On 12/29/2015 06:34 AM, Jacob W. Hiltz wrote:
> Shorewall version 4.6.4.3
>
> I am trying to configure Shorewall such that it will allow
> HAProxy, running on the same machine, to pass through the connecting
> clients' IP (transparent mode). I've tried to adapt a modified version of
> the squid transparent configuration using TProxy but am unable to
> connect to the backend servers.
>
> - Shorewall is the gateway for the backend servers
> - HAProxy is correctly configured
> - Kernel support compiled "CONFIG_NETFILTER_TPROXY"
> "CONFIG_NETFILTER_XT_TARGET_TPROXY"
>
> The below rules do fix my issue, allowing the connections. I am quite
> new to Shorewall/IPTables but expect this to be somewhat of a trivial issue.
>
> iptables -t mangle -N DIVERT
> iptables -t mangle -A PREROUTING -p tcp -m \
> socket -j DIVERT
> iptables -t mangle -A DIVERT -j MARK --set-mark 1
> iptables -t mangle -A DIVERT -j ACCEPT
> ip rule add fwmark 1 lookup 100
> ip route add local 0.0.0.0/0 dev lo table 100
Sorry to be slow responding - holiday season has been very busy.

Shorewall does not currently include support for HAProxy and I need to understand what part of the TPROXY support is preventing HAProxy from working.

If you change your second rule to include '--transparent' after 'socket', does it still work? If so, I assume that adding '! ! --tcp-flags FIN,SYN,RST,ACK SYN' after '-p tcp' prevents it from working?

Thanks,
-Tom

-- 
Tom Eastep        \   When I die, I want to go like my Grandfather who
Shoreline,         \   died peacefully in his sleep. Not screaming like
Washington, USA     \   all of the passengers in his car
http://shorewall.net \________________________________________________
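The rule set from the original post, together with the two variants Tom asks the poster to test, packaged as a small POSIX sh script. This is an added example for the thread, not code from either message and not part of Shorewall; the function names, the variant names (plain, transparent, nosyn) and the show/apply/remove modes are assumptions made here. The mark value 1 and routing table 100 are the ones from the post. Applying or removing rules needs root plus iptables and ip; the rule builder runs anywhere, so the generated commands can be reviewed before anything touches the mangle table.

```shell
#!/bin/sh
# Added example (not from the Shorewall thread): builds the TPROXY "DIVERT"
# rule set from the post, with the variants Tom asks about, and can apply,
# verify and remove it. Root is needed only for apply/remove.
set -eu

FWMARK=1          # fwmark used in the post
RT_TABLE=100      # policy-routing table used in the post

# Print the PREROUTING match for one variant (variant names are assumptions):
#   plain        - "-m socket" exactly as in the post
#   transparent  - adds "--transparent", i.e. only match packets that belong
#                  to a socket with IP_TRANSPARENT set (Tom's first question)
#   nosyn        - additionally leaves SYN packets out of the divert
#                  (Tom's second question)
socket_match() {
    case "$1" in
        plain)       echo "-p tcp -m socket" ;;
        transparent) echo "-p tcp -m socket --transparent" ;;
        nosyn)       echo "-p tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m socket --transparent" ;;
        *)           echo "unknown variant: $1" >&2; return 1 ;;
    esac
}

# Print the complete rule set, one command per line, for the given variant.
tproxy_rules() {
    match=$(socket_match "$1") || return 1
    cat <<EOF
iptables -t mangle -N DIVERT
iptables -t mangle -A PREROUTING $match -j DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark $FWMARK
iptables -t mangle -A DIVERT -j ACCEPT
ip rule add fwmark $FWMARK lookup $RT_TABLE
ip route add local 0.0.0.0/0 dev lo table $RT_TABLE
EOF
}

# Apply the rules (root), echoing each command, then dump the resulting
# chain, policy rule and route so they can be checked against the intent.
tproxy_apply() {
    tproxy_rules "$1" | while IFS= read -r cmd; do
        printf '+ %s\n' "$cmd"
        $cmd
    done
    iptables -t mangle -S DIVERT
    ip rule show fwmark "$FWMARK"
    ip route show table "$RT_TABLE"
}

# Undo in reverse order; each step is tolerant so a half-applied set
# (e.g. after a failed apply) can still be cleaned up.
tproxy_remove() {
    ip route del local 0.0.0.0/0 dev lo table "$RT_TABLE" 2>/dev/null || true
    ip rule del fwmark "$FWMARK" lookup "$RT_TABLE" 2>/dev/null || true
    iptables -t mangle -D PREROUTING $(socket_match "$1") -j DIVERT 2>/dev/null || true
    iptables -t mangle -F DIVERT 2>/dev/null || true
    iptables -t mangle -X DIVERT 2>/dev/null || true
}

# Usage: tproxy.sh [show|apply|remove] [plain|transparent|nosyn]
case "${1:-show}" in
    show)   tproxy_rules "${2:-plain}" ;;
    apply)  tproxy_apply "${2:-plain}" ;;
    remove) tproxy_remove "${2:-plain}" ;;
    *)      echo "usage: $0 [show|apply|remove] [plain|transparent|nosyn]" >&2; exit 2 ;;
esac
```

Run `show transparent` or `show nosyn` to see exactly which PREROUTING rule each of Tom's questions corresponds to, then `apply <variant>` and `remove <variant>` with the same variant name so the `-D` in the removal matches the rule that was inserted. Note that `-m socket --transparent` only diverts packets that already belong to a transparent socket, so the first packet of a new connection is never matched by it; which of the two extra conditions breaks HAProxy is precisely what the thread is trying to find out.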
_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users
