This doesn't work for full transparency because you're not redirecting the return traffic. Traffic from the client is redirected up to ATS.
However, when ATS attempts to connect to the origin server *using the client IP address* the return traffic (with a *source* port of 80) will go right through the ATS server and arrive at the client which (because it's not connected to the origin server) will simply discard the packet. You need

iptables -v -t mangle -A PREROUTING -p tcp --sport 80 -j TPROXY --tproxy-mark 1/1 --on-port 8080

See here[1] for a bit more detail.

This is why ">" (client side transparency) works, because in that case ATS uses its own IP address for the origin server connection and the return traffic is routed correctly.

[1] http://people.apache.org/~amc/tiphares/router-inline.html

Friday, June 10, 2011, 10:38:33 AM, you wrote:
> --
> #!/bin/sh
> IPTABLES=/sbin/iptables
> ${IPTABLES} -v -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 8080
> ip rule add fwmark 1 lookup 100
> ip route add local 0.0.0.0/0 dev lo table 100
> --
> Only thing is... I see a fair bit of load on the machine when the system is
> doing virtually nothing. Shutting down ATS seems to stop that. Very curious.
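The complete rule set the reply describes, as an added example that is not part of the thread or of the ATS documentation it links: the quoted script's client-to-origin rule (`--dport 80`) plus the missing return-path rule (`--sport 80`), followed by the policy-routing entries that deliver marked packets locally. The ATS port 8080, fwmark 1 and routing table 100 are taken from the thread; the `DRY_RUN` switch and the `show`/`apply` arguments are this example's own additions so the rules can be inspected without root or a TPROXY-capable kernel.

```shell
#!/bin/sh
# Added example (not from the original thread): the full TPROXY rule set for an
# inline ATS box. Both directions of the origin connection must be pulled into
# ATS: packets *to* port 80 (client -> origin) and packets *from* port 80
# (origin -> client). Without the second rule the origin's replies, which are
# addressed to the client IP that ATS spoofed, are simply forwarded past ATS.

ATS_PORT=8080   # ATS transparent listener, as in the thread
MARK=1          # fwmark used to select the local-delivery table, as in the thread
TABLE=100       # policy routing table, as in the thread

# Execute a command, or with DRY_RUN=1 only print it (this example's addition).
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

tproxy_rules() {
    # Client -> origin: traffic destined for port 80 is handed to ATS.
    run iptables -v -t mangle -A PREROUTING -p tcp --dport 80 \
        -j TPROXY --tproxy-mark "${MARK}/${MARK}" --on-port "${ATS_PORT}"
    # Origin -> client: the return traffic (source port 80) must ALSO be handed
    # to ATS, otherwise it reaches the client, which discards it.
    run iptables -v -t mangle -A PREROUTING -p tcp --sport 80 \
        -j TPROXY --tproxy-mark "${MARK}/${MARK}" --on-port "${ATS_PORT}"
    # Policy routing: packets carrying the mark are delivered locally (to the
    # TPROXY socket) instead of being forwarded.
    run ip rule add fwmark "${MARK}" lookup "${TABLE}"
    run ip route add local 0.0.0.0/0 dev lo table "${TABLE}"
}

# Print the rule set without applying it.
show_rules() {
    ( DRY_RUN=1; tproxy_rules )
}

# Self-check helper: how many TPROXY rules match the given direction flag
# ("--dport" or "--sport") on port 80. A complete set has one of each.
count_direction() {
    show_rules | grep -c -e "$1 80"
}

case "${1:-}" in
    show)  show_rules ;;
    apply) tproxy_rules ;;   # needs root and CONFIG_NETFILTER_XT_TARGET_TPROXY
    *)     ;;
esac
```

Run `sh tproxy.sh show` to review the commands, then `sh tproxy.sh apply` as root on the inline box. `count_direction --sport` returning 0 is exactly the half-transparent state the reply diagnoses: client traffic reaches ATS, origin replies do not.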
