I am having an issue with transparent proxying when I am routing port
80 traffic at my LAN router. If I just route a target web server's
host/network to my ATS proxy, things work as expected.
# BROKEN CONFIGURATION
# RULES DEFINED AT LINUX LAN ROUTER
iptables -t mangle -A PREROUTING -i eth0 -p tcp --dport 80 -j MARK --set-mark 3
ip rule add fwmark 3 table 2
ip route add default via 10.1.10.2 dev eth1 table 2
# RULES DEFINED AT ATS HOST
iptables -t mangle -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j TPROXY --on-ip 0.0.0.0 --on-port 8080 --tproxy-mark 3
ip rule add fwmark 3 table 1
ip route add local 0.0.0.0/0 dev lo table 1
When I run tcpdump on the LAN router, I see the SYN-ACK, with the
origin's IP address as its source, being returned by the ATS server. This is
expected.
However, the SYN-ACK doesn't make it beyond eth1 of the LAN router.
The packet gets dropped. Maybe the marking set at the ATS server is
causing the LAN router to drop the packet.
# WORKING CONFIGURATION
# RULES DEFINED AT LINUX LAN ROUTER
ip route add 172.16.20.0/24 via 10.1.10.2
# RULES DEFINED AT ATS HOST
iptables -t mangle -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j TPROXY --on-ip 0.0.0.0 --on-port 8080 --tproxy-mark 3
ip rule add fwmark 3 table 1
ip route add local 0.0.0.0/0 dev lo table 1
This configuration works. But this means that if I have other traffic
types destined for this routed host/network, the ATS host will have to
just pass them along. This isn't ideal. I just want port 80 traffic routed to
the ATS host.
Please advise.
Thanks!
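To make the difference between the two LAN-router configurations concrete, here is an added illustration (not from the original post) that models the fwmark policy-routing decision: the mangle PREROUTING mark, the `ip rule` fwmark lookup and a longest-prefix match in the selected table. The client address 192.168.1.10, the origin address 172.16.20.5 and the contents of the main table are assumptions; it models the routing decision only, not the drop of the SYN-ACK the post describes.

```python
import ipaddress

# Constructed packets: (in_iface, proto, src, dst, sport, dport). Addresses are assumed.
CLIENT, ORIGIN = "192.168.1.10", "172.16.20.5"
SYN = ("eth0", "tcp", CLIENT, ORIGIN, 40000, 80)     # client -> origin, port 80
SYNACK = ("eth1", "tcp", ORIGIN, CLIENT, 80, 40000)  # returned by the ATS host on eth1
SSH = ("eth0", "tcp", CLIENT, ORIGIN, 40001, 22)     # non-HTTP traffic to the same host

# LAN-router side of the BROKEN configuration: mark dport 80 on eth0, mark 3 -> table 2.
BROKEN = {
    "mark_rules": [{"iif": "eth0", "proto": "tcp", "dport": 80, "mark": 3}],
    "ip_rules": [(3, "table2")],
    "tables": {"table2": [("0.0.0.0/0", "10.1.10.2 dev eth1")],
               "main": [("192.168.1.0/24", "eth0"), ("0.0.0.0/0", "upstream")]},  # assumed
}
# LAN-router side of the WORKING configuration: one static route, no marking.
WORKING = {
    "mark_rules": [],
    "ip_rules": [],
    "tables": {"main": [("172.16.20.0/24", "10.1.10.2"),
                        ("192.168.1.0/24", "eth0"), ("0.0.0.0/0", "upstream")]},  # assumed
}

def fwmark(pkt, mark_rules):
    """First matching mangle PREROUTING rule sets the mark; otherwise the mark stays 0."""
    iface, proto, _src, _dst, _sport, dport = pkt
    for r in mark_rules:
        if (r["iif"], r["proto"], r["dport"]) == (iface, proto, dport):
            return r["mark"]
    return 0

def lookup(dst, table):
    """Longest-prefix match inside one routing table; None when nothing matches."""
    addr, best = ipaddress.ip_address(dst), None
    for prefix, hop in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None

def next_hop(pkt, cfg):
    """Consult the fwmark `ip rule` entries in order, then fall back to the main table."""
    mark = fwmark(pkt, cfg["mark_rules"])
    for m, table in cfg["ip_rules"]:
        if mark == m:
            hop = lookup(pkt[3], cfg["tables"][table])
            if hop is not None:
                return hop
    return lookup(pkt[3], cfg["tables"]["main"])
```

In the broken configuration only the dport-80 SYN is marked and sent via 10.1.10.2, while the SSH packet stays on the main table; in the working configuration every packet to 172.16.20.0/24, SSH included, is handed to the ATS host.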