbr br0
> > > brctl stp br0 off
> > > brctl addif br0 eth1
> > > brctl addif br0 eth2
> > > ifconfig br0 0.0.0.0
> > > ifconfig eth1 0 0.0.0.0
> > > ifconfig eth2 0 0.0.0.0
> > > ifconfig br0 192.168.10.100 netmask 255.255.255.0 up
> > > ip route add default via 192.168.10.200
> > > ebtables -t broute -F
> > > ebtables -t broute -A BROUTING -p IPv4 --ip-proto tcp --ip-dport 80 \
> > >     -j redirect --redirect-target DROP
> > > ebtables -t broute -A BROUTING -p IPv4 --ip-proto tcp --ip-sport 80 \
> > >     -j redirect --redirect-target DROP
> > > iptables -t mangle -A PREROUTING -i eth1 -p tcp -m tcp --dport 80 \
> > >     -j TPROXY --on-ip 0.0.0.0 --on-port 8080 --tproxy-mark 1/1
> > > iptables -t mangle -A PREROUTING -i eth2 -p tcp -m tcp --sport 80 \
> > >     -j MARK --set-mark 1/1
> > > ip rule add fwmark 1/1 table 1
> > > ip route add local 0.0.0.0/0 dev lo table 1
> > >
> >
>
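
Susan's three questions above (ip_forward, rp_filter, martian messages) are the usual preflight for a transparent bridge host. The following is an added example, not from the thread or the ATS project: a small sh/awk checker that reads `sysctl -a` style output, so it can also be run against a saved dump. The caveat it encodes: the kernel applies the larger of net.ipv4.conf.all.rp_filter and net.ipv4.conf.<iface>.rp_filter, so rp_filter is only off for an interface when both are 0, and a bridge created while net.ipv4.conf.default.rp_filter is 1 inherits 1 even if "all" was cleared. The sample sysctl dump is constructed to show exactly that state; the interface names are the ones used in the thread.

```shell
#!/bin/sh
# Added example, not from the thread or the ATS project: check the sysctl
# preconditions for a Linux transparent bridge host.
#
#   - net.ipv4.ip_forward must be 1
#   - rp_filter must be 0 on the bridge and on every bridge port.  The kernel
#     uses max(conf.all.rp_filter, conf.<iface>.rp_filter), so clearing "all"
#     alone is not enough when the interface value is still 1.
#   - log_martians is advisory: enabling it on "all" is enough (the kernel ORs
#     "all" with the per-interface value) and makes rp_filter drops appear in
#     /var/log/messages.
#
# Live usage:  sysctl -a 2>/dev/null | check_sysctl br0,enp2s0,enp1s0f3
# Exit status is 1 when at least one FAIL line was printed.

check_sysctl() {
  awk -v ifaces="$1" '
    # sysctl -a prints "key = value"; strip blanks and index by key
    /=/ { line = $0; gsub(/[ \t]/, "", line); split(line, kv, "="); v[kv[1]] = kv[2] }
    END {
      ok = 1
      if (v["net.ipv4.ip_forward"] != "1") {
        print "FAIL net.ipv4.ip_forward=" v["net.ipv4.ip_forward"] " (need 1)"; ok = 0
      } else print "OK   net.ipv4.ip_forward=1"

      all = v["net.ipv4.conf.all.rp_filter"] + 0
      n = split(ifaces, ifs, ",")
      for (i = 1; i <= n; i++) {
        k = "net.ipv4.conf." ifs[i] ".rp_filter"
        if (!(k in v)) print "WARN " k " not in input (interface down or name misspelled?)"
        dev = v[k] + 0
        eff = (dev > all) ? dev : all          # effective value the kernel applies
        if (eff != 0) {
          print "FAIL " k " effective=" eff " (all=" all " iface=" dev "; need 0 on both)"; ok = 0
        } else print "OK   " k " effective=0"
      }

      if (v["net.ipv4.conf.all.log_martians"] != "1")
        print "INFO net.ipv4.conf.all.log_martians=0 (set to 1 to log rp_filter drops)"
      exit (ok ? 0 : 1)
    }'
}

# Constructed sample in sysctl -a format: only conf.all.rp_filter was cleared,
# and default=1 had already been copied to br0 and enp2s0 when they came up.
SAMPLE_SYSCTL='net.ipv4.ip_forward = 1
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.br0.rp_filter = 1
net.ipv4.conf.enp2s0.rp_filter = 1
net.ipv4.conf.enp1s0f3.rp_filter = 0
net.ipv4.conf.all.log_martians = 0'

printf '%s\n' "$SAMPLE_SYSCTL" | check_sysctl br0,enp2s0,enp1s0f3
echo "check_sysctl exit status: $?"
```

On the sample this prints FAIL for br0 and enp2s0 (effective 1 although "all" is 0), OK for enp1s0f3, and an INFO line suggesting log_martians, then exits 1. To fix the flagged state on a real host, set both net.ipv4.conf.all.rp_filter and net.ipv4.conf.<iface>.rp_filter to 0 for the bridge and each port, and set net.ipv4.conf.default.rp_filter to 0 before creating the bridge so that newly created interfaces do not inherit 1.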

Re: transparent proxy

Posted by Alan Carroll <so...@verizonmedia.com.INVALID>.
See if this helps - among other things it has a checklist of issues to
check.
https://www.dropbox.com/sh/h7erczfbt8ug8kn/AADJAqNz_xizurIHE6hx8Q8ka
This is available from the wiki, under "Presentations", back from 2013.

On Sun, Jun 23, 2019 at 11:54 PM Dk Jack <dn...@gmail.com> wrote:

> Hi Susan,
> yes, I've enabled ip_forward. What's an rp_filter? Haven't checked
> /var/log/messages...
>
> Bhasker.
>
>
> On Sun, Jun 23, 2019 at 8:01 PM SUSAN HINRICHS <sh...@ieee.org> wrote:
>
> > It seems like it takes me a couple days of fiddling each time I have to
> set
> > up transparent mode.
> >
> > Have you enabled ip_forward?  Have you disabled rp_filter?  Are you
> seeing
> > Martian messages in your /var/log/messages?
> >
> > On Sun, Jun 23, 2019, 7:23 PM Dk Jack <dn...@gmail.com> wrote:
> >
> > > Hi,
> > > I am trying to test ATS in transparent proxy mode. I am using the inline
> > > Linux bridge mode. It doesn't seem to work even though I made the changes
> > > as specified in the ATS documentation. My configuration is shown below. The
> > > request seems to come to the bridge device, however, the packet is not
> > > making it up the stack to ATS. The device receives the TCP SYN, however, it's
> > > not getting forwarded up the stack to ATS. Am I doing something wrong in my
> > > configuration or otherwise? Thanks for the help...
> > >
> > > Dk.
> > >
> > >
> > > ----- tshark output ----
> > >
> > > [root@testserver03 ~]# tshark -i eth1 port 80 -nn
> > > Running as user "root" and group "root". This could be dangerous.
> > > Capturing on 'eth1'
> > >   1 0.000000000 192.168.20.200 -> 192.168.20.50 TCP 74 54754 > 80 [SYN]
> > > Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=253488830 TSecr=0 WS=128
> > >   2 1.001891063 192.168.20.200 -> 192.168.20.50 TCP 74 [TCP Retransmission]
> > > 54754 > 80 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=253489832
> > > TSecr=0 WS=128
> > >   3 3.005951357 192.168.20.200 -> 192.168.20.50 TCP 74 [TCP Retransmission]
> > > 54754 > 80 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=253491836
> > > TSecr=0 WS=128
> > >
> > > ----- Config -----
> > > brctl addbr br0
> > > brctl stp br0 off
> > > brctl addif br0 eth1
> > > brctl addif br0 eth2
> > > ifconfig br0 0.0.0.0
> > > ifconfig eth1 0 0.0.0.0
> > > ifconfig eth2 0 0.0.0.0
> > > ifconfig br0 192.168.10.100 netmask 255.255.255.0 up
> > > ip route add default via 192.168.10.200
> > > ebtables -t broute -F
> > > ebtables -t broute -A BROUTING -p IPv4 --ip-proto tcp --ip-dport 80 -j
> > > redirect --redirect-target DROP
> > > ebtables -t broute -A BROUTING -p IPv4 --ip-proto tcp --ip-sport 80 -j
> > > redirect --redirect-target DROP
> > > iptables -t mangle -A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j TPROXY
> > > --on-ip 0.0.0.0 --on-port 8080 --tproxy-mark 1/1
> > > iptables -t mangle -A PREROUTING -i eth2 -p tcp -m tcp --sport 80 -j MARK
> > > --set-mark 1/1
> > > ip rule add fwmark 1/1 table 1
> > > ip route add local 0.0.0.0/0 dev lo table 1
> > >
> >
>

Re: transparent proxy

Posted by Dk Jack <dn...@gmail.com>.
Hi Susan,
yes, I've enabled ip_forward. What's an rp_filter? Haven't checked
/var/log/messages...

Bhasker.


On Sun, Jun 23, 2019 at 8:01 PM SUSAN HINRICHS <sh...@ieee.org> wrote:

> It seems like it takes me a couple days of fiddling each time I have to set
> up transparent mode.
>
> Have you enabled ip_forward?  Have you disabled rp_filter?  Are you seeing
> Martian messages in your /var/log/messages?
>
> On Sun, Jun 23, 2019, 7:23 PM Dk Jack <dn...@gmail.com> wrote:
>
> > Hi,
> > I am trying to test ATS in transparent proxy mode. I am using the inline
> > linux bridge mode. It doesn't seem to work even though I made the changes
> > as specified in the ATS documentation. My configuration is shown below. The
> > request seems to come to the bridge device, however, the packet is not
> > making up the stack to ATS. The device receives the TCP SYN, however, it's
> > not getting forwarded up the stack to ATS. Am I doing something wrong in my
> > configuration or otherwise? Thanks for the help...
> >
> > Dk.
> >
> >
> > ----- tshark output ----
> >
> > [root@testserver03 ~]# tshark -i eth1 port 80 -nn
> > Running as user "root" and group "root". This could be dangerous.
> > Capturing on 'eth1'
> >   1 0.000000000 192.168.20.200 -> 192.168.20.50 TCP 74 54754 > 80 [SYN]
> > Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=253488830 TSecr=0 WS=128
> >   2 1.001891063 192.168.20.200 -> 192.168.20.50 TCP 74 [TCP Retransmission]
> > 54754 > 80 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=253489832
> > TSecr=0 WS=128
> >   3 3.005951357 192.168.20.200 -> 192.168.20.50 TCP 74 [TCP Retransmission]
> > 54754 > 80 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=253491836
> > TSecr=0 WS=128
> >
> > ----- Config -----
> > brctl addbr br0
> > brctl stp br0 off
> > brctl addif br0 eth1
> > brctl addif br0 eth2
> > ifconfig br0 0.0.0.0
> > ifconfig eth1 0 0.0.0.0
> > ifconfig eth2 0 0.0.0.0
> > ifconfig br0 192.168.10.100 netmask 255.255.255.0 up
> > ip route add default via 192.168.10.200
> > ebtables -t broute -F
> > ebtables -t broute -A BROUTING -p IPv4 --ip-proto tcp --ip-dport 80 -j
> > redirect --redirect-target DROP
> > ebtables -t broute -A BROUTING -p IPv4 --ip-proto tcp --ip-sport 80 -j
> > redirect --redirect-target DROP
> > iptables -t mangle -A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j TPROXY
> > --on-ip 0.0.0.0 --on-port 8080 --tproxy-mark 1/1
> > iptables -t mangle -A PREROUTING -i eth2 -p tcp -m tcp --sport 80 -j MARK
> > --set-mark 1/1
> > ip rule add fwmark 1/1 table 1
> > ip route add local 0.0.0.0/0 dev lo table 1
> >
>

Re: transparent proxy

Posted by SUSAN HINRICHS <sh...@ieee.org>.
It seems like it takes me a couple days of fiddling each time I have to set
up transparent mode.

Have you enabled ip_forward?  Have you disabled rp_filter?  Are you seeing
Martian messages in your /var/log/messages?

On Sun, Jun 23, 2019, 7:23 PM Dk Jack <dn...@gmail.com> wrote:

> Hi,
> I am trying to test ATS in transparent proxy mode. I am using the inline
> linux bridge mode. It doesn't seem to work even though I made the changes
> as specified in the ATS documentation. My configuration is shown below. The
> request seems to come to the bridge device, however, the packet is not
> making up the stack to ATS. The device receives the TCP SYN, however, it's
> not getting forwarded up the stack to ATS. Am I doing something wrong in my
> configuration or otherwise? Thanks for the help...
>
> Dk.
>
>
> ----- tshark output ----
>
> [root@testserver03 ~]# tshark -i eth1 port 80 -nn
> Running as user "root" and group "root". This could be dangerous.
> Capturing on 'eth1'
>   1 0.000000000 192.168.20.200 -> 192.168.20.50 TCP 74 54754 > 80 [SYN]
> Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=253488830 TSecr=0 WS=128
>   2 1.001891063 192.168.20.200 -> 192.168.20.50 TCP 74 [TCP Retransmission]
> 54754 > 80 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=253489832
> TSecr=0 WS=128
>   3 3.005951357 192.168.20.200 -> 192.168.20.50 TCP 74 [TCP Retransmission]
> 54754 > 80 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=253491836
> TSecr=0 WS=128
>
> ----- Config -----
> brctl addbr br0
> brctl stp br0 off
> brctl addif br0 eth1
> brctl addif br0 eth2
> ifconfig br0 0.0.0.0
> ifconfig eth1 0 0.0.0.0
> ifconfig eth2 0 0.0.0.0
> ifconfig br0 192.168.10.100 netmask 255.255.255.0 up
> ip route add default via 192.168.10.200
> ebtables -t broute -F
> ebtables -t broute -A BROUTING -p IPv4 --ip-proto tcp --ip-dport 80 -j
> redirect --redirect-target DROP
> ebtables -t broute -A BROUTING -p IPv4 --ip-proto tcp --ip-sport 80 -j
> redirect --redirect-target DROP
> iptables -t mangle -A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j TPROXY
> --on-ip 0.0.0.0 --on-port 8080 --tproxy-mark 1/1
> iptables -t mangle -A PREROUTING -i eth2 -p tcp -m tcp --sport 80 -j MARK
> --set-mark 1/1
> ip rule add fwmark 1/1 table 1
> ip route add local 0.0.0.0/0 dev lo table 1
>
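As an added example (not code from the thread or from ATS), a POSIX shell helper that audits the items in Susan's checklist, ip_forward, rp_filter and martian log lines, plus the fwmark policy route from the posted config. It assumes the sysctl tree lives under /proc/sys and takes the root, log path and captured `ip` output as arguments so each check can be exercised against a constructed tree; the interface names eth1/eth2/br0 are the ones from the posted config.

```shell
#!/bin/sh
# Added example, not from the thread: offline-friendly checks for the knobs
# Susan lists (ip_forward, rp_filter, martian log lines) plus the fwmark policy
# route from the posted config. Every function takes its input as an argument
# (a sysctl root such as /proc/sys, a log path, or captured `ip` output) so it
# can run against a constructed tree as well as the live box.

# 0 if net.ipv4.ip_forward is 1 under the given sysctl root.
ip_forward_ok() {
    [ "$(cat "$1/net/ipv4/ip_forward" 2>/dev/null)" = "1" ]
}

# 0 if rp_filter is 0 for "all" and for every interface named after the root.
# The kernel uses the larger of conf/all and conf/<iface>, so a stray 1 on
# either side re-enables the reverse-path check that drops TPROXY'd SYNs.
rp_filter_ok() {
    root=$1; shift
    for ifc in all "$@"; do
        v=$(cat "$root/net/ipv4/conf/$ifc/rp_filter" 2>/dev/null || echo missing)
        [ "$v" = "0" ] || { echo "rp_filter on $ifc is '$v' (want 0)"; return 1; }
    done
}

# Number of "martian source" lines in a log file (0 if it is unreadable).
martian_count() {
    if [ -r "$1" ]; then grep -c 'martian source' "$1" || true; else echo 0; fi
}

# 0 if the text of `ip rule show` ($1) sends fwmark 1 to table 1 and the text
# of `ip route show table 1` ($2) holds the local catch-all route on lo.
policy_route_ok() {
    printf '%s\n' "$1" | grep -q 'fwmark 0x1.*lookup 1' &&
        printf '%s\n' "$2" | grep -q '^local default dev lo'
}

# Run every check against the live host for the bridge ports in the thread;
# returns the number of failures so it can gate a deployment script.
audit() {
    root=${1:-/proc/sys}; log=${2:-/var/log/messages}; fails=0
    ip_forward_ok "$root" || { echo "ip_forward is not 1"; fails=$((fails + 1)); }
    rp_filter_ok "$root" eth1 eth2 br0 || fails=$((fails + 1))
    policy_route_ok "$(ip rule show 2>/dev/null)" "$(ip route show table 1 2>/dev/null)" ||
        { echo "fwmark 1 -> table 1 local route is missing"; fails=$((fails + 1)); }
    n=$(martian_count "$log")
    [ "$n" -eq 0 ] || echo "note: $n martian-source lines in $log (logged when log_martians is set)"
    return $fails
}
```

Run `audit` as root on the bridge host; a non-zero return names the knob that still needs changing.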