*Hi Alan,*
The output is as follows:

[root@ATS ~]# ip route show table 100
local default dev lo  scope host


*IPtables rules showing increasing packet counts:*

# Generated by iptables-save v1.4.7 on Tue Jan 26 11:09:34 2016
*mangle
:PREROUTING ACCEPT [1601:195856]
:INPUT ACCEPT [1853:208672]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1588:275561]
:POSTROUTING ACCEPT [1588:275561]
:DIVERT - [0:0]
[1853:208672] -A PREROUTING -j LOG --log-prefix " Towards_ATS " --log-level 7
[252:12816] -A PREROUTING -i em2 -p tcp -m tcp --dport 80 -j TPROXY --on-port 8080 --on-ip 0.0.0.0 --tproxy-mark 0x1/0x1
[712:36656] -A PREROUTING -i em1 -p tcp -m tcp --sport 80 -j MARK --set-xmark 0x1/0x1
COMMIT
# Completed on Tue Jan 26 11:09:34 2016
[root@wc01 ~]# iptables-save -c
# Generated by iptables-save v1.4.7 on Tue Jan 26 11:09:35 2016
*mangle
:PREROUTING ACCEPT [1618:196819]
:INPUT ACCEPT [1873:209787]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1604:277388]
:POSTROUTING ACCEPT [1604:277388]
:DIVERT - [0:0]
[1873:209787] -A PREROUTING -j LOG --log-prefix " Towards_ATS " --log-level 7
[255:12968] -A PREROUTING -i em2 -p tcp -m tcp --dport 80 -j TPROXY --on-port 8080 --on-ip 0.0.0.0 --tproxy-mark 0x1/0x1
[722:37168] -A PREROUTING -i em1 -p tcp -m tcp --sport 80 -j MARK --set-xmark 0x1/0x1
COMMIT
# Completed on Tue Jan 26 11:09:35 2016


On 1/26/2016 12:06 AM, Alan Carroll wrote:
Two recommendations:

What is the output of

ip route show table 100

Also you should look at the iptables rule counts to see if those rules are being hit at all.


On Monday, January 25, 2016 12:50 PM, Muhammad Faisal <[email protected]> wrote:


*Update:*
When I flush ebtables, the HTTP browsing starts via the bridge. But when I put the rules below in place, browsing stops:

ebtables -t broute -A BROUTING -i em2 -p ipv4 --ip-proto tcp --ip-dport 80 -j redirect --redirect-target DROP
ebtables -t broute -A BROUTING -i em1 -p ipv4 --ip-proto tcp --ip-sport 80 -j redirect --redirect-target DROP

I tried logging on both rules and can see packets are being processed, but the iptables rule logs are empty. Any clue? I have upgraded the kernel to 4.4, but it is still the same situation.

Thanks

On 1/25/2016 11:12 PM, Muhammad Faisal wrote:
*Hi Alan,*
Thanks for your response. I went through your presentation (YouTube video + slides) indeed before starting configuration. It enhanced my understanding of ATS. However, I found another straightforward step-by-step process at this location, which I followed: http://apache-traffic-server.24303.n7.nabble.com/attachment/1638/0/ATS%20on%20Centos.txt

When i remove ebtables rules the http browsing starts. Any suggestions?

The output of traffic.out has nothing special; it seems no traffic is processed by ATS (using the latest stable release, 6.0). Please see below.

*traffic.out *
traffic_server: using root directory '/usr/local'
/usr/local/bin/trafficserver restart
[traffic_server: Terminated (Signal sent by kill() 4771 0)TrafficManager] ==> Cleaning up and reissuing signal #15
[E. Mgmt] log ==> [TrafficManager] using root directory '/usr/local'
traffic_server: using root directory '/usr/local'


*/etc/sysctl.conf*
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.eth0.rp_filter = 0
net.ipv4.conf.eth1.rp_filter = 0
net.ipv4.conf.br0.rp_filter = 0
*IPTABLES rules in your ApacheCon ppt:*
iptables -t mangle -A PREROUTING -i em2 -p tcp -m tcp --dport 80 -j TPROXY \
    --on-ip 0.0.0.0 --on-port 8080 --tproxy-mark 0x1/0x1
iptables -t mangle -A PREROUTING -i em1 -p tcp -m tcp --sport 80 -j MARK \
    --set-mark 0x1/0x1
*This is what i have applied on the server:*
============================================
iptables -t mangle -N DIVERT
iptables -t mangle -A DIVERT -j LOG --log-prefix ' Towards_ATS ' --log-level 7
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 8080
===========================================



On 1/25/2016 8:55 PM, Alan Carroll wrote:
Your configuration to enable debugging is correct but there is no point in
adding it to traffic_logstat, it will have no effect. The debug output should
be placed in the var/log/trafficserver/traffic.out file.

I need to check my notes (it's been a while since I worked with this) but I
think your iptables rules should be interface dependent (as with ebtables) to
allow packets to escape after going through ATS. I also don't recall using
divert.


Did you set the /etc/sysctl.conf value?

You might find this interesting -
https://www.dropbox.com/sh/h7erczfbt8ug8kn/cMyk4ukVSg?m  - it's a presentation 
on transparent proxy.
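As an added example for readers of this thread (not code from the thread and not Apache Traffic Server's own code): the pieces discussed above, the policy route behind `ip route show table 100`, the ebtables broute diversion, the interface-dependent mangle rules from Alan's slides, and the rule-counter check he recommends, assembled into one POSIX shell script. The interface names em1/em2/br0, fwmark 0x1, routing table 100 and ATS port 8080 are taken from the thread and are assumptions to adapt; `counter_delta` takes two `iptables-save -c` snapshots like the ones posted and reports which rules gained packets between them and which sat idle.

```shell
#!/bin/sh
# Added example (not from the thread, not Apache Traffic Server code): the
# transparent-bridge TPROXY setup the thread is debugging, wired together in
# one place, plus the rule-counter check Alan suggests. em1/em2/br0, mark 0x1,
# table 100 and port 8080 mirror the thread; all of them are assumptions to
# adapt to your own host.
set -eu

RUN="${RUN:-echo}"        # dry-run by default; run with RUN= to apply for real
IN_IF="${IN_IF:-em2}"     # bridge port facing the clients
OUT_IF="${OUT_IF:-em1}"   # bridge port facing the origin servers
BR_IF="${BR_IF:-br0}"     # the bridge device itself
MARK=0x1                  # fwmark shared by TPROXY, MARK and the ip rule
TABLE=100                 # routing table whose only route is "local default"
ATS_PORT=8080             # port ATS listens on for intercepted connections

# 1. Reverse-path filtering drops the odd-looking packets a transparent proxy
#    produces. Set it per interface that is actually in use: the sysctl.conf in
#    the thread names eth0/eth1 while the rules use em1/em2.
disable_rp_filter() {
    for dev in all default "$IN_IF" "$OUT_IF" "$BR_IF"; do
        $RUN sysctl -w "net.ipv4.conf.$dev.rp_filter=0"
    done
    $RUN sysctl -w net.ipv4.ip_forward=1
}

# 2. Policy routing: a packet carrying the fwmark is delivered locally whatever
#    its destination address. Afterwards `ip route show table 100` prints
#    exactly "local default dev lo scope host", as in the thread.
tproxy_routing() {
    $RUN ip rule add fwmark "$MARK" lookup "$TABLE"
    $RUN ip route add local 0.0.0.0/0 dev lo table "$TABLE"
}

# 3. ebtables: lift TCP/80 frames out of the bridge into the IP stack so the
#    mangle table sees them; everything else stays switched at layer 2.
bridge_divert() {
    $RUN ebtables -t broute -A BROUTING -i "$IN_IF" -p ipv4 --ip-proto tcp \
        --ip-dport 80 -j redirect --redirect-target DROP
    $RUN ebtables -t broute -A BROUTING -i "$OUT_IF" -p ipv4 --ip-proto tcp \
        --ip-sport 80 -j redirect --redirect-target DROP
}

# 4. iptables, interface-dependent as Alan recommends: client requests on the
#    inside port go to ATS via TPROXY; origin replies on the outside port are
#    only marked, so rule 2 routes them to the transparent socket ATS opened.
mangle_rules() {
    $RUN iptables -t mangle -A PREROUTING -i "$IN_IF" -p tcp -m tcp --dport 80 \
        -j TPROXY --on-ip 0.0.0.0 --on-port "$ATS_PORT" --tproxy-mark "$MARK/$MARK"
    $RUN iptables -t mangle -A PREROUTING -i "$OUT_IF" -p tcp -m tcp --sport 80 \
        -j MARK --set-xmark "$MARK/$MARK"
}

# 5. The check: diff two `iptables-save -c` snapshots and print, per rule,
#    HIT/IDLE and the packet delta. An IDLE TPROXY rule while the ebtables
#    counters climb means frames never reach the IP stack; a HIT TPROXY rule
#    with an idle ATS points at routing (step 2) or the ATS listener instead.
counter_delta() {
    awk '
        /^\[[0-9]+:[0-9]+\] -A / {
            split(substr($1, 2, length($1) - 2), c, ":")  # c[1]=pkts c[2]=bytes
            rule = substr($0, index($0, "] ") + 2)          # text after counters
            if (FNR == NR) { before[rule] = c[1]; next }    # still in snapshot 1
            d = c[1] - (rule in before ? before[rule] : 0)
            printf "%s\t%d\t%s\n", (d > 0 ? "HIT" : "IDLE"), d, rule
        }' "$1" "$2"
}

# Usage:  sh tproxy-bridge.sh setup          (prints the commands; RUN= applies)
#         iptables-save -c > before; sleep 10; iptables-save -c > after
#         sh tproxy-bridge.sh diff before after
case "${1:-}" in
    setup) disable_rp_filter; tproxy_routing; bridge_divert; mangle_rules ;;
    diff)  counter_delta "$2" "$3" ;;
esac
```

Run it with the default `RUN=echo` first and read the commands before applying anything. The script only covers the kernel side; ATS itself still has to be built with TPROXY support and listen with inbound transparency enabled on the port (the `tr-in`/`tr-full` option of `proxy.config.http.server_ports` described in the ATS transparent-proxy documentation), otherwise the TPROXY counters climb while traffic.out stays quiet, which is exactly the symptom in this thread.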
