So you see the SYN from the client hit the ATS server? But the ATS machine doesn't respond with the SYN-ACK?

As a start and on the ATS machine can you try listening on all interfaces?

tcpdump -ni any port 80 or port 8080

On Fri, Nov 20, 2015 at 2:43 AM, Wayne Zhang <[email protected]> wrote:
> I want to correct a previous mistake, Wireshark can get http SYN packets
> and retransmission on ethernet enp14s0, but no SYN ACK packets.
>
> 2015-11-19 15:12 GMT+08:00 Wayne Zhang <[email protected]>:
>
>> hi all,
>>
>> the ATS version is 6.0.0.
>> the layer 3 switch is a Huawei S3928TP-SI brand.
>>
>> the topology is:
>> client PC to port 1,
>> ATS server to port 2,
>> router to port 3.
>>
>> here are the main steps of configuring the switch:
>>
>> #define acl 3001 to intercept 80 port traffic to internet
>> acl number 3001
>> description client traffic to ATS server
>> rule 0 permit TCP destination-port eq www
>>
>> #define acl 3011 to intercept 80 port traffic from internet
>> acl number 3011
>> description internet traffic to ATS server
>> rule 0 permit TCP source-port eq www
>>
>> #apply acl 3001 at ethernet port 1, redirect traffic to internet to port 2
>> interface Ethernet 1/0/1
>> traffic-redirect inbound ip-group 3001 interface Ethernet 1/0/2
>>
>> #apply acl 3011 at ethernet port 3, redirect the traffic from internet to port 2
>> interface Ethernet 1/0/3
>> traffic-redirect inbound ip-group 3011 interface Ethernet 1/0/2
>>
>> the related config values in records.config:
>>
>> proxy.config.reverse_proxy.enabled INT 1
>> proxy.config.url_remap.remap_required INT 0
>> proxy.config.http.server_ports STRING 8080:ipv4:tr-full
>>
>> my script for setting up before the ATS server starts:
>>
>> #!/bin/sh
>> ETH0=enp14s0
>>
>> echo 1 > /proc/sys/net/ipv4/ip_forward
>> echo 0 > /proc/sys/net/ipv4/conf/$ETH0/rp_filter
>>
>> ip rule delete fwmark 1/1 > /dev/null 2>&1
>> ip rule add fwmark 1/1 table 1
>> ip route add local 0/0 dev lo table 1
>>
>> iptables -t mangle --flush PREROUTING
>> iptables -t mangle -A PREROUTING -i $ETH0 -p tcp -m tcp --dport 80 -j TPROXY --on-ip 0.0.0.0 --on-port 8080 --tproxy-mark 1/1
>> iptables -t mangle -A PREROUTING -i $ETH0 -p tcp -m tcp --sport 80 -j MARK --set-mark 1/1
>>
>> iptables -t filter --flush FORWARD
>> iptables -t filter --flush INPUT
>>
>> the result:
>> visiting websites at the client browser gets a timeout, meaning that traffic
>> intercepting at the switch works.
>> the 3 processes traffic_cop, traffic_manager and traffic_server can
>> be seen using "ps aux" on the ATS server.
>> there is no access log print using "traffic_logcat squid.log"
>> no http packets on ethernet enp14s0 or loopback can be grabbed
>> using wireshark.
>>
>> any debug advice?
>> thanks in advance.
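A host-side check for the prerequisites the quoted setup script configures, added here as an example and not code from the thread or from the ATS project; it assumes interface enp14s0, fwmark 1/1, --on-port 8080 and the iproute2/iptables-save output formats shown in its constructed sample, and its rp_filter check relies on the kernel using the larger of conf/all and the per-interface value.

```shell
#!/bin/sh
# Added check, not from the thread: verify the host-side TPROXY prerequisites that
# the quoted setup script configures. check_tproxy_prereqs takes the values as text
# so it can run over captured output; collect_live feeds it the running host's values.
# Assumptions: interface enp14s0, fwmark 1/1, --on-port 8080, and the iproute2 /
# iptables-save output formats shown in the constructed sample for this example.

ETH0=${ETH0:-enp14s0}

# check_tproxy_prereqs IP_FORWARD RPF_ALL RPF_IF "ip rule show" "ip route show table 1" "iptables-save -t mangle"
# Prints one line per missing piece; the return value is the number of problems (0 = all present).
check_tproxy_prereqs() {
    fwd=$1; rpf_all=$2; rpf_if=$3; rules=$4; routes=$5; mangle=$6
    n=0
    [ "$fwd" = 1 ] || { echo "ip_forward=$fwd, need 1"; n=$((n+1)); }
    # The kernel uses max(conf/all, conf/$ETH0) for rp_filter: the setup script clears
    # only the interface value, which has no effect while conf/all is still non-zero.
    if [ "$rpf_all" != 0 ] || [ "$rpf_if" != 0 ]; then
        echo "rp_filter all=$rpf_all $ETH0=$rpf_if, both need 0"; n=$((n+1))
    fi
    printf '%s\n' "$rules" | grep -q 'fwmark 0x1/0x1 lookup 1' \
        || { echo "missing: ip rule add fwmark 1/1 table 1"; n=$((n+1)); }
    printf '%s\n' "$routes" | grep -q '^local default dev lo' \
        || { echo "missing: ip route add local 0/0 dev lo table 1"; n=$((n+1)); }
    printf '%s\n' "$mangle" | grep -q -- \
        "-i $ETH0 -p tcp -m tcp --dport 80 -j TPROXY .*--on-port 8080 .*--tproxy-mark 0x1/0x1" \
        || { echo "missing: TPROXY rule dport 80 -> on-port 8080 mark 1/1 on $ETH0"; n=$((n+1)); }
    printf '%s\n' "$mangle" | grep -q -- "-i $ETH0 -p tcp -m tcp --sport 80 -j MARK --set-xmark 0x1/0x1" \
        || { echo "missing: MARK rule for --sport 80 (origin replies are not routed to lo)"; n=$((n+1)); }
    return "$n"
}

# collect_live: read the same values from this host (needs root) and run the check.
collect_live() {
    check_tproxy_prereqs \
        "$(cat /proc/sys/net/ipv4/ip_forward)" \
        "$(cat /proc/sys/net/ipv4/conf/all/rp_filter)" \
        "$(cat "/proc/sys/net/ipv4/conf/$ETH0/rp_filter")" \
        "$(ip rule show)" "$(ip route show table 1)" "$(iptables-save -t mangle)"
}

if [ "${1:-}" = "--live" ]; then collect_live; fi
```

Run it as `sh check_tproxy.sh --live` on the ATS host; a non-zero exit code with the printed lines names the missing pieces before any packet capture is needed.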
