Mr. Alan,
I'm confused by your ebtables rules:
ebtables -t broute -A BROUTING -p IPv4 --ip-proto tcp --ip-dport 80 \
-j redirect --redirect-target DROP
ebtables -t broute -A BROUTING -p IPv4 --ip-proto tcp --ip-sport 80 \
-j redirect --redirect-target DROP
While others use:
ebtables -t broute -A BROUTING -p IPv4 --ip-proto tcp --ip-dport 80 \
-j redirect --redirect-target ACCEPT
ebtables -t broute -A BROUTING -p IPv4 --ip-proto tcp --ip-sport 80 \
-j redirect --redirect-target ACCEPT
Please advise.
Regards,
Alvin
On 24/05/2012 6:51, Alan M. Carroll wrote:
I would use just server_ports for all port description information. It was put
in to do precisely that.
For iptables, a "--set-mark 0x1/0x1 -j ACCEPT" is effectively the same as your
DIVERT chain.
I don't use the "-m socket" because once a stream is established normal routing
will handle it. My iptables basically has two rules, one for --sport and one for --dport.
Thursday, May 24, 2012, 1:13:20 AM, you wrote:
Thanks Alan.
Are there any alternative ways to implement it without redundancy so that I can
compare and see what can be removed? How do you suggest I implement it?
Thanks & Regards
Saraswathi Venkataraman | Xoriant Solutions Pvt. Ltd.
Winchester, Hiranandani Business Park, Powai, Mumbai 400076, INDIA.
Tel: +91 22 30511000 | Ext: 1113 | http://www.xoriant.com
-----Original Message-----
From: Alan M. Carroll [mailto:[email protected]]
Sent: Wednesday, May 23, 2012 8:55 PM
To: Saraswathi Venkataraman
Subject: Re: Configuring traffic server on transparent proxy mode.
The use of server_port and server_other_ports is deprecated. You should use server_ports
only, with "8080:tr-full". However, the change was made so that those options should
still work, although they will be removed in a future release. You should not under any
circumstances use both server_port & server_other_ports and server_ports, that can cause
port conflicts.
You are marking packets and using routing table 100. Do you define rules for
table 100? Also, it looks like your divert chain marks packets the same way as
your --dport rule. But if it works, then it's correct.
Wednesday, May 23, 2012, 8:18:24 AM, you wrote:
Finally resolved it this way: It got configured on tproxy mode
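A configuration check drawn from Alan's warning about mixing the deprecated server_port/server_other_ports options with server_ports. This is an added example, not code from the thread or from Traffic Server itself; it assumes the usual records.config line format shown in the comment and the proxy.config.http.* key names, and treats any "tr-" attribute on server_ports as the transparency marker.

```shell
#!/bin/sh
# Added example: lint an Apache Traffic Server records.config for the
# deprecated server_port/server_other_ports options being combined with
# server_ports, which causes port conflicts.
# Assumed line format (one CONFIG entry per line):
#   CONFIG proxy.config.http.server_ports STRING 8080:tr-full
# Exit status of check_ats_ports:
#   0 ok: server_ports set with a tr-* transparency attribute
#   1 only the deprecated keys are set (migrate to server_ports)
#   2 conflict: server_ports set together with a deprecated key
#   3 server_ports set but without any tr-* attribute (not transparent)

ats_conf_value() {
    # Print the value of one CONFIG key in a records.config file (empty if unset).
    # Comment lines start with '#', so they never match $1 == "CONFIG".
    awk -v key="$2" '$1 == "CONFIG" && $2 == key { $1 = $2 = $3 = ""; sub(/^ +/, ""); print }' "$1"
}

check_ats_ports() {
    old=$(ats_conf_value "$1" proxy.config.http.server_port)
    old_other=$(ats_conf_value "$1" proxy.config.http.server_other_ports)
    new=$(ats_conf_value "$1" proxy.config.http.server_ports)
    if [ -n "$old" ] || [ -n "$old_other" ]; then deprecated=1; else deprecated=0; fi
    if [ -n "$new" ] && [ "$deprecated" -eq 1 ]; then
        echo "$1: CONFLICT: server_ports is combined with deprecated server_port/server_other_ports" >&2
        return 2
    fi
    if [ -z "$new" ]; then
        if [ "$deprecated" -eq 1 ]; then
            echo "$1: WARN: only deprecated port options in use; move them into server_ports" >&2
            return 1
        fi
        echo "$1: NOTE: no server_ports entry; default listener is not transparent" >&2
        return 3
    fi
    case "$new" in
        *tr-*) return 0 ;;
        *) echo "$1: NOTE: server_ports has no tr-* attribute (e.g. 8080:tr-full)" >&2; return 3 ;;
    esac
}

# Demo on a constructed records.config fragment using the thread's recommended setting.
demo_conf=$(mktemp)
printf 'CONFIG proxy.config.http.server_ports STRING 8080:tr-full\n' > "$demo_conf"
check_ats_ports "$demo_conf" && echo "ok: transparent server_ports in $demo_conf"
rm -f "$demo_conf"
```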