For iptables I've added those directives:

    iptables -t mangle -N DIVERT
    iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
    iptables -t mangle -A DIVERT -j MARK --set-mark 111
    iptables -t mangle -A DIVERT -j ACCEPT
    ip rule add fwmark 111 lookup 100
    ip route add local 0.0.0.0/0 dev lo table 100
And the output of "iptables -L -t mangle" is:

    Chain PREROUTING (policy ACCEPT)
    target     prot opt source               destination
    DIVERT     tcp  --  anywhere             anywhere             socket

    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination

    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination

    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination

    Chain POSTROUTING (policy ACCEPT)
    target     prot opt source               destination

    Chain DIVERT (1 references)
    target     prot opt source               destination
    MARK       all  --  anywhere             anywhere             MARK xset 0x6f/0xffffffff
    ACCEPT     all  --  anywhere             anywhere

Private network is on 192.168.0.XX (is an example).

Thanks,
Carlo

-----Original Message-----
From: Malcolm Turnbull [mailto:malc...@loadbalancer.org]
Sent: Monday 11 May 2009 13:12
To: Carlo Granisso
Cc: haproxy@formilux.org
Subject: Re: Transparent proxy

Carlo,

Sorry, got busy and forgot to post back to you. I was going to ask what's your output from:

    iptables -L -t mangle

    Chain PREROUTING (policy ACCEPT)
    target     prot opt source               destination
    MARK       tcp  --  192.168.2.0/24       anywhere             tcp dpt:http MARK set 0x1
    DIVERT     tcp  --  anywhere             anywhere             socket

Is the divert to socket in place?

2009/5/11 Carlo Granisso <c.grani...@dnshosting.it>
>
> Hello everybody, I have a problem with haproxy (1.3.17) and kernel 2.6.29.
>
> I have successfully recompiled my kernel with TPROXY modules and installed haproxy (compiled from source with the tproxy option enabled) and installed iptables 1.4.3 (which has the tproxy patch).
> Now I can't use the transparent proxy function: if I leave in haproxy.cfg this line "source 0.0.0.0 usesrc clientip", haproxy says "503 - Service unavailable".
> If I comment out the line, everything works fine (without transparent proxy).
>
> My situation:
>
> haproxy with two ethernet devices: the first one for the public IP, the second one for the private IP (192.168.XX.XX); two web servers with one ethernet each, connected to my private network.
>
> Have you got any ideas, or can you provide me with examples?
>
> Thanks,
>
> Carlo

--
Regards,

Malcolm Turnbull.

Loadbalancer.org Ltd.
Phone: +44 (0)870 443 8779
http://www.loadbalancer.org/
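A script that answers Malcolm's "is the divert to socket in place?" question by checking the pieces Carlo listed against each other (socket match into DIVERT, the mark DIVERT sets, an ip rule for that same fwmark into table 100, and the local route on lo). This is an added example, not code from the thread, HAProxy or Loadbalancer.org; the SAMPLE_* outputs are constructed from Carlo's rules, and the mark value 111 (0x6f) and the iproute2 output format are assumed.

```shell
#!/bin/sh
# Added example (not from the thread): verify the TPROXY divert plumbing.
# The three SAMPLE_* strings are constructed from the rules Carlo posted;
# on a real host pass the live command output instead (see the bottom).

SAMPLE_MANGLE='-P PREROUTING ACCEPT
-N DIVERT
-A PREROUTING -p tcp -m socket -j DIVERT
-A DIVERT -j MARK --set-xmark 0x6f/0xffffffff
-A DIVERT -j ACCEPT'
SAMPLE_RULES='0:      from all lookup local
32765:  from all fwmark 0x6f lookup 100
32766:  from all lookup main'
SAMPLE_TABLE100='local default dev lo scope host'

# check_tproxy MANGLE RULES TABLE100
# Prints every missing piece; returns the number of missing pieces (0 = complete).
check_tproxy() {
    mangle=$1; rules=$2; table=$3; missing=0
    printf '%s\n' "$mangle" | grep -q -- '^-A PREROUTING -p tcp -m socket -j DIVERT' \
        || { echo "missing: -A PREROUTING -p tcp -m socket -j DIVERT"; missing=$((missing+1)); }
    printf '%s\n' "$mangle" | grep -q -- '^-A DIVERT -j ACCEPT' \
        || { echo "missing: -A DIVERT -j ACCEPT"; missing=$((missing+1)); }
    # Extract the mark DIVERT sets; iptables -S prints --set-xmark 0x6f/0xffffffff for 111
    mark=$(printf '%s\n' "$mangle" \
        | sed -n 's/^-A DIVERT -j MARK --set-x*mark \(0x[0-9a-fA-F]*\).*/\1/p' | head -n 1)
    if [ -z "$mark" ]; then
        echo "missing: MARK rule in DIVERT chain"; missing=$((missing+1))
    else
        # ip rule prints the fwmark in hex, so the rule must carry the same hex value
        printf '%s\n' "$rules" | grep -q "fwmark $mark lookup 100" \
            || { echo "missing: ip rule fwmark $(printf '%d' "$mark") lookup 100 (mark $mark)"
                 missing=$((missing+1)); }
    fi
    printf '%s\n' "$table" | grep -Eq '^local (default|0\.0\.0\.0/0) dev lo' \
        || { echo "missing: ip route add local 0.0.0.0/0 dev lo table 100"; missing=$((missing+1)); }
    return "$missing"
}

# Constructed run; on a live box use:
#   check_tproxy "$(iptables -t mangle -S)" "$(ip rule)" "$(ip route show table 100)"
if check_tproxy "$SAMPLE_MANGLE" "$SAMPLE_RULES" "$SAMPLE_TABLE100"; then
    echo "TPROXY divert plumbing is in place"
fi
```

A mismatch between the mark set in DIVERT and the fwmark in the ip rule (0x1 in Malcolm's output versus 0x6f in Carlo's) is the kind of gap this reports.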