I'll try to take a look. Did the slides help at all?

On Tue, Jul 2, 2019 at 9:52 PM Dk Jack <dnj0...@gmail.com> wrote:

> Hi All,
> Can someone take a look at the iptables trace below and see if I am making an error with my ATS linux bridge mode configuration? I've been trying to configure ATS in linux bridge mode but have been unsuccessful. I think I've followed the documentation to the dot. However, the packets are not making it up the linux stack. Any insight is really appreciated... thanks.
>
> Dk.
>
> OS: Centos 7.6
>
> Jul 2 22:43:05 localhost kernel: TRACE: raw:PREROUTING:policy:2 IN=enp2s0 OUT= MAC=00:30:18:08:06:e8:0c:c4:7a:b5:be:eb:08:00 SRC=192.168.10.200 DST=192.168.10.50 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=61384 DF PROTO=TCP SPT=38720 DPT=80 SEQ=1391248160 ACK=0 WINDOW=29200 RES=0x00 SYN URGP=0 OPT (020405B40402080A19FF2CE80000000001030307)
> Jul 2 22:43:05 localhost kernel: TRACE: mangle:PREROUTING:rule:1 IN=enp2s0 OUT= MAC=00:30:18:08:06:e8:0c:c4:7a:b5:be:eb:08:00 SRC=192.168.10.200 DST=192.168.10.50 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=61384 DF PROTO=TCP SPT=38720 DPT=80 SEQ=1391248160 ACK=0 WINDOW=29200 RES=0x00 SYN URGP=0 OPT (020405B40402080A19FF2CE80000000001030307)
>
> Bridge tables:
> [root@localhost log]# ebtables -t broute -L
> Bridge table: broute
>
> Bridge chain: BROUTING, entries: 2, policy: ACCEPT
> -p IPv4 --ip-proto tcp --ip-dport 80 -j redirect --redirect-target DROP
> -p IPv4 --ip-proto tcp --ip-sport 80 -j redirect --redirect-target DROP
> [root@localhost log]#
>
> Ip tables:
>
> [root@localhost log]# iptables -t mangle -L -n --line-numbers
> Chain PREROUTING (policy ACCEPT)
> num  target  prot opt source      destination
> 1    TPROXY  tcp  --  0.0.0.0/0   0.0.0.0/0   tcp dpt:80 TPROXY redirect 0.0.0.0:8080 mark 0x1/0x1
> 2    MARK    tcp  --  0.0.0.0/0   0.0.0.0/0   tcp spt:80 MARK or 0x1
>
> Chain INPUT (policy ACCEPT)
> num  target  prot opt source      destination
>
> Chain FORWARD (policy ACCEPT)
> num  target  prot opt source      destination
>
> Chain OUTPUT (policy ACCEPT)
> num  target  prot opt source      destination
>
> Chain POSTROUTING (policy ACCEPT)
> num  target  prot opt source      destination
>
>
> All commands:
> brctl addbr br0
> brctl stp br0 off
> brctl addif br0 enp2s0
> brctl addif br0 enp1s0f3
> ifconfig enp2s0 0 0.0.0.0
> ifconfig enp1s0f3 0 0.0.0.0
> ifconfig br0 0.0.0.0
> ifconfig br0 192.168.150.150 netmask 255.255.255.0 up
> ebtables -t broute -F
> ebtables -t broute -A BROUTING -p IPv4 --ip-proto tcp --ip-dport 80 -j redirect --redirect-target DROP
> ebtables -t broute -A BROUTING -p IPv4 --ip-proto tcp --ip-sport 80 -j redirect --redirect-target DROP
> iptables -t mangle -A PREROUTING -i enp2s0 -p tcp -m tcp --dport 80 -j TPROXY --on-ip 0.0.0.0 --on-port 8080 --tproxy-mark 1/1
> iptables -t mangle -A PREROUTING -i enp1s0f3 -p tcp -m tcp --sport 80 -j MARK --set-mark 1/1
> ip rule add fwmark 1/1 table 1
> ip route add local 0.0.0.0/0 dev lo table 1
>
> On Mon, Jun 24, 2019 at 4:49 PM Dk Jack <dnj0...@gmail.com> wrote:
>
> > I disabled rp_filter. However, I see no change in behavior. The kernel seems to be dropping it after picking it up from the interface. I can see the SYN when I do tcpdump on the physical interface. However, I don't see it on the bridge interface (br0). Not sure if that offers a clue. I flushed all the filters as recommended in the debug section. Still no luck...
> >
> > On Mon, Jun 24, 2019 at 10:45 AM Dk Jack <dnj0...@gmail.com> wrote:
> >
> >> Ah! Yeah, I think you are talking about reverse path filter. I remember checking for it. But I’ll check again.
> >>
> >> Dk.
> >>
> >> > On Jun 24, 2019, at 8:31 AM, SUSAN HINRICHS <shinr...@ieee.org> wrote:
> >> >
> >> > Rp_filter is a reverse proxy filter. If enabled, which it is by default, it will drop packets that show up on unexpected interfaces. May not be an issue in the bridge case, but something to look into.
> >> >
> >> >> On Sun, Jun 23, 2019, 11:54 PM Dk Jack <dnj0...@gmail.com> wrote:
> >> >>
> >> >> Hi Susan,
> >> >> yes, I've enabled ip_forward. What's an rp_filter? Haven't checked /var/log/messages...
> >> >>
> >> >> Bhasker.
> >> >>
> >> >>> On Sun, Jun 23, 2019 at 8:01 PM SUSAN HINRICHS <shinr...@ieee.org> wrote:
> >> >>>
> >> >>> It seems like it takes me a couple days of fiddling each time I have to set up transparent mode.
> >> >>>
> >> >>> Have you enabled ip_forward? Have you disabled rp_filter? Are you seeing Martian messages in your /var/log/messages?
> >> >>>
> >> >>>> On Sun, Jun 23, 2019, 7:23 PM Dk Jack <dnj0...@gmail.com> wrote:
> >> >>>>
> >> >>>> Hi,
> >> >>>> I am trying to test ATS in transparent proxy mode. I am using the inline linux bridge mode. It doesn't seem to work even though I made the changes as specified in the ATS documentation. My configuration is shown below. The request seems to come to the bridge device, however, the packet is not making it up the stack to ATS. The device receives the TCP SYN, however, it's not getting forwarded up the stack to ATS. Am I doing something wrong in my configuration or otherwise? Thanks for the help...
> >> >>>>
> >> >>>> Dk.
> >> >>>>
> >> >>>> ----- tshark output ----
> >> >>>>
> >> >>>> [root@testserver03 ~]# tshark -i eth1 port 80 -nn
> >> >>>> Running as user "root" and group "root". This could be dangerous.
> >> >>>> Capturing on 'eth1'
> >> >>>> 1 0.000000000 192.168.20.200 -> 192.168.20.50 TCP 74 54754 > 80 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=253488830 TSecr=0 WS=128
> >> >>>> 2 1.001891063 192.168.20.200 -> 192.168.20.50 TCP 74 [TCP Retransmission] 54754 > 80 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=253489832 TSecr=0 WS=128
> >> >>>> 3 3.005951357 192.168.20.200 -> 192.168.20.50 TCP 74 [TCP Retransmission] 54754 > 80 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=253491836 TSecr=0 WS=128
> >> >>>>
> >> >>>> ----- Config -----
> >> >>>> brctl addbr br0
> >> >>>> brctl stp br0 off
> >> >>>> brctl addif br0 eth1
> >> >>>> brctl addif br0 eth2
> >> >>>> ifconfig br0 0.0.0.0
> >> >>>> ifconfig eth1 0 0.0.0.0
> >> >>>> ifconfig eth2 0 0.0.0.0
> >> >>>> ifconfig br0 192.168.10.100 netmask 255.255.255.0 up
> >> >>>> ip route add default via 192.168.10.200
> >> >>>> ebtables -t broute -F
> >> >>>> ebtables -t broute -A BROUTING -p IPv4 --ip-proto tcp --ip-dport 80 -j redirect --redirect-target DROP
> >> >>>> ebtables -t broute -A BROUTING -p IPv4 --ip-proto tcp --ip-sport 80 -j redirect --redirect-target DROP
> >> >>>> iptables -t mangle -A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j TPROXY --on-ip 0.0.0.0 --on-port 8080 --tproxy-mark 1/1
> >> >>>> iptables -t mangle -A PREROUTING -i eth2 -p tcp -m tcp --sport 80 -j MARK --set-mark 1/1
> >> >>>> ip rule add fwmark 1/1 table 1
> >> >>>> ip route add local 0.0.0.0/0 dev lo table 1
> >> >>>>
> >> >>>
> >> >>
> >> >
> >>
> >
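The iptables TRACE lines quoted in the thread above can be summarised per packet with the following script. This is an added example, not code from the thread or from Apache Traffic Server. It parses the `TRACE: table:chain:kind:num` token and the `key=value` fields that the TRACE target writes to the kernel log, groups entries by packet (source and destination address and port plus the IP ID) and reports the last hook at which each packet was seen and whether it ever reached an INPUT chain, which is where a packet handed to the local stack would next appear. The sample log is the two lines from the July 2 message plus one constructed non-TRACE line; the function names are the example's own.

```python
import re
from collections import OrderedDict

# Constructed sample: the two TRACE lines quoted in the July 2 message, plus one
# unrelated kernel log line (constructed) to show that non-TRACE lines are ignored.
SAMPLE_LOG = [
    "Jul 2 22:43:05 localhost kernel: TRACE: raw:PREROUTING:policy:2 IN=enp2s0 OUT= "
    "MAC=00:30:18:08:06:e8:0c:c4:7a:b5:be:eb:08:00 SRC=192.168.10.200 DST=192.168.10.50 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=61384 DF PROTO=TCP SPT=38720 DPT=80 "
    "SEQ=1391248160 ACK=0 WINDOW=29200 RES=0x00 SYN URGP=0 OPT (020405B40402080A19FF2CE80000000001030307)",
    "Jul 2 22:43:05 localhost kernel: TRACE: mangle:PREROUTING:rule:1 IN=enp2s0 OUT= "
    "MAC=00:30:18:08:06:e8:0c:c4:7a:b5:be:eb:08:00 SRC=192.168.10.200 DST=192.168.10.50 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=61384 DF PROTO=TCP SPT=38720 DPT=80 "
    "SEQ=1391248160 ACK=0 WINDOW=29200 RES=0x00 SYN URGP=0 OPT (020405B40402080A19FF2CE80000000001030307)",
    "Jul 2 22:43:06 localhost kernel: br0: port 1(enp2s0) entered forwarding state",
]

# "TRACE: table:chain:kind:rulenum" followed by the usual key=value packet fields.
TRACE_RE = re.compile(
    r"TRACE:\s+(?P<table>\w+):(?P<chain>\w+):(?P<kind>\w+):(?P<num>\d+)\s+(?P<fields>.*)$"
)
KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_trace(line):
    """Parse one TRACE line into a dict; return None for lines the TRACE target did not write."""
    m = TRACE_RE.search(line)
    if m is None:
        return None
    rec = {
        "table": m.group("table"),
        "chain": m.group("chain"),
        "kind": m.group("kind"),   # 'rule' = a rule matched, 'policy' = chain policy applied
        "num": int(m.group("num")),
    }
    # Remaining fields are key=value pairs; bare flags such as DF and SYN carry no '='
    rec.update(KV_RE.findall(m.group("fields")))
    return rec


def flow_key(rec):
    """Identify one packet: addresses, ports and the IP ID, so each retransmit is its own row."""
    return (rec.get("SRC"), rec.get("SPT"), rec.get("DST"), rec.get("DPT"), rec.get("ID"))


def trace_paths(lines):
    """Group TRACE lines by packet and return the ordered hops (table:chain:kind:num) each took."""
    paths = OrderedDict()
    for line in lines:
        rec = parse_trace(line)
        if rec is None:
            continue
        hop = "{table}:{chain}:{kind}:{num}".format(**rec)
        paths.setdefault(flow_key(rec), []).append(hop)
    return paths


def reached_local_delivery(path):
    """A packet handed to the local stack traverses an INPUT chain (mangle and/or filter)."""
    return any(":INPUT:" in hop for hop in path)


def summarize(lines):
    """One report row per packet: its full path, where it was last seen, and whether INPUT was reached."""
    rows = []
    for key, path in trace_paths(lines).items():
        rows.append({
            "src": "%s:%s" % (key[0], key[1]),
            "dst": "%s:%s" % (key[2], key[3]),
            "ip_id": key[4],
            "path": path,
            "last_seen": path[-1],
            "reached_input": reached_local_delivery(path),
        })
    return rows


if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG):
        status = "reached INPUT" if row["reached_input"] else "never reached INPUT"
        print("%s -> %s (id %s): %s; last seen at %s" % (
            row["src"], row["dst"], row["ip_id"], status, row["last_seen"]))
        for hop in row["path"]:
            print("    " + hop)
```

On the two quoted lines the report shows a single SYN whose path ends at `mangle:PREROUTING:rule:1`, i.e. it matched rule 1 of the mangle PREROUTING chain (the TPROXY rule in the listing in the same message) and no INPUT hop follows, which is the symptom described in the thread. Run against a full `/var/log/messages` the same grouping makes it easy to see whether any packet of a flow gets past PREROUTING at all.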