Thank you :). I tried to follow your advice.
1. Changed records.config correctly: `8080:tr-full`
2. Flushed iptables and added the rules:

sudo iptables -t mangle -N DIVERT
sudo iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
sudo iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 80 -j TPROXY --on-port 8080 --on-ip 0.0.0.0 --tproxy-mark 0x1/0x1
sudo iptables -t mangle -A DIVERT -j MARK --set-xmark 0x1/0xffffffff
sudo iptables -t mangle -A DIVERT -j ACCEPT

*IPTABLES*
*/opt/ts/bin$ sudo iptables --list -t mangle*
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DIVERT     tcp  --  anywhere             anywhere             socket
TPROXY     tcp  --  anywhere             anywhere             tcp dpt:http TPROXY redirect 0.0.0.0:8080 mark 0x1/0x1

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

Chain DIVERT (1 references)
target     prot opt source               destination
MARK       all  --  anywhere             anywhere             MARK set 0x1
ACCEPT     all  --  anywhere             anywhere

sudo ip rule add fwmark 1 lookup 100

*/opt/ts/bin$ ip rule show*
0:      from all lookup local
32765:  from all fwmark 0x1 lookup 100
32766:  from all lookup main
32767:  from all lookup default

I can't ping outside from an intranet client. Did I follow the steps correctly?

Best Regards,
Jaden.
2017-01-24 17:01 GMT+09:00 Muhammad Faisal <[email protected]>:
> Hi,
> Here is how the iptables should be if you have compiled ATS with
> transparent proxy support:
>
> Assuming you have used port 8080 for ATS:
>
> :DIVERT - [0:0]
> -A PREROUTING -p tcp -m socket -j DIVERT
> -A PREROUTING -p tcp -m tcp --dport 80 -j TPROXY --on-port 8080 --on-ip 0.0.0.0 --tproxy-mark 0x1/0x1
> -A DIVERT -j MARK --set-xmark 0x1/0xffffffff
> -A DIVERT -j ACCEPT
>
> [root <at> ats ~]# ip rule show
> 0:      from all lookup local
> 32765:  from all fwmark 0x1 lookup 100
> 32766:  from all lookup main
> 32767:  from all lookup default
>
> ATS config:
> ############################################################################
> # Specify server addresses and ports to bind for HTTP and HTTPS. Docs:
> # https://docs.trafficserver.apache.org/records.config#proxy-config-http-server-ports
> ############################################################################
> CONFIG proxy.config.http.server_ports STRING 8080:tr-full
>
> Building ATS for transparency — Apache Traffic Server 4.2.3 documentation
> <https://docs.trafficserver.apache.org/en/4.2.x/admin/transparent-proxy/build.en.html>
>
> Inline on a Linux router — Apache Traffic Server 5.3.2 documentation
> <https://docs.trafficserver.apache.org/en/5.3.x/admin/transparent-proxy/router-inline.en.html>
>
> Regards,
> Faisal.
>
> ------------------------------
> *From:* Rebirthing <[email protected]>
> *To:* [email protected]
> *Sent:* Tuesday, January 24, 2017 12:45 PM
> *Subject:* Problem on Transparent-Proxy Configuration
>
> Hello. My name is Jaden, a developer in Korea.
>
> I'm trying to configure a Router-ATS transparent proxy.
> But it doesn't work and I couldn't figure out the problem.
> Please help me.
>
> -Environments-
> OS : Ubuntu 16.04
> ATS Version : Latest
> Network Topology :
> Internet ----- (ens33, 192.168.75.0/24) : ATS : (ens35, 172.16.113.0/24) ---- Intranet
>
> iptables setting :
> # iptables -t nat -A POSTROUTING -o ens33 -j MASQUERADE
> # iptables -A FORWARD -i ens33 -o ens35 -m state --state RELATED,ESTABLISHED -j ACCEPT
> # iptables -A FORWARD -i ens35 -o ens33 -j ACCEPT
>
> # iptables -t mangle -A PREROUTING -i ens35 -p tcp -m tcp --dport 80 -j TPROXY --on-ip 0.0.0.0 --on-port 8080 --tproxy-mark 1/1
> # iptables -t mangle -A PREROUTING -i ens33 --source 192.168.75.0/24 -j ACCEPT
> # iptables -t mangle -A PREROUTING -i ens33 --destination 192.168.75.0/24 -j ACCEPT
> # iptables -t mangle -A PREROUTING -i eth33 -p tcp -m tcp --sport 80 -j MARK --set-mark 1/1
> # ip rule add fwmark 1/1 table 1
> # ip route add local 0.0.0.0/0 dev lo table 1
>
> I checked the packets with Wireshark. Only TCP packets didn't pass through.
> DNS querying is working but TCP is not.
> Could you help me?
> Thank you.
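The thread above shows three separate pieces of a TPROXY setup: the mangle-table DIVERT/TPROXY rules, the fwmark policy rule, and (only in the original message) the `local` route in the fwmark table that actually delivers marked packets to the proxy socket. The script below is an added example, not code from the thread or from the Apache Traffic Server project. It emits the complete set (mangle rules in iptables-restore format plus the policy-routing commands) and can check live `ip route` / `iptables-save` output for the two pieces that are easiest to leave out. The interface name ens35, proxy port 8080, mark 0x1 and routing table 100 are taken from the thread; the `apply`/`check` modes, the environment-variable overrides and the interface restriction on the TPROXY rule are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): emit and verify a TPROXY setup for a
# transparent proxy on a Linux router. Assumed values: LAN interface ens35,
# proxy port 8080, fwmark 0x1, routing table 100.

LAN_IF="${LAN_IF:-ens35}"
ATS_PORT="${ATS_PORT:-8080}"
MARK="0x1"
TABLE="100"

# Mangle-table rules in iptables-restore format. Matching on the LAN
# interface limits diversion to intranet clients, so port-80 traffic
# arriving on the WAN side is never handed to the proxy.
tproxy_mangle_rules() {
    cat <<EOF
*mangle
:DIVERT - [0:0]
-A PREROUTING -p tcp -m socket -j DIVERT
-A PREROUTING -i ${LAN_IF} -p tcp -m tcp --dport 80 -j TPROXY --on-port ${ATS_PORT} --on-ip 0.0.0.0 --tproxy-mark ${MARK}/${MARK}
-A DIVERT -j MARK --set-xmark ${MARK}/0xffffffff
-A DIVERT -j ACCEPT
COMMIT
EOF
}

# Policy routing: marked packets look up table ${TABLE}, and the local
# route there delivers them to the listening TPROXY socket instead of
# forwarding them. Without that route the mark changes nothing.
policy_routing_cmds() {
    cat <<EOF
ip rule add fwmark ${MARK} lookup ${TABLE}
ip route add local 0.0.0.0/0 dev lo table ${TABLE}
sysctl -w net.ipv4.ip_forward=1
EOF
}

# Read `ip route show table N` output on stdin; succeed if the local
# route to lo is present (iproute2 prints 0.0.0.0/0 as "default").
has_local_route() {
    grep -Eq '^local (default|0\.0\.0\.0/0) dev lo'
}

# Read `iptables-save -t mangle` output on stdin; succeed if a TPROXY
# rule targets the configured proxy port.
has_tproxy_rule() {
    grep -Eq -- "-j TPROXY --on-port ${ATS_PORT} "
}

case "${1:-}" in
    apply)
        tproxy_mangle_rules | iptables-restore --noflush
        policy_routing_cmds | sh -e
        ;;
    check)
        ip route show table "${TABLE}" | has_local_route \
            || echo "missing local route in table ${TABLE}"
        iptables-save -t mangle | has_tproxy_rule \
            || echo "missing TPROXY rule for port ${ATS_PORT}"
        ;;
    *)
        # Default: print what `apply` would install, for review.
        tproxy_mangle_rules
        policy_routing_cmds
        ;;
esac
```

Running the script with no argument prints the rules for review; `check` runs the two verifications against the live system, which is the quickest way to tell whether the fwmark table is missing its local route, the piece dropped between the original message and the follow-up in the thread.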
