It seems like it takes me a couple of days of fiddling each time I have to set up transparent mode.

Have you enabled ip_forward? Have you disabled rp_filter? Are you seeing Martian messages in your /var/log/messages?

On Sun, Jun 23, 2019, 7:23 PM Dk Jack <dnj0...@gmail.com> wrote:

> Hi,
> I am trying to test ATS in transparent proxy mode. I am using the inline
> Linux bridge mode. It doesn't seem to work even though I made the changes
> as specified in the ATS documentation. My configuration is shown below. The
> request seems to come to the bridge device; however, the packet is not
> making it up the stack to ATS. The device receives the TCP SYN, but it is
> not getting forwarded up the stack to ATS. Am I doing something wrong in my
> configuration or otherwise? Thanks for the help...
>
> Dk.
>
>
> ----- tshark output -----
>
> [root@testserver03 ~]# tshark -i eth1 port 80 -nn
> Running as user "root" and group "root". This could be dangerous.
> Capturing on 'eth1'
> 1 0.000000000 192.168.20.200 -> 192.168.20.50 TCP 74 54754 > 80 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=253488830 TSecr=0 WS=128
> 2 1.001891063 192.168.20.200 -> 192.168.20.50 TCP 74 [TCP Retransmission] 54754 > 80 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=253489832 TSecr=0 WS=128
> 3 3.005951357 192.168.20.200 -> 192.168.20.50 TCP 74 [TCP Retransmission] 54754 > 80 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=253491836 TSecr=0 WS=128
>
> ----- Config -----
> brctl addbr br0
> brctl stp br0 off
> brctl addif br0 eth1
> brctl addif br0 eth2
> ifconfig br0 0.0.0.0
> ifconfig eth1 0 0.0.0.0
> ifconfig eth2 0 0.0.0.0
> ifconfig br0 192.168.10.100 netmask 255.255.255.0 up
> ip route add default via 192.168.10.200
> ebtables -t broute -F
> ebtables -t broute -A BROUTING -p IPv4 --ip-proto tcp --ip-dport 80 -j redirect --redirect-target DROP
> ebtables -t broute -A BROUTING -p IPv4 --ip-proto tcp --ip-sport 80 -j redirect --redirect-target DROP
> iptables -t mangle -A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j TPROXY --on-ip 0.0.0.0 --on-port 8080 --tproxy-mark 1/1
> iptables -t mangle -A PREROUTING -i eth2 -p tcp -m tcp --sport 80 -j MARK --set-mark 1/1
> ip rule add fwmark 1/1 table 1
> ip route add local 0.0.0.0/0 dev lo table 1
>
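A small pre-flight check for the sysctl questions raised in the reply (ip_forward on, rp_filter off), as an added example that is not part of this thread or of ATS itself. It assumes the interface names from the quoted config (br0, eth1, eth2) and reads from /proc/sys unless SYSCTL_ROOT points at another tree (useful for testing offline against a constructed copy).

```shell
#!/bin/sh
# Pre-flight check for an inline-bridge transparent proxy using TPROXY.
# Added example (hypothetical helper, not from the thread). SYSCTL_ROOT is an
# assumption: it defaults to /proc/sys and can be pointed at a constructed tree.
SYSCTL_ROOT="${SYSCTL_ROOT:-/proc/sys}"

# read_sysctl <relative path>: print the value, or "missing" if the key is absent.
read_sysctl() {
    f="$SYSCTL_ROOT/$1"
    if [ -r "$f" ]; then cat "$f"; else echo missing; fi
}

# check_forwarding_sysctls [iface ...]: require net.ipv4.ip_forward=1 and
# rp_filter=0 on "all" plus every named interface (the kernel applies the
# stricter of conf/all and conf/<iface>, so both must be 0 for TPROXY'd
# bridged traffic not to be discarded as martians). Prints one line per
# setting; the return value is the number of settings that are wrong.
check_forwarding_sysctls() {
    bad=0
    v=$(read_sysctl net/ipv4/ip_forward)
    if [ "$v" = 1 ]; then
        echo "ok  net.ipv4.ip_forward=$v"
    else
        echo "BAD net.ipv4.ip_forward=$v (want 1)"
        bad=$((bad + 1))
    fi
    for i in all "$@"; do
        v=$(read_sysctl "net/ipv4/conf/$i/rp_filter")
        if [ "$v" = 0 ]; then
            echo "ok  net.ipv4.conf.$i.rp_filter=$v"
        else
            echo "BAD net.ipv4.conf.$i.rp_filter=$v (want 0)"
            bad=$((bad + 1))
        fi
    done
    return $bad
}

# Usage: sh preflight.sh br0 eth1 eth2   (exit status = number of BAD settings)
[ $# -eq 0 ] || check_forwarding_sysctls "$@"
```

A non-zero exit status means at least one setting would explain SYNs arriving at the bridge but never reaching the proxy, and the BAD lines name which ones.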