Hi All,
Can someone take a look at the iptables trace below and see if I am making
an error with my ATS linux bridge mode configuration? I've been trying to
configure ATS in linux bridge mode but have been unsuccessful. I think I've
followed the documentation to the dot. However, the packets are not making
it up the linux stack.  Any insight is really appreciated... thanks.

Dk.

OS: CentOS 7.6

Jul  2 22:43:05 localhost kernel: TRACE: raw:PREROUTING:policy:2 IN=enp2s0 OUT= MAC=00:30:18:08:06:e8:0c:c4:7a:b5:be:eb:08:00 SRC=192.168.10.200 DST=192.168.10.50 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=61384 DF PROTO=TCP SPT=38720 DPT=80 SEQ=1391248160 ACK=0 WINDOW=29200 RES=0x00 SYN URGP=0 OPT (020405B40402080A19FF2CE80000000001030307)
Jul  2 22:43:05 localhost kernel: TRACE: mangle:PREROUTING:rule:1 IN=enp2s0 OUT= MAC=00:30:18:08:06:e8:0c:c4:7a:b5:be:eb:08:00 SRC=192.168.10.200 DST=192.168.10.50 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=61384 DF PROTO=TCP SPT=38720 DPT=80 SEQ=1391248160 ACK=0 WINDOW=29200 RES=0x00 SYN URGP=0 OPT (020405B40402080A19FF2CE80000000001030307)

Bridge tables:
[root@localhost log]# ebtables -t broute -L
Bridge table: broute

Bridge chain: BROUTING, entries: 2, policy: ACCEPT
-p IPv4 --ip-proto tcp --ip-dport 80 -j redirect  --redirect-target DROP
-p IPv4 --ip-proto tcp --ip-sport 80 -j redirect  --redirect-target DROP
[root@localhost log]#

iptables:

[root@localhost log]# iptables -t mangle -L -n --line-numbers
Chain PREROUTING (policy ACCEPT)
num  target     prot opt source               destination
1    TPROXY     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80 TPROXY redirect 0.0.0.0:8080 mark 0x1/0x1
2    MARK       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp spt:80 MARK or 0x1

Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
num  target     prot opt source               destination


All commands:
brctl addbr br0
brctl stp br0 off
brctl addif br0 enp2s0
brctl addif br0 enp1s0f3
ifconfig enp2s0 0 0.0.0.0
ifconfig enp1s0f3 0 0.0.0.0
ifconfig br0 0.0.0.0
ifconfig br0 192.168.150.150 netmask 255.255.255.0 up
ebtables -t broute -F
ebtables -t broute -A BROUTING -p IPv4 --ip-proto tcp --ip-dport 80 -j redirect --redirect-target DROP
ebtables -t broute -A BROUTING -p IPv4 --ip-proto tcp --ip-sport 80 -j redirect --redirect-target DROP
iptables -t mangle -A PREROUTING -i enp2s0 -p tcp -m tcp --dport 80 -j TPROXY --on-ip 0.0.0.0 --on-port 8080 --tproxy-mark 1/1
iptables -t mangle -A PREROUTING -i enp1s0f3 -p tcp -m tcp --sport 80 -j MARK --set-mark 1/1
ip rule add fwmark 1/1 table 1
ip route add local 0.0.0.0/0 dev lo table 1

On Mon, Jun 24, 2019 at 4:49 PM Dk Jack <dnj0...@gmail.com> wrote:

> I disabled rp_filter. However, I see no change in behavior. The kernel
> seems to be dropping it after picking it up from the interface. I can see
> the SYN when I do tcpdump on the physical interface. However, I don't see
> it on the bridge interface (br0). Not sure if that offers a clue. I flushed
> all the filters as recommended in the debug section. Still no luck...
>
> On Mon, Jun 24, 2019 at 10:45 AM Dk Jack <dnj0...@gmail.com> wrote:
>
>> Ah! Yeah, I think you are talking about the reverse path filter. I remember
>> checking for it. But I'll check again.
>>
>> Dk.
>>
>> > On Jun 24, 2019, at 8:31 AM, SUSAN HINRICHS <shinr...@ieee.org> wrote:
>> >
>> > Rp_filter is a reverse proxy filter. If enabled, which it is by default,
>> > it will drop packets that show up on unexpected interfaces. May not be an
>> > issue in the bridge case, but something to look into.
>> >
>> >> On Sun, Jun 23, 2019, 11:54 PM Dk Jack <dnj0...@gmail.com> wrote:
>> >>
>> >> Hi Susan,
>> >> yes, I've enabled ip_forward. What's an rp_filter? Haven't checked
>> >> /var/log/messages...
>> >>
>> >> Bhasker.
>> >>
>> >>> On Sun, Jun 23, 2019 at 8:01 PM SUSAN HINRICHS <shinr...@ieee.org> wrote:
>> >>>
>> >>> It seems like it takes me a couple days of fiddling each time I have
>> >>> to set up transparent mode.
>> >>>
>> >>> Have you enabled ip_forward? Have you disabled rp_filter? Are you
>> >>> seeing Martian messages in your /var/log/messages?
>> >>>
>> >>>> On Sun, Jun 23, 2019, 7:23 PM Dk Jack <dnj0...@gmail.com> wrote:
>> >>>>
>> >>>> Hi,
>> >>>> I am trying to test ATS in transparent proxy mode. I am using the
>> >>>> inline linux bridge mode. It doesn't seem to work even though I made
>> >>>> the changes as specified in the ATS documentation. My configuration is
>> >>>> shown below. The request seems to come to the bridge device; however,
>> >>>> the packet is not making it up the stack to ATS. The device receives
>> >>>> the TCP SYN; however, it's not getting forwarded up the stack to ATS.
>> >>>> Am I doing something wrong in my configuration or otherwise? Thanks
>> >>>> for the help...
>> >>>>
>> >>>> Dk.
>> >>>>
>> >>>>
>> >>>> ----- tshark output ----
>> >>>>
>> >>>> [root@testserver03 ~]# tshark -i eth1 port 80 -nn
>> >>>> Running as user "root" and group "root". This could be dangerous.
>> >>>> Capturing on 'eth1'
>> >>>>  1 0.000000000 192.168.20.200 -> 192.168.20.50 TCP 74 54754 > 80 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=253488830 TSecr=0 WS=128
>> >>>>  2 1.001891063 192.168.20.200 -> 192.168.20.50 TCP 74 [TCP Retransmission] 54754 > 80 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=253489832 TSecr=0 WS=128
>> >>>>  3 3.005951357 192.168.20.200 -> 192.168.20.50 TCP 74 [TCP Retransmission] 54754 > 80 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=253491836 TSecr=0 WS=128
>> >>>>
>> >>>> ----- Config -----
>> >>>> brctl addbr br0
>> >>>> brctl stp br0 off
>> >>>> brctl addif br0 eth1
>> >>>> brctl addif br0 eth2
>> >>>> ifconfig br0 0.0.0.0
>> >>>> ifconfig eth1 0 0.0.0.0
>> >>>> ifconfig eth2 0 0.0.0.0
>> >>>> ifconfig br0 192.168.10.100 netmask 255.255.255.0 up
>> >>>> ip route add default via 192.168.10.200
>> >>>> ebtables -t broute -F
>> >>>> ebtables -t broute -A BROUTING -p IPv4 --ip-proto tcp --ip-dport 80 -j redirect --redirect-target DROP
>> >>>> ebtables -t broute -A BROUTING -p IPv4 --ip-proto tcp --ip-sport 80 -j redirect --redirect-target DROP
>> >>>> iptables -t mangle -A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j TPROXY --on-ip 0.0.0.0 --on-port 8080 --tproxy-mark 1/1
>> >>>> iptables -t mangle -A PREROUTING -i eth2 -p tcp -m tcp --sport 80 -j MARK --set-mark 1/1
>> >>>> ip rule add fwmark 1/1 table 1
>> >>>> ip route add local 0.0.0.0/0 dev lo table 1
>> >>>>
>> >>>
>> >>
>>
>
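Two troubleshooting helpers for the setup discussed in this thread, added here as an example and not taken from any of the posts or from the ATS documentation. The first collapses kernel TRACE log lines like the ones at the top of the thread into one line per packet, so the last table:chain a packet reached stands out: on the posted trace the path ends at mangle:PREROUTING:rule:1 (the TPROXY rule) with no INPUT or FORWARD chain after it, which places the loss between the mangle PREROUTING hook and the INPUT chains, where the routing decision sits, rather than in a later iptables rule. The second reads the sysctls the replies ask about (ip_forward, rp_filter, and log_martians as a debugging aid) from a /proc-style tree, so it runs here against a constructed fixture and on a live box when given an empty root. The bridge name br0, the fixture values and the constructed second packet in the sample are assumptions; the rule that the kernel applies the larger of conf/all/rp_filter and conf/<interface>/rp_filter is kernel behaviour, which is why both must be 0.

```shell
#!/bin/sh
# Two helpers for debugging a bridge-mode TPROXY setup (added example, not from the thread).
#  - trace_path:           collapse iptables TRACE log lines into one line per packet, listing
#                          every table:chain:verdict it passed and whether it reached INPUT/FORWARD.
#  - check_tproxy_sysctls: verify ip_forward and rp_filter (plus a log_martians hint) under a
#                          /proc-style tree; pass "" as the root to check the live system.

# Constructed sample input: the two TRACE lines from the post, rejoined onto one line each
# (OPT field dropped), plus a constructed second packet that is delivered locally.
SAMPLE_TRACE='Jul  2 22:43:05 localhost kernel: TRACE: raw:PREROUTING:policy:2 IN=enp2s0 OUT= MAC=00:30:18:08:06:e8:0c:c4:7a:b5:be:eb:08:00 SRC=192.168.10.200 DST=192.168.10.50 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=61384 DF PROTO=TCP SPT=38720 DPT=80 SEQ=1391248160 ACK=0 WINDOW=29200 RES=0x00 SYN URGP=0
Jul  2 22:43:05 localhost kernel: TRACE: mangle:PREROUTING:rule:1 IN=enp2s0 OUT= MAC=00:30:18:08:06:e8:0c:c4:7a:b5:be:eb:08:00 SRC=192.168.10.200 DST=192.168.10.50 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=61384 DF PROTO=TCP SPT=38720 DPT=80 SEQ=1391248160 ACK=0 WINDOW=29200 RES=0x00 SYN URGP=0
Jul  2 22:43:09 localhost kernel: TRACE: raw:PREROUTING:policy:2 IN=enp2s0 OUT= SRC=192.168.10.201 DST=192.168.10.50 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=7 DF PROTO=TCP SPT=40000 DPT=22 SEQ=1 ACK=0 WINDOW=29200 RES=0x00 SYN URGP=0
Jul  2 22:43:09 localhost kernel: TRACE: mangle:PREROUTING:policy:3 IN=enp2s0 OUT= SRC=192.168.10.201 DST=192.168.10.50 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=7 DF PROTO=TCP SPT=40000 DPT=22 SEQ=1 ACK=0 WINDOW=29200 RES=0x00 SYN URGP=0
Jul  2 22:43:09 localhost kernel: TRACE: mangle:INPUT:policy:1 IN=enp2s0 OUT= SRC=192.168.10.201 DST=192.168.10.50 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=7 DF PROTO=TCP SPT=40000 DPT=22 SEQ=1 ACK=0 WINDOW=29200 RES=0x00 SYN URGP=0
Jul  2 22:43:09 localhost kernel: TRACE: filter:INPUT:policy:1 IN=enp2s0 OUT= SRC=192.168.10.201 DST=192.168.10.50 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=7 DF PROTO=TCP SPT=40000 DPT=22 SEQ=1 ACK=0 WINDOW=29200 RES=0x00 SYN URGP=0'

trace_path() {
    # Reads TRACE lines on stdin; prints one line per packet:
    #   <src>:<spt> -> <dst>:<dpt> id=<ipid> | hop > hop > ... | delivered|forwarded|stopped-early
    awk '
    /kernel: TRACE: / {
        hop = ""; src = ""; dst = ""; spt = ""; dpt = ""; id = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "TRACE:")     hop = $(i + 1)      # table:chain:verdict:rulenum
            else if ($i ~ /^SRC=/)  src = substr($i, 5)
            else if ($i ~ /^DST=/)  dst = substr($i, 5)
            else if ($i ~ /^SPT=/)  spt = substr($i, 5)
            else if ($i ~ /^DPT=/)  dpt = substr($i, 5)
            else if ($i ~ /^ID=/)   id  = substr($i, 4)
        }
        key = src ":" spt " -> " dst ":" dpt " id=" id
        if (!(key in path)) { keys[++n] = key; path[key] = hop }
        else                { path[key] = path[key] " > " hop }
        # Reaching an INPUT or FORWARD chain means the packet survived the routing decision.
        if (hop ~ /^[a-z]+:INPUT:/)   verdict[key] = "delivered"
        if (hop ~ /^[a-z]+:FORWARD:/) verdict[key] = "forwarded"
    }
    END {
        for (k = 1; k <= n; k++) {
            key = keys[k]
            v = (key in verdict) ? verdict[key] : "stopped-early"
            print key " | " path[key] " | " v
        }
    }'
}

summarize_sample() {
    printf '%s\n' "$SAMPLE_TRACE" | trace_path
}

check_tproxy_sysctls() {
    # $1 = bridge interface, $2 = root of a /proc-style tree ("" for the live system).
    br=$1
    base="${2:-}/proc/sys/net/ipv4"
    rc=0
    if [ "$(cat "$base/ip_forward" 2>/dev/null)" != "1" ]; then
        echo "FAIL net.ipv4.ip_forward is not 1"; rc=1
    fi
    # Source validation uses max(conf/all/rp_filter, conf/<if>/rp_filter), so both must be 0.
    for scope in all "$br"; do
        v=$(cat "$base/conf/$scope/rp_filter" 2>/dev/null || echo missing)
        if [ "$v" != "0" ]; then
            echo "FAIL net.ipv4.conf.$scope.rp_filter is $v (needs 0)"; rc=1
        fi
    done
    # Not required, but with it on the kernel logs "martian source" for rp_filter drops.
    if [ "$(cat "$base/conf/all/log_martians" 2>/dev/null)" != "1" ]; then
        echo "HINT net.ipv4.conf.all.log_martians is not 1; set it to see drops in the kernel log"
    fi
    return $rc
}

make_fixture() {
    # Constructed /proc tree: forwarding on, br0 rp_filter off, but conf/all/rp_filter
    # still 1, the shape of a box where only the per-interface knob was changed.
    d=$(mktemp -d)
    mkdir -p "$d/proc/sys/net/ipv4/conf/all" "$d/proc/sys/net/ipv4/conf/br0"
    echo 1 > "$d/proc/sys/net/ipv4/ip_forward"
    echo 1 > "$d/proc/sys/net/ipv4/conf/all/rp_filter"
    echo 0 > "$d/proc/sys/net/ipv4/conf/br0/rp_filter"
    echo 0 > "$d/proc/sys/net/ipv4/conf/all/log_martians"
    echo "$d"
}

# Stand-alone run over the constructed data.
summarize_sample
fx=$(make_fixture)
check_tproxy_sysctls br0 "$fx" || echo "fixture does not meet the prerequisites (expected)"
rm -rf "$fx"
```

On a real host, feed `grep 'TRACE:' /var/log/messages | trace_path` after enabling a raw-table TRACE rule for the client's port, and run `check_tproxy_sysctls br0 ""` against the live /proc tree; a packet whose path ends in PREROUTING while the checks report an rp_filter value other than 0 is the combination the thread was circling around.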
