Re: transparent proxy question

Hi Dk,

If I recall correctly, when using brouting the IP stack sees the
bridge as the incoming interface.
Try removing -i enp2s0 in your TPROXY rule to see if it helps (or use -i br0).
You can also get packet counters with iptables (-v) to validate that
packets hit your TPROXY rule.

Regards,
Gregory

On Tue, Jul 9, 2019 at 4:22 AM Dk Jack <dnj0496@xxxxxxxxx> wrote:
>
> Hi,
> I am trying to get my application to work in transparent proxy mode, i.e.
> in inline Linux bridge mode. I've configured my Linux system as shown at
> the end of the email. I've turned off rp_filters and enabled IP forwarding
> as suggested. I am following these instructions for Apache Traffic Server.
>
> https://docs.trafficserver.apache.org/en/6.2.x/admin-guide/configuration/transparent-proxy/bridge.en.html
>
> The traffic seems to be coming into my bridged system and getting
> forwarded up the stack as per the configuration. However, my
> application is not receiving the traffic. Enabling tracing for
> port 80 shows the logs at the end of the email.
>
> Is my configuration correct? If so, why is my redirect rule that
> modifies the dest. port from 80 to 8080 not changing the port? Since my
> application is listening on 8080, could this be the reason my application
> is not seeing the traffic? If not, what else can I look at to debug this
> issue? Are there any other counters I can look at (or traces that I
> can enable) to determine where the packets are getting lost?
>
> Thanks for the help in advance.
>
> regards,
> Dk.
>
> OS: Centos 7.5
> Kernel Version: 3.10
>
> PS: My config.
>
> ----------------------------- Config --------------------------------
>
> echo 1 > /proc/sys/net/ipv4/ip_forward
> brctl addbr br0
> ifconfig br0 up
> brctl stp br0 off
> brctl addif br0 enp2s0
> brctl addif br0 enp1s0f3
> ifconfig enp2s0 0 0.0.0.0
> ifconfig enp1s0f3 0 0.0.0.0
> ifconfig br0 192.168.150.150 netmask 255.255.255.0 up
> echo 0 > /proc/sys/net/ipv4/conf/br0/rp_filter
> echo 0 > /proc/sys/net/ipv4/conf/enp1s0f3/rp_filter
> echo 0 > /proc/sys/net/ipv4/conf/enp2s0/rp_filter
> ip rule delete fwmark 1/1 > /dev/null 2>&1
> ip rule add fwmark 1/1 table 1
> ip route add local 0/0 dev lo table 1
> iptables -t mangle -A PREROUTING -i enp2s0 -p tcp -m tcp --dport 80 -j
> TPROXY --on-ip 0.0.0.0 --on-port 8080 --tproxy-mark 1/1
> iptables -t mangle -A PREROUTING -i enp1s0f3 -p tcp -m tcp --sport 80
> -j MARK --set-mark 1/1
> iptables -t filter --flush FORWARD
> iptables -t filter --flush INPUT
> ebtables -t broute -F
> ebtables -t broute -A BROUTING -p IPv4 --ip-proto tcp --ip-dport 80 -j
> redirect --redirect-target DROP
> ebtables -t broute -A BROUTING -p IPv4 --ip-proto tcp --ip-sport 80
> -j redirect --redirect-target DROP
>
> ------------------------- TRACES ----------------------------------
>
> Jul  8 15:57:26 localhost kernel: TRACE: raw:PREROUTING:policy:2
> IN=enp2s0 OUT= MAC=00:30:18:08:06:e8:0c:c4:7a:b5:be:eb:08:00
> SRC=192.168.10.200 DST=192.168.10.50 LEN=60 TOS=0x00 PREC=0x00 TTL=64
> ID=43187 DF PROTO=TCP SPT=35294 DPT=80 SEQ=2080332442 ACK=0
> WINDOW=29200 RES=0x00 SYN URGP=0 OPT
> (020405B40402080A3771F2290000000001030307)
> Jul  8 15:57:26 localhost kernel: TRACE: mangle:PREROUTING:rule:1
> IN=enp2s0 OUT= MAC=00:30:18:08:06:e8:0c:c4:7a:b5:be:eb:08:00
> SRC=192.168.10.200 DST=192.168.10.50 LEN=60 TOS=0x00 PREC=0x00 TTL=64
> ID=43187 DF PROTO=TCP SPT=35294 DPT=80 SEQ=2080332442 ACK=0
> WINDOW=29200 RES=0x00 SYN URGP=0 OPT
> (020405B40402080A3771F2290000000001030307)
> Jul  8 15:57:26 localhost kernel: TRACE: nat:PREROUTING:policy:1
> IN=enp2s0 OUT= MAC=00:30:18:08:06:e8:0c:c4:7a:b5:be:eb:08:00
> SRC=192.168.10.200 DST=192.168.10.50 LEN=60 TOS=0x00 PREC=0x00 TTL=64
> ID=43187 DF PROTO=TCP SPT=35294 DPT=80 SEQ=2080332442 ACK=0
> WINDOW=29200 RES=0x00 SYN URGP=0 OPT
> (020405B40402080A3771F2290000000001030307) UID=1001 GID=1001 MARK=0x1
> Jul  8 15:57:26 localhost kernel: TRACE: mangle:INPUT:policy:1
> IN=enp2s0 OUT= MAC=00:30:18:08:06:e8:0c:c4:7a:b5:be:eb:08:00
> SRC=192.168.10.200 DST=192.168.10.50 LEN=60 TOS=0x00 PREC=0x00 TTL=64
> ID=43187 DF PROTO=TCP SPT=35294 DPT=80 SEQ=2080332442 ACK=0
> WINDOW=29200 RES=0x00 SYN URGP=0 OPT
> (020405B40402080A3771F2290000000001030307) UID=1001 GID=1001 MARK=0x1
> Jul  8 15:57:26 localhost kernel: TRACE: filter:INPUT:policy:1
> IN=enp2s0 OUT= MAC=00:30:18:08:06:e8:0c:c4:7a:b5:be:eb:08:00
> SRC=192.168.10.200 DST=192.168.10.50 LEN=60 TOS=0x00 PREC=0x00 TTL=64
> ID=43187 DF PROTO=TCP SPT=35294 DPT=80 SEQ=2080332442 ACK=0
> WINDOW=29200 RES=0x00 SYN URGP=0 OPT
> (020405B40402080A3771F2290000000001030307) UID=1001 GID=1001 MARK=0x1
> Jul  8 15:57:26 localhost kernel: TRACE: nat:INPUT:policy:1 IN=enp2s0
> OUT= MAC=00:30:18:08:06:e8:0c:c4:7a:b5:be:eb:08:00 SRC=192.168.10.200
> DST=192.168.10.50 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=43187 DF
> PROTO=TCP SPT=35294 DPT=80 SEQ=2080332442 ACK=0 WINDOW=29200 RES=0x00
> SYN URGP=0 OPT (020405B40402080A3771F2290000000001030307) UID=1001
> GID=1001 MARK=0x1



-- 
Gregory Vander Schueren | R&D Engineer
gregory.vanderschueren@xxxxxxxxxxxx |
Tessares SA | Hybrid Access Solutions
www.tessares.net
1 Avenue Jean Monnet, 1348 Louvain-la-Neuve, Belgium
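Editor's added example (not part of either message above): a small Python reader for the two pieces of evidence this thread works with, the kernel TRACE lines Dk quoted and the per-rule packet counters Gregory suggests checking with iptables -v. The TRACE lines are the ones from the mail, rejoined onto single lines; the counter listing is constructed to match the shape of `iptables -t mangle -L PREROUTING -v -n -x` output and its numbers are made up. The point it makes visible is that TPROXY never rewrites the IP/TCP header: DPT staying at 80 is expected, and the signs of a match are a `rule` verdict in mangle:PREROUTING followed by the tproxy-mark on every later hop and traversal of the INPUT chains. Once the trace shows that, the remaining thing to verify is the receiving side, since TPROXY hands the packet to a socket that has IP_TRANSPARENT set and is bound to the --on-port.

```python
"""Read netfilter TRACE output and iptables -v counters to check a TPROXY setup."""
import re
from typing import Dict, List, Optional, Tuple

# Kernel TRACE lines quoted in the thread, rejoined onto single lines (the
# mail client had wrapped them).  These are the page's own data.
SAMPLE_TRACE = """\
Jul  8 15:57:26 localhost kernel: TRACE: raw:PREROUTING:policy:2 IN=enp2s0 OUT= MAC=00:30:18:08:06:e8:0c:c4:7a:b5:be:eb:08:00 SRC=192.168.10.200 DST=192.168.10.50 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=43187 DF PROTO=TCP SPT=35294 DPT=80 SEQ=2080332442 ACK=0 WINDOW=29200 RES=0x00 SYN URGP=0 OPT (020405B40402080A3771F2290000000001030307)
Jul  8 15:57:26 localhost kernel: TRACE: mangle:PREROUTING:rule:1 IN=enp2s0 OUT= MAC=00:30:18:08:06:e8:0c:c4:7a:b5:be:eb:08:00 SRC=192.168.10.200 DST=192.168.10.50 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=43187 DF PROTO=TCP SPT=35294 DPT=80 SEQ=2080332442 ACK=0 WINDOW=29200 RES=0x00 SYN URGP=0 OPT (020405B40402080A3771F2290000000001030307)
Jul  8 15:57:26 localhost kernel: TRACE: nat:PREROUTING:policy:1 IN=enp2s0 OUT= MAC=00:30:18:08:06:e8:0c:c4:7a:b5:be:eb:08:00 SRC=192.168.10.200 DST=192.168.10.50 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=43187 DF PROTO=TCP SPT=35294 DPT=80 SEQ=2080332442 ACK=0 WINDOW=29200 RES=0x00 SYN URGP=0 OPT (020405B40402080A3771F2290000000001030307) UID=1001 GID=1001 MARK=0x1
Jul  8 15:57:26 localhost kernel: TRACE: mangle:INPUT:policy:1 IN=enp2s0 OUT= MAC=00:30:18:08:06:e8:0c:c4:7a:b5:be:eb:08:00 SRC=192.168.10.200 DST=192.168.10.50 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=43187 DF PROTO=TCP SPT=35294 DPT=80 SEQ=2080332442 ACK=0 WINDOW=29200 RES=0x00 SYN URGP=0 OPT (020405B40402080A3771F2290000000001030307) UID=1001 GID=1001 MARK=0x1
Jul  8 15:57:26 localhost kernel: TRACE: filter:INPUT:policy:1 IN=enp2s0 OUT= MAC=00:30:18:08:06:e8:0c:c4:7a:b5:be:eb:08:00 SRC=192.168.10.200 DST=192.168.10.50 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=43187 DF PROTO=TCP SPT=35294 DPT=80 SEQ=2080332442 ACK=0 WINDOW=29200 RES=0x00 SYN URGP=0 OPT (020405B40402080A3771F2290000000001030307) UID=1001 GID=1001 MARK=0x1
Jul  8 15:57:26 localhost kernel: TRACE: nat:INPUT:policy:1 IN=enp2s0 OUT= MAC=00:30:18:08:06:e8:0c:c4:7a:b5:be:eb:08:00 SRC=192.168.10.200 DST=192.168.10.50 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=43187 DF PROTO=TCP SPT=35294 DPT=80 SEQ=2080332442 ACK=0 WINDOW=29200 RES=0x00 SYN URGP=0 OPT (020405B40402080A3771F2290000000001030307) UID=1001 GID=1001 MARK=0x1
"""

# CONSTRUCTED listing in the shape of `iptables -t mangle -L PREROUTING -v -n -x`;
# the packet/byte counts are invented for the example.
SAMPLE_COUNTERS = """\
Chain PREROUTING (policy ACCEPT 12 packets, 720 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       3      180 TPROXY     tcp  --  br0    *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 TPROXY redirect 0.0.0.0:8080 mark 0x1/0x1
       0        0 MARK       tcp  --  enp1s0f3 *       0.0.0.0/0            0.0.0.0/0            tcp spt:80 MARK set 0x1
"""

# "TRACE: table:chain:verdict:number" followed by the packet's KEY=VALUE fields.
TRACE_RE = re.compile(
    r"TRACE: (?P<table>\w+):(?P<chain>\w+):(?P<kind>rule|policy|return):(?P<num>\d+)\s*(?P<rest>.*)"
)
FIELD_RE = re.compile(r"(\w+)=(\S*)")  # bare flags such as DF/SYN carry no '=' and are skipped


def parse_trace_line(line: str) -> Optional[Dict]:
    """Split one TRACE line into its hop (table/chain/verdict) and its fields."""
    m = TRACE_RE.search(line)
    if not m:
        return None
    return {
        "table": m.group("table"),
        "chain": m.group("chain"),
        "kind": m.group("kind"),   # 'rule' = a rule matched, 'policy' = chain policy applied
        "num": int(m.group("num")),
        "fields": dict(FIELD_RE.findall(m.group("rest"))),
    }


def packet_path(lines: List[str]) -> List[str]:
    """List the hops the traced packet took, in order, as table:chain:verdict:number."""
    hops = []
    for line in lines:
        p = parse_trace_line(line)
        if p:
            hops.append(f"{p['table']}:{p['chain']}:{p['kind']}:{p['num']}")
    return hops


def tproxy_rule_hit(lines: List[str], expected_mark: str = "0x1") -> Dict:
    """Decide from the trace whether the mangle/PREROUTING TPROXY rule did its job.

    TPROXY leaves the header alone, so DPT is not expected to change.  A match
    shows up as a 'rule' verdict in mangle:PREROUTING, the tproxy-mark on every
    later hop, and delivery through the INPUT chains (via the fwmark route).
    """
    parsed = [p for p in (parse_trace_line(l) for l in lines) if p]
    matched_rule = None
    mark_set = False
    delivered_locally = False
    dports = set()
    for p in parsed:
        dports.add(p["fields"].get("DPT"))
        if p["table"] == "mangle" and p["chain"] == "PREROUTING" and p["kind"] == "rule":
            matched_rule = p["num"]
        if matched_rule is not None and p["fields"].get("MARK") == expected_mark:
            mark_set = True
        if p["chain"] == "INPUT":
            delivered_locally = True
    return {
        "matched_rule": matched_rule,
        "mark_set": mark_set,
        "delivered_locally": delivered_locally,
        "dport_rewritten": len(dports) > 1,  # False for TPROXY; True would point at REDIRECT/DNAT
    }


def rule_counters(text: str) -> List[Tuple[str, int]]:
    """Parse `iptables -L <chain> -v -n -x` output into (target, packets) pairs."""
    out = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) < 3 or not cols[0].isdigit():
            continue  # skip the 'Chain ...' banner and the column header
        out.append((cols[2], int(cols[0])))
    return out


if __name__ == "__main__":
    for hop in packet_path(SAMPLE_TRACE.splitlines()):
        print(hop)
    print(tproxy_rule_hit(SAMPLE_TRACE.splitlines()))
    print(rule_counters(SAMPLE_COUNTERS))
```

Run on the quoted trace, `tproxy_rule_hit` reports the TPROXY rule (rule 1) matched, the mark was set, the packet reached INPUT, and DPT was never rewritten; `rule_counters` turns the -v listing into numbers that can be compared before and after a test connection, which is the check Gregory describes.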
