Hi,

I have set up my test-HAproxy-env according to

https://www.haproxy.com/blog/howto-transparent-proxying-and-binding-with-haproxy-and-aloha-load-balancer/

I have set up the firewall rules for IPv4 and IPv6.

TEST testha1:~/svnconfig/etc/iptables# iptables -t mangle -vL
Chain PREROUTING (policy ACCEPT 163K packets, 291M bytes)
 pkts bytes target     prot opt in     out     source destination
 374K   68M DIVERT     tcp  --  any    any     anywhere anywhere             socket

Chain DIVERT (1 references)
 pkts bytes target     prot opt in     out     source destination
 374K   68M MARK       all  --  any    any     anywhere anywhere             MARK set 0x1
 374K   68M ACCEPT     all  --  any    any     anywhere anywhere


TEST testha1:~/svnconfig/etc/iptables# ip6tables -t mangle -vL
Chain PREROUTING (policy ACCEPT 409K packets, 788M bytes)
 pkts bytes target     prot opt in     out     source destination
 373K   75M DIVERT     tcp      any    any     anywhere anywhere             socket

Chain DIVERT (1 references)
 pkts bytes target     prot opt in     out     source destination
 373K   75M MARK       all      any    any     anywhere anywhere             MARK set 0x1
 373K   75M ACCEPT     all      any    any     anywhere anywhere


I have added the required ip cmds:

        post-up ip rule add fwmark 1 lookup 100
        post-up ip route add local 0.0.0.0/0 dev lo table 100
        post-up ip route add local ::/0 dev lo table 100

listen mail-test-submission
        bind 128.130.xx.yy:587 transparent name submission
        mode tcp
        source 0.0.0.0 usesrc clientip
        log-format %ci:%cp\ [%t]\ %ft\ %s\ %si:%sp\ %Tw/%Tc/%Tt\ %B\ %ts\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq
        balance leastconn


That works like a charm.

In IPv6 I set it up accordingly:

listen mail-test-v6-submission
        bind 2001:629:xx:yy::zz:587 transparent name submission
        mode tcp
        source [::] usesrc clientip
        log-format %ci:%cp\ [%t]\ %ft\ %s\ %si:%sp\ %Tw/%Tc/%Tt\ %B\ %ts\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq
        balance leastconn


There, with the source line, it fails to connect.

I see on the outside interface a Syn, Syn->Ack, Ack TCP flow, but on the inside (HAproxy to application Server) I see only Syn, Syn-Ack, Syn, Syn-Ack traffic.

HAproxy (1.8.19-1, Debian Buster) is running as root.

Does anyone have such a setup running and may be able to help? I haven't found any hints on this problem...

Thanks
Philipp

--
-----------------------------------------------------------------------
DI Mag. Philipp Kolmann              mail: philipp.kolm...@tuwien.ac.at
Technische Universitaet Wien                   web: www.it.tuwien.ac.at
IT Solutions - Applications                      tel: +43(1)58801-42011
Operngasse 11, A-1040 Wien                                 DVR: 0005886
-----------------------------------------------------------------------
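
The `post-up` lines in the message add the fwmark rule with plain `ip rule add`, which iproute2 applies to the IPv4 rule table unless `-6` is given, so a per-family check of the rule and the local route is a useful first diagnostic. The following is an added example, not part of the original post; the function names are hypothetical and the sample `ip` output is constructed, not captured from the poster's host.

```shell
#!/bin/sh
# Added example: verify the transparent-proxy policy routing for one address family.
# Live use: check_family "$(ip -6 rule show)" "$(ip -6 route show table 100)"

# Succeeds if `ip rule show` text on stdin has a rule: fwmark $1 -> lookup $2.
has_fwmark_rule() {
    want=$(printf '0x%x' "$(( $1 ))")   # accept 1 or 0x1; ip prints the mark in hex
    awk -v mark="$want" -v table="$2" '
        {
            m = ""; t = ""
            for (i = 1; i < NF; i++) {
                if ($i == "fwmark") { split($(i + 1), p, "/"); m = p[1] }  # drop /mask
                if ($i == "lookup") t = $(i + 1)
            }
            if ((m "") == (mark "") && (t "") == (table "")) found = 1
        }
        END { exit(found ? 0 : 1) }'
}

# Succeeds if `ip route show table N` text on stdin has "local default ... dev lo".
has_local_default() {
    awk '$1 == "local" && $2 == "default" {
             for (i = 3; i < NF; i++) if ($i == "dev" && $(i + 1) == "lo") found = 1
         }
         END { exit(found ? 0 : 1) }'
}

# Prints ok, missing-rule or missing-route for one family's rule and route text.
check_family() {
    if ! printf '%s\n' "$1" | has_fwmark_rule 1 100; then echo missing-rule
    elif ! printf '%s\n' "$2" | has_local_default; then echo missing-route
    else echo ok
    fi
}

# Constructed sample output: IPv4 has the fwmark rule, IPv6 does not.
V4_RULES='0: from all lookup local
32765: from all fwmark 0x1 lookup 100
32766: from all lookup main
32767: from all lookup default'
V4_ROUTES='local default dev lo scope host'
V6_RULES='0: from all lookup local
32766: from all lookup main'
V6_ROUTES='local default dev lo metric 1024 pref medium'

echo "IPv4: $(check_family "$V4_RULES" "$V4_ROUTES")"
echo "IPv6: $(check_family "$V6_RULES" "$V6_ROUTES")"
```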
