Hi all, I have attached the procedure I have used to install ATS as a transparent proxy on a Linux bridge using CentOS.
I expect there is a better way to do it, but I have sent this in the hope that it can assist someone or at least be a starting point for some documentation for others to use. I will be doing a similar one for use with Ubuntu but would welcome any comments on it.

--
Kieron Robertson
Man and Machine
Mail: [email protected]
Cell: 083 309 3538
Scenario:

Firewall:10.0.0.1 <--> eth0:[ATS TPROXY Bridge (br0=10.0.0.200)]:eth1 <--> clients:10.0.0.x/24

Hardware used for the test setup:
- Atom D2700 (dual core, 2.13GHz, x64 capable)
- 4GB RAM
- 160GB SATA drive
- 2 x Broadcom 57788 PCIe 1GB NIC

Install CentOS (I used 6.4 x64) and choose "Basic Server" in the install options. Once it completes, update the distribution using yum update.

Check the dependencies as mentioned on https://cwiki.apache.org/confluence/display/TS/CentOS

The following packages should be installed:
# yum install gcc gcc-c++ pkgconfig pcre-devel tcl-devel expat-devel openssl-devel

On CentOS 6 you also need:
# yum install perl-ExtUtils-MakeMaker

It's also recommended that the following packages are installed, but they are not required (and they come pre-installed on many systems):
# yum install libcap libcap-devel hwloc hwloc-devel

For building out of source, you also need:
# yum install autoconf automake libtool

I recommend installing all of them to cover all test scenarios.

Disable system-config-firewall:
# system-config-firewall-tui
Uncheck "Enabled" => OK

Disable SELinux:
# nano /etc/selinux/config
and change SELINUX=enforcing to SELINUX=disabled

Disable Zeroconf:
# nano /etc/sysconfig/network
and add the following:
NOZEROCONF=true

reboot.

I. Configure Network interfaces

# yum install bridge-utils

-Make bridge interface br0
# nano /etc/sysconfig/network-scripts/ifcfg-br0
DEVICE=br0
ONBOOT=yes
TYPE=Bridge
BOOTPROTO=static
IPADDR=10.0.0.200
NETMASK=255.255.255.0
GATEWAY=10.0.0.1
DNS1=10.0.0.1
DNS2=8.8.8.8
DNS3=8.8.4.4
Save and exit (ctrl o and then ctrl x)

-Setting interface eth0 with no IP
# nano /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
BOOTPROTO=none
# note that HWADDR and UUID are unique to your adapter and should already be inserted automatically
HWADDR=A2:AC:86:64:4C:D4
NM_CONTROLLED=yes
ONBOOT=yes
TYPE=Ethernet
UUID=cbe96c60-5467-4982-b884-b4aca07a995f
BRIDGE=br0
Save and exit (ctrl o and then ctrl x)

-Setting interface eth1 with no IP
# nano /etc/sysconfig/network-scripts/ifcfg-eth1
DEVICE=eth1
BOOTPROTO=none
# note that HWADDR and UUID are unique to your adapter and should already be inserted automatically
HWADDR=B6:49:8A:62:AD:92
NM_CONTROLLED=yes
ONBOOT=yes
TYPE=Ethernet
UUID=320472d8-755e-4192-b520-da6bc7e8ebb1
BRIDGE=br0
Save and exit (ctrl o and then ctrl x)

-Setting IP DNS:
# nano /etc/resolv.conf
nameserver 10.0.0.1
nameserver 8.8.8.8
Save and exit (ctrl o and then ctrl x)

-Setting /etc/hosts
# nano /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
10.0.0.200  cache.local cache
Save and exit (ctrl o and then ctrl x)

-Restart Network
# service network restart

Plug the device inline and make sure you can browse and ping through the bridge before continuing. If you can't get traffic through it right now, ATS is not going to work!!

III. Routing Configuration

The routing features in your kernel also need to be configured to enable correct handling of the intercepted packets, both arriving at and leaving your system.
-Routing Configuration if IPv4-only
# ip -f inet rule add fwmark 1 lookup 100
# ip -f inet route add local default dev lo table 100

-Routing Configuration if IPv6-only
# ip -f inet6 rule add fwmark 1 lookup 100
# ip -f inet6 route add local default dev eth0 table 100

-Put the above into rc.local so the commands run at boot. Only add IPv4 or IPv6; I haven't tested with IPv6 or with both, as I only have IPv4.
# nano /etc/rc.d/rc.local
IPv4:
ip -f inet rule add fwmark 1 lookup 100
ip -f inet route add local default dev lo table 100
IPv6:
ip -f inet6 rule add fwmark 1 lookup 100
ip -f inet6 route add local default dev eth0 table 100
Save and exit (ctrl o and then ctrl x)

Note: Every OS has different security restrictions and limitations around what you can do here.
-Some systems require that lo is the interface TPROXY uses.
-Some systems require that an ethN is the interface TPROXY uses.
-Some systems require that each receiving interface has its own unique table.
-Some OSes block multiple interfaces being linked to the table. You will see a rejected route when a second "ip -f inet route" is added to the table.
To erase the custom route entry, repeat the rule with del instead of add.

Add/edit the following in /etc/sysctl.conf (net.ipv4.ip_forward and net.ipv4.conf.default.rp_filter are already present; just change their values to 1 and 0 respectively):
# nano /etc/sysctl.conf
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.eth0.rp_filter = 0
net.ipv4.conf.eth1.rp_filter = 0
net.ipv4.conf.br0.rp_filter = 0
Save and exit (ctrl o and then ctrl x)

-iptables routing for the br0 device - enter each one on the command line and press enter after each one:
# iptables -t mangle -N DIVERT
# iptables -t mangle -A DIVERT -j MARK --set-mark 1
# iptables -t mangle -A DIVERT -j ACCEPT
# iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
# iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 8080

-Save the iptables rules, restart the service and make the service run at boot:
# service iptables save
# service iptables restart
# chkconfig iptables on

-Install ebtables:
# yum install ebtables

-Set up ebtables for IPv4 on a bridging device - enter each one on the command line and press enter after each one:
# ebtables -t broute -A BROUTING -i eth1 -p ipv4 --ip-proto tcp --ip-dport 80 -j redirect --redirect-target DROP
# ebtables -t broute -A BROUTING -i eth0 -p ipv4 --ip-proto tcp --ip-sport 80 -j redirect --redirect-target DROP

-Set up ebtables for IPv6 on a bridging device - enter each one on the command line and press enter after each one:
# ebtables -t broute -A BROUTING -i eth1 -p ipv6 --ip6-proto tcp --ip6-dport 80 -j redirect --redirect-target DROP
# ebtables -t broute -A BROUTING -i eth0 -p ipv6 --ip6-proto tcp --ip6-sport 80 -j redirect --redirect-target DROP

-Save the ebtables rules, restart the service and make the service run at boot:
# service ebtables save
# service ebtables restart
# chkconfig ebtables on

reboot.
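After the reboot it is easy to miss a rule that was typed but not saved before "service iptables save" or "service ebtables save" ran; a missing ebtables return-path rule or a missing fwmark rule leaves port-80 traffic silently bridged past ATS or black-holed. The script below is an added example, not part of the original post: it scans the text of iptables-save, ebtables-save, "ip rule show" and "ip route show table 100" for each entry the procedure requires and reports what is absent. It assumes the post's values (eth0/eth1, port 80 intercepted to 8080, mark 0x1, table 100) and ships with a constructed sample copied from the expected output so it can be exercised without root; run it with the argument "live" on the bridge itself.

```shell
#!/bin/sh
# check_tproxy_plumbing.sh -- added example, not part of the original post.
# Verifies the TPROXY bridge plumbing by checking saved/live command output
# for the entries the procedure needs. Assumed values: eth0 (firewall side),
# eth1 (client side), port 80 -> 8080, fwmark 0x1, routing table 100.

# require TEXT PATTERN LABEL
# Returns 0 when some line of TEXT matches the extended regex PATTERN;
# otherwise prints a MISSING line with LABEL and returns 1.
require() {
    if printf '%s\n' "$1" | grep -Eq -- "$2"; then
        return 0
    fi
    echo "MISSING ($3): $2"
    return 1
}

# check_tproxy_plumbing IPTABLES_TEXT EBTABLES_TEXT IPRULE_TEXT TABLE100_TEXT
# Prints one line per missing item; returns 0 only when everything is present.
check_tproxy_plumbing() {
    missing=0
    # mangle table: divert packets that already belong to a local socket,
    # and TPROXY new port-80 flows to the ATS port while marking them 0x1
    require "$1" '^\*mangle$' iptables || missing=$((missing + 1))
    require "$1" '^-A PREROUTING -p tcp -m socket -j DIVERT$' iptables || missing=$((missing + 1))
    require "$1" '^-A PREROUTING -p tcp .*--dport 80 -j TPROXY --on-port 8080 .*--tproxy-mark 0x1/0x1$' iptables || missing=$((missing + 1))
    require "$1" '^-A DIVERT -j MARK --set-xmark 0x1/0xffffffff$' iptables || missing=$((missing + 1))
    require "$1" '^-A DIVERT -j ACCEPT$' iptables || missing=$((missing + 1))
    # broute table: pull client->server port 80 and the server->client
    # return path off the bridge so they are routed (and intercepted) instead
    require "$2" '^-A BROUTING -p IPv4 -i eth1 --ip-proto tcp --ip-dport 80 -j redirect --redirect-target DROP$' ebtables || missing=$((missing + 1))
    require "$2" '^-A BROUTING -p IPv4 -i eth0 --ip-proto tcp --ip-sport 80 -j redirect --redirect-target DROP$' ebtables || missing=$((missing + 1))
    # policy routing: marked packets consult table 100, which delivers locally
    require "$3" 'from all fwmark 0x1 lookup 100' 'ip rule' || missing=$((missing + 1))
    require "$4" '^local default dev lo' 'ip route table 100' || missing=$((missing + 1))
    [ "$missing" -eq 0 ]
}

# check_live_system runs the real commands (needs root) and feeds them in.
check_live_system() {
    check_tproxy_plumbing "$(iptables-save)" "$(ebtables-save)" \
        "$(ip rule show)" "$(ip route show table 100)"
}

# Constructed sample input, copied from the expected output in the post,
# so the checker can be exercised on any machine.
SAMPLE_IPT='*mangle
:PREROUTING ACCEPT [36:5086]
:DIVERT - [0:0]
-A PREROUTING -p tcp -m socket -j DIVERT
-A PREROUTING -p tcp -m tcp --dport 80 -j TPROXY --on-port 8080 --on-ip 0.0.0.0 --tproxy-mark 0x1/0x1
-A DIVERT -j MARK --set-xmark 0x1/0xffffffff
-A DIVERT -j ACCEPT
COMMIT'
SAMPLE_EBT='*broute
:BROUTING ACCEPT
-A BROUTING -p IPv4 -i eth1 --ip-proto tcp --ip-dport 80 -j redirect --redirect-target DROP
-A BROUTING -p IPv4 -i eth0 --ip-proto tcp --ip-sport 80 -j redirect --redirect-target DROP'
SAMPLE_RULE='0:      from all lookup local
32765:  from all fwmark 0x1 lookup 100
32766:  from all lookup main
32767:  from all lookup default'
SAMPLE_T100='local default dev lo  scope host'

# Constructed failure case: the return-path ebtables rule was never saved.
SAMPLE_EBT_BROKEN='*broute
:BROUTING ACCEPT
-A BROUTING -p IPv4 -i eth1 --ip-proto tcp --ip-dport 80 -j redirect --redirect-target DROP'

check_sample() { check_tproxy_plumbing "$SAMPLE_IPT" "$SAMPLE_EBT" "$SAMPLE_RULE" "$SAMPLE_T100"; }
check_broken_sample() { check_tproxy_plumbing "$SAMPLE_IPT" "$SAMPLE_EBT_BROKEN" "$SAMPLE_RULE" "$SAMPLE_T100"; }

# Usage: "sh check_tproxy_plumbing.sh live" on the bridge; without an
# argument it only runs the constructed sample.
if [ "${1:-}" = "live" ]; then check_live_system; else check_sample; fi
```

The patterns are anchored to the normalised form iptables-save prints (for example "--set-xmark 0x1/0xffffffff" rather than the "--set-mark 1" that was typed), which is why the check reads the saved output instead of the commands you entered.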
Run the commands shown below; the outputs should match your system:

[root@ats ~]# iptables-save
# Generated by iptables-save v1.4.7 on Tue May 6 10:47:25 2014
*mangle
:PREROUTING ACCEPT [36:5086]
:INPUT ACCEPT [79:10318]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [44:6569]
:POSTROUTING ACCEPT [44:6569]
:DIVERT - [0:0]
-A PREROUTING -p tcp -m socket -j DIVERT
-A PREROUTING -p tcp -m tcp --dport 80 -j TPROXY --on-port 8080 --on-ip 0.0.0.0 --tproxy-mark 0x1/0x1
-A DIVERT -j MARK --set-xmark 0x1/0xffffffff
-A DIVERT -j ACCEPT
COMMIT
# Completed on Tue May 6 10:47:25 2014

[root@ats ~]# ebtables-save
# Generated by ebtables-save v1.0 on Tue May 6 10:48:05 SAST 2014
*broute
:BROUTING ACCEPT
-A BROUTING -p IPv4 -i eth1 --ip-proto tcp --ip-dport 80 -j redirect --redirect-target DROP
-A BROUTING -p IPv4 -i eth0 --ip-proto tcp --ip-sport 80 -j redirect --redirect-target DROP

[root@ats ~]# ip route show
10.0.0.0/24 dev br0  proto kernel  scope link  src 10.0.0.150
default via 10.0.0.1 dev br0

[root@ats ~]# ip route show table 100
local default dev lo  scope host

[root@ats ~]# ip rule show
0:      from all lookup local
32765:  from all fwmark 0x1 lookup 100
32766:  from all lookup main
32767:  from all lookup default

Now all the plumbing is installed, let's install ATS!

Download Apache Traffic Server:
# wget http://mirror.reverse.net/pub/apache/trafficserver/trafficserver-4.2.1.tar.bz2

5. Extract the source:
# tar xf trafficserver-4.2.1.tar.bz2

6. cd to the directory:
# cd trafficserver-4.2.1

7. Start the install process:
# ./configure

8. Run make:
# make
9. Install the package:
# sudo make install

Edit the records.config file in /usr/local/etc/trafficserver and set the following options before running ATS:
# nano /usr/local/etc/trafficserver/records.config
Find the following lines and change them to the values below:
CONFIG proxy.config.http.server_ports STRING 8080:ipv4:tr-full
CONFIG proxy.config.cluster.ethernet_interface STRING br0
CONFIG proxy.config.reverse_proxy.enabled INT 0
CONFIG proxy.config.url_remap.remap_required INT 0
Save and exit.

Change the default cache size by editing the following:
# nano /usr/local/etc/trafficserver/storage.config
and change the default 256M cache to whatever size you choose.

Traffic Server is now installed and can be started/stopped with the following commands:
# /usr/local/bin/trafficserver start
# /usr/local/bin/trafficserver stop

Refer to the following site for further setup and tweaking:
https://cwiki.apache.org/confluence/display/TS/Installation+and+Configuration

References:
http://www.toyaseta.com/squid-tproxy-bridge-centos-6-3.html
various ATS docs on the web
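The four records.config changes above are the ones that turn a default ATS build into a transparent forward proxy; if any of them is left at its default the listener is not transparent (no tr-full), or every request is rejected for lacking a remap rule. The script below is an added example, not part of the original post or of Traffic Server: it applies the same four settings with a function that rewrites an existing CONFIG line or appends it when absent, so the edit can be repeated on a rebuilt box without leaving duplicate lines. The /usr/local path is assumed from the post's install prefix; pass a different file as the first argument.

```shell
#!/bin/sh
# set_tproxy_records.sh -- added example, not part of the original post or
# of Traffic Server. Scripts the records.config edits for the TPROXY setup.

# set_record FILE NAME TYPE VALUE
# Replaces the existing "CONFIG NAME TYPE oldvalue" line in FILE, or appends
# the line if NAME is not present yet. Rerunning it leaves exactly one line.
set_record() {
    file=$1; name=$2; type=$3; value=$4
    # Escape the dots in the record name so grep/sed treat them literally.
    pat=$(printf '%s' "$name" | sed 's/\./\\./g')
    if grep -q "^CONFIG $pat " "$file"; then
        sed "s|^CONFIG $pat .*|CONFIG $name $type $value|" "$file" > "$file.tmp" \
            && mv "$file.tmp" "$file"
    else
        printf 'CONFIG %s %s %s\n' "$name" "$type" "$value" >> "$file"
    fi
}

# apply_tproxy_records [FILE]
# The settings from the post: listen on 8080 as a fully transparent (tr-full)
# IPv4 port, use br0 as the cluster interface, and run as a forward proxy
# that does not require a remap rule for each request. FILE defaults to the
# /usr/local prefix used in the post (assumed).
apply_tproxy_records() {
    f=${1:-/usr/local/etc/trafficserver/records.config}
    set_record "$f" proxy.config.http.server_ports STRING 8080:ipv4:tr-full
    set_record "$f" proxy.config.cluster.ethernet_interface STRING br0
    set_record "$f" proxy.config.reverse_proxy.enabled INT 0
    set_record "$f" proxy.config.url_remap.remap_required INT 0
}

# show_record FILE NAME prints the current CONFIG line for NAME.
show_record() {
    grep "^CONFIG $2 " "$1"
}

# Usage: sh set_tproxy_records.sh /usr/local/etc/trafficserver/records.config
# (only runs when a file is given, so sourcing the script changes nothing)
if [ -n "${1:-}" ]; then
    apply_tproxy_records "$1"
    for r in proxy.config.http.server_ports proxy.config.cluster.ethernet_interface \
             proxy.config.reverse_proxy.enabled proxy.config.url_remap.remap_required; do
        show_record "$1" "$r"
    done
fi
```

Because set_record matches on the record name rather than on the old value, it works whether the shipped default is "8080" or something a previous edit left behind; the sed substitution keeps the rest of the file untouched and the temp-file-then-mv step avoids a half-written records.config if the script is interrupted.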
