Hi,

I have set up my test HAproxy environment according to
https://www.haproxy.com/blog/howto-transparent-proxying-and-binding-with-haproxy-and-aloha-load-balancer/

I have set up the firewall rules for IPv4 and IPv6.

    TEST testha1:~/svnconfig/etc/iptables# iptables -t mangle -vL
    Chain PREROUTING (policy ACCEPT 163K packets, 291M bytes)
     pkts bytes target  prot opt in   out  source    destination
     374K   68M DIVERT  tcp  --  any  any  anywhere  anywhere     socket

    Chain DIVERT (1 references)
     pkts bytes target  prot opt in   out  source    destination
     374K   68M MARK    all  --  any  any  anywhere  anywhere     MARK set 0x1
     374K   68M ACCEPT  all  --  any  any  anywhere  anywhere

    TEST testha1:~/svnconfig/etc/iptables# ip6tables -t mangle -vL
    Chain PREROUTING (policy ACCEPT 409K packets, 788M bytes)
     pkts bytes target  prot opt in   out  source    destination
     373K   75M DIVERT  tcp      any  any  anywhere  anywhere     socket

    Chain DIVERT (1 references)
     pkts bytes target  prot opt in   out  source    destination
     373K   75M MARK    all      any  any  anywhere  anywhere     MARK set 0x1
     373K   75M ACCEPT  all      any  any  anywhere  anywhere

I have added the required ip commands:

    post-up ip rule add fwmark 1 lookup 100
    post-up ip route add local 0.0.0.0/0 dev lo table 100
    post-up ip route add local ::/0 dev lo table 100

    listen mail-test-submission
        bind 128.130.xx.yy:587 transparent name submission
        mode tcp
        source 0.0.0.0 usesrc clientip
        log-format %ci:%cp\ [%t]\ %ft\ %s\ %si:%sp\ %Tw/%Tc/%Tt\ %B\ %ts\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq
        balance leastconn

That works like a charm. For IPv6 I set it up accordingly:

    listen mail-test-v6-submission
        bind 2001:629:xx:yy::zz:587 transparent name submission
        mode tcp
        source [::] usesrc clientip
        log-format %ci:%cp\ [%t]\ %ft\ %s\ %si:%sp\ %Tw/%Tc/%Tt\ %B\ %ts\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq
        balance leastconn

There, with the source line, it fails to connect. On the outside interface I see a Syn, Syn->Ack, Ack TCP flow, but on the inside (HAproxy to application server) I see only Syn, Syn-Ack, Syn, Syn-Ack traffic.

HAproxy (1.8.19-1, Debian Buster) is running as root. Does anyone have such a setup running and might be able to help? I haven't found any hints on this problem...

Thanks
Philipp

--
-----------------------------------------------------------------------
DI Mag. Philipp Kolmann          mail: philipp.kolm...@tuwien.ac.at
Technische Universitaet Wien     web: www.it.tuwien.ac.at
IT Solutions - Applications      tel: +43(1)58801-42011
Operngasse 11, A-1040 Wien       DVR: 0005886
-----------------------------------------------------------------------
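
The following is an added example, not part of the original post: a per-family check that the policy routing pieces listed in the message (the `fwmark 1 lookup 100` rule and the local default route in table 100) are present, since `ip rule add` without `-6` writes only the IPv4 rule database. The function names and the embedded `ip` output are constructed for illustration.

```shell
#!/bin/sh
# Added example: verify the transparent-proxy policy routing for one address family.
# Output text is passed in as arguments so the logic runs offline on captured output.

# has_fwmark_rule RULES MARK TABLE -> 0 if a "fwmark MARK lookup TABLE" rule exists
has_fwmark_rule() {
    mark_hex=$(printf '0x%x' "$2")
    printf '%s\n' "$1" | grep -Eq "fwmark ${mark_hex}(/0x[0-9a-f]+)? lookup $3( |\$)"
}

# has_local_default ROUTES -> 0 if the table holds a local default route via lo
has_local_default() {
    printf '%s\n' "$1" | grep -Eq '^local (default|0\.0\.0\.0/0|::/0) dev lo( |$)'
}

# check_family LABEL RULES ROUTES -> prints findings, returns 0 only if both exist
check_family() {
    status=0
    has_fwmark_rule "$2" 1 100 || { echo "$1: missing fwmark 1 lookup 100 rule"; status=1; }
    has_local_default "$3" || { echo "$1: missing local default route in table 100"; status=1; }
    if [ "$status" -eq 0 ]; then echo "$1: ok"; fi
    return "$status"
}

# Constructed sample output (not taken from the poster's host)
V4_RULES='0: from all lookup local
32765: from all fwmark 0x1 lookup 100
32766: from all lookup main
32767: from all lookup default'
V4_ROUTES='local default dev lo scope host'
V6_RULES='0: from all lookup local
32766: from all lookup main'
V6_ROUTES='local default dev lo metric 1024 pref medium'

check_family IPv4 "$V4_RULES" "$V4_ROUTES" || true
check_family IPv6 "$V6_RULES" "$V6_ROUTES" || true

# On a live host, feed real output instead:
#   check_family IPv4 "$(ip -4 rule show)" "$(ip -4 route show table 100)"
#   check_family IPv6 "$(ip -6 rule show)" "$(ip -6 route show table 100)"
```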