I want to correct a previous mistake: Wireshark can capture HTTP SYN packets and retransmissions on ethernet enp14s0, but no SYN-ACK packets.
2015-11-19 15:12 GMT+08:00 Wayne Zhang <[email protected]>:
> hi all,
>
> the ATS version is 6.0.0.
> the layer 3 switch is a Huawei S3928TP-SI brand.
>
> the topology is:
> client PC to port 1,
> ATS server to port 2,
> router to port 3.
>
> here are the main steps of configuring the switch:
>
> #define acl 3001 to intercept port 80 traffic to the internet
> acl number 3001
> description client traffic to ATS server
> rule 0 permit TCP destination-port eq www
>
> #define acl 3011 to intercept port 80 traffic from the internet
> acl number 3011
> description internet traffic to ATS server
> rule 0 permit TCP source-port eq www
>
> #apply acl 3001 at ethernet port 1, redirect traffic to the internet to port 2
> interface Ethernet 1/0/1
> traffic-redirect inbound ip-group 3001 interface Ethernet 1/0/2
>
> #apply acl 3011 at ethernet port 3, redirect the traffic from the internet to port 2
> interface Ethernet 1/0/3
> traffic-redirect inbound ip-group 3011 interface Ethernet 1/0/2
>
> the related config values in record.config:
>
> proxy.config.reverse_proxy.enabled INT 1
> proxy.config.url_remap.remap_required INT 0
> proxy.config.http.server_ports STRING 8080:ipv4:tr-full
>
> my script for setting up before the ATS server starts:
>
> #!/bin/sh
> ETH0=enp14s0
>
> echo 1 > /proc/sys/net/ipv4/ip_forward
> echo 0 > /proc/sys/net/ipv4/conf/$ETH0/rp_filter
>
> ip rule delete fwmark 1/1 > /dev/null 2>&1
> ip rule add fwmark 1/1 table 1
> ip route add local 0/0 dev lo table 1
>
> iptables -t mangle --flush PREROUTING
> iptables -t mangle -A PREROUTING -i $ETH0 -p tcp -m tcp --dport 80 -j TPROXY --on-ip 0.0.0.0 --on-port 8080 --tproxy-mark 1/1
> iptables -t mangle -A PREROUTING -i $ETH0 -p tcp -m tcp --sport 80 -j MARK --set-mark 1/1
>
> iptables -t filter --flush FORWARD
> iptables -t filter --flush INPUT
>
> the result:
> visiting websites from the client browser times out, which means that traffic interception at the switch works.
> the 3 processes traffic_cop, traffic_manager and traffic_server can be seen using "ps aux" on the ATS server.
> there is no access log output using "traffic_logcat squid.log".
> no http packets on ethernet enp14s0 or loopback can be captured using wireshark.
>
> any debugging advice?
> thanks in advance.
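The following check script is an added example, not part of the thread and not from the ATS project. It verifies, against the output of `ip rule show`, `ip route show table 1`, `iptables-save -t mangle` and the two rp_filter sysctls, the kernel-side prerequisites that the quoted setup script configures for a `tr-full` (TPROXY) listener. The interface name, mark 1/1, table 1 and port 8080 are taken from the quoted script; the sample command outputs embedded below are constructed, not captured from any host. One check goes beyond the quoted script: it also reads `conf/all/rp_filter`, because the kernel applies the larger of the `all` and per-interface values, so clearing only the per-interface sysctl leaves strict reverse-path filtering in effect when `all` is still 1.

```shell
#!/bin/sh
# tproxy-check.sh: verify the Linux prerequisites for ATS tr-full (TPROXY)
# interception. Every check takes the text of one command's output as an
# argument, so it can be run offline against captured output; "--live"
# feeds it the real commands. Assumptions (mirroring the quoted script):
# interface enp14s0, mark 0x1/0x1, routing table 1, ATS listening on 8080.

ETH=enp14s0

# 1. Packets carrying mark 0x1 must be looked up in table 1.
#    Expected in `ip rule show`:  "32765: from all fwmark 0x1/0x1 lookup 1"
has_fwmark_rule() {
    printf '%s\n' "$1" | grep -Eq 'fwmark 0x1(/0x1)?[[:space:]]+lookup 1($|[^0-9])'
}

# 2. Table 1 must deliver every destination to the local stack; otherwise a
#    SYN addressed to a foreign IP is forwarded instead of reaching the socket.
#    Expected in `ip route show table 1`:  "local default dev lo scope host"
has_local_default_route() {
    printf '%s\n' "$1" | grep -Eq '^local default dev lo'
}

# 3. The mangle/PREROUTING TPROXY rule must divert port-80 SYNs from $ETH to
#    8080 and set the mark that check 1 routes on.
has_tproxy_rule() {
    line=$(printf '%s\n' "$1" | grep -E -- "-A PREROUTING -i $ETH .*--dport 80 .*-j TPROXY")
    [ -n "$line" ] &&
    printf '%s\n' "$line" | grep -q -- '--on-port 8080' &&
    printf '%s\n' "$line" | grep -q -- '--tproxy-mark 0x1/0x1'
}

# 4. Replies from origin servers (sport 80) arrive addressed to the client IP
#    that ATS bound transparently; they need the same mark to reach table 1.
#    iptables-save renders "--set-mark 1/1" as "--set-xmark 0x1/0x1".
has_return_mark_rule() {
    printf '%s\n' "$1" | grep -E -- "-A PREROUTING -i $ETH .*--sport 80 .*-j MARK" |
        grep -q '0x1/0x1'
}

# 5. The kernel uses max(conf/all/rp_filter, conf/$ETH/rp_filter). Strict
#    mode (1) drops packets whose source is not routed via the ingress
#    interface; loose mode (2) and off (0) both let the intercepted traffic in.
rp_filter_ok() {   # $1 = conf/all/rp_filter, $2 = conf/$ETH/rp_filter
    eff=$1
    if [ "$2" -gt "$eff" ]; then eff=$2; fi
    [ "$eff" -ne 1 ]
}

# Run all checks; diagnostics go to stderr, the failure count to stdout.
run_all() {   # $1 ip rule, $2 table-1 routes, $3 mangle save, $4 rp_filter all, $5 rp_filter iface
    fails=0
    has_fwmark_rule "$1"         || { echo "FAIL: no 'fwmark 0x1/0x1 lookup 1' policy rule" >&2; fails=$((fails+1)); }
    has_local_default_route "$2" || { echo "FAIL: table 1 lacks 'local default dev lo'" >&2; fails=$((fails+1)); }
    has_tproxy_rule "$3"         || { echo "FAIL: no TPROXY rule --dport 80 -> 8080 with mark 0x1/0x1 on $ETH" >&2; fails=$((fails+1)); }
    has_return_mark_rule "$3"    || { echo "FAIL: no MARK 0x1/0x1 rule for --sport 80 on $ETH" >&2; fails=$((fails+1)); }
    rp_filter_ok "$4" "$5"       || { echo "FAIL: effective rp_filter is strict (all=$4, $ETH=$5)" >&2; fails=$((fails+1)); }
    echo "$fails"
}

# Constructed sample outputs of a correctly configured host (not captured).
GOOD_RULES='0:      from all lookup local
32765:  from all fwmark 0x1/0x1 lookup 1
32766:  from all lookup main'
GOOD_TABLE1='local default dev lo scope host'
GOOD_MANGLE='*mangle
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i enp14s0 -p tcp -m tcp --dport 80 -j TPROXY --on-port 8080 --on-ip 0.0.0.0 --tproxy-mark 0x1/0x1
-A PREROUTING -i enp14s0 -p tcp -m tcp --sport 80 -j MARK --set-xmark 0x1/0x1
COMMIT'

case "${1:-}" in
    --live)
        n=$(run_all "$(ip rule show)" "$(ip route show table 1)" \
                    "$(iptables-save -t mangle)" \
                    "$(cat /proc/sys/net/ipv4/conf/all/rp_filter)" \
                    "$(cat /proc/sys/net/ipv4/conf/$ETH/rp_filter)")
        echo "$n prerequisite check(s) failed" ;;
    *)
        n=$(run_all "$GOOD_RULES" "$GOOD_TABLE1" "$GOOD_MANGLE" 0 0)
        echo "$n prerequisite check(s) failed against the constructed samples" ;;
esac
```

Run it as `sh tproxy-check.sh --live` on the ATS host (as root, since `iptables-save` needs it); without arguments it only exercises the constructed samples. A SYN seen on the interface but never answered is consistent with any of the five checks failing, since in each case the SYN is either forwarded onward or dropped before a local socket sees it, which is why the script reports every failure rather than stopping at the first.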
