Hello, the issue is more related to iptables, not ATS, apparently. I don't know
exactly your network setup, but if you have the following:
[Internet]-----eth1 192.168.1.109/24-----[ATS]--eth0-----[LAN Hosts 192.168.2.0/24]
IP forwarding should be enabled in case you want to use the ATS machine as your
internet GW as well as an inline deployment. Then you would need to set up the NAT
correctly first and later configure for TPROXYing:
echo 1 > /proc/sys/net/ipv4/ip_forward

iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain
iptables -t nat -A POSTROUTING -s 192.168.2.0/24 -o eth1 -j SNAT --to 192.168.1.109
iptables -A FORWARD -i eth0 -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
Adjust according to your setup and verify the NAT is working correctly. Better
to google it, as this list is primarily for ATS-related questions.
Regards, Faisal.

 
      From: Rebirthing <[email protected]>
 To: [email protected]; Muhammad Faisal <[email protected]> 
 Sent: Tuesday, January 24, 2017 2:20 PM
 Subject: Re: Problem on Transparent-Proxy Configuration
   
Thank you :).
I tried to follow your advice.
1. Changed records.config correctly. `8080:tr-full`
2. Flushed iptables and added rules.
sudo iptables -t mangle -N DIVERT
sudo iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
sudo iptables -A PREROUTING -p tcp -m tcp --dport 80 -j TPROXY --on-port 8080 --on-ip 0.0.0.0 --tproxy-mark 0x1/0x1
sudo iptables -A DIVERT -j MARK --set-xmark 0x1/0xffffffff
sudo iptables -A DIVERT -j ACCEPT

IPTABLES
/opt/ts/bin$ sudo iptables --list -t mangle
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DIVERT     tcp  --  anywhere             anywhere             socket
TPROXY     tcp  --  anywhere             anywhere             tcp dpt:http TPROXY redirect 0.0.0.0:8080 mark 0x1/0x1

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

Chain DIVERT (1 references)
target     prot opt source               destination
MARK       all  --  anywhere             anywhere             MARK set 0x1
ACCEPT     all  --  anywhere             anywhere

sudo ip rule add fwmark 1 lookup 100

/opt/ts/bin$ ip rule show
0:      from all lookup local
32765:  from all fwmark 0x1 lookup 100
32766:  from all lookup main
32767:  from all lookup default

Can't ping outside from the intranet client.
Did I follow the steps correctly?


Best Regards.
Jaden.

2017-01-24 17:01 GMT+09:00 Muhammad Faisal <[email protected]>:

Hi,
Here is how the iptables rules should be if you have compiled ATS with
transparent proxy support:
Assuming you have used port 8080 for ATS
:DIVERT - [0:0]
-A PREROUTING -p tcp -m socket -j DIVERT
-A PREROUTING -p tcp -m tcp --dport 80 -j TPROXY --on-port 8080 --on-ip 0.0.0.0 --tproxy-mark 0x1/0x1
-A DIVERT -j MARK --set-xmark 0x1/0xffffffff
-A DIVERT -j ACCEPT

[root@ats ~]# ip rule show
0:      from all lookup local
32765:  from all fwmark 0x1 lookup 100
32766:  from all lookup main
32767:  from all lookup default

ATS config:
##############################################################################
# Specify server addresses and ports to bind for HTTP and HTTPS. Docs:
#    https://docs.trafficserver.apache.org/records.config#proxy-config-http-server-ports
##############################################################################
CONFIG proxy.config.http.server_ports STRING 8080:tr-full

Building ATS for transparency — Apache Traffic Server 4.2.3 documentation

  
Inline on a Linux router — Apache Traffic Server 5.3.2 documentation

  

Regards, Faisal.

 
      From: Rebirthing <[email protected]>
 To: [email protected] 
 Sent: Tuesday, January 24, 2017 12:45 PM
 Subject: Problem on Transparent-Proxy Configuration
  
Hello. My name is Jaden, a developer in Korea.
I'm trying to configure Router-ATS Transparent Proxy.
But it doesn't work and I couldn't figure out the problem.
Please help me.
-Environments-
OS : Ubuntu 16.04
ATS Version : Latest
Network Topology : Internet ----- (ens33, 192.168.75.0/24) : ATS : (ens35, 172.16.113.0/24) ---- Intranet
iptables setting:
# iptables -t nat -A POSTROUTING -o ens33 -j MASQUERADE
# iptables -A FORWARD -i ens33 -o ens35 -m state --state RELATED,ESTABLISHED -j ACCEPT
# iptables -A FORWARD -i ens35 -o ens33 -j ACCEPT
# iptables -t mangle -A PREROUTING -i ens35 -p tcp -m tcp --dport 80 -j TPROXY --on-ip 0.0.0.0 --on-port 8080 --tproxy-mark 1/1
# iptables -t mangle -A PREROUTING -i ens33 --source 192.168.75.0/24 -j ACCEPT
# iptables -t mangle -A PREROUTING -i ens33 --destination 192.168.75.0/24 -j ACCEPT
# iptables -t mangle -A PREROUTING -i eth33 -p tcp -m tcp --sport 80 -j MARK --set-mark 1/1
# ip rule add fwmark 1/1 table 1
# ip route add local 0.0.0.0/0 dev lo table 1
I checked the packets with Wireshark. Only TCP packets didn't pass through.
DNS querying is working but TCP is not.
Could you help me?
Thank you.

   
 



   
 
