IMQ conflict with TPROXY
oknet opened this issue · comments
The TPROXY does not work if I put an IMQ rule before the TPROXY rules.
iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 80 -j IMQ --todev 0
iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 80 -j TPROXY --on-ip 0.0.0.0 --on-port 8080 --tproxy-mark 1/1
iptables -t mangle -A PREROUTING -p tcp -m tcp --sport 80 -j MARK --set-xmark 0x1/0x1
What is the kernel version & OS ?
Can you describe what you want to accomplish?
Hi, MihaiC
I'm set up a full transparent http proxy (Apache Trafficserver) and listen
on a bridge device (br0: eth0, eth1).
eth0 is connected with intranet.
eth1 is connected with internet.
My iptables rules for TPROXY are below:
iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 80 -j TPROXY
--on-port 8081 --on-ip 0.0.0.0 --tproxy-mark 0x1/0x1
iptables -t mangle -A PREROUTING -p tcp -m tcp --sport 80 -j MARK
--set-xmark 0x1/0x1
The IMQ is used to work with TC for rate shaping, and the iptables rules
are below:
iptables -t mangle -A PREROUTING -i eth0 -s 172.16.0.0/12 -j IMQ --todev 0
iptables -t mangle -A PREROUTING -o eth0 -d 172.16.0.0/12 -j IMQ --todev 1
iptables -t mangle -A PREROUTING -i eth1 -d 172.16.0.0/12 -j IMQ --todev 2
iptables -t mangle -A PREROUTING -o eth1 -s 172.16.0.0/12 -j IMQ --todev 3
imq0 is used to rate shaping the incoming data from client
imq1 is used to rate shaping the outgoing data to client
imq2 is used to rate shaping the incoming data from internet server
imq3 is used to rate shaping the outgoing data to internet server
Because the TPROXY is a terminating target, the finial iptables rule are:
iptables -t mangle -A PREROUTING -i eth0 -s 172.16.0.0/12 -j IMQ --todev 0
iptables -t mangle -A PREROUTING -o eth0 -d 172.16.0.0/12 -j IMQ --todev 1
iptables -t mangle -A PREROUTING -i eth1 -d 172.16.0.0/12 -j IMQ --todev 2
iptables -t mangle -A PREROUTING -o eth1 -s 172.16.0.0/12 -j IMQ --todev 3
iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 80 -j TPROXY
--on-port 8081 --on-ip 0.0.0.0 --tproxy-mark 0x1/0x1
iptables -t mangle -A PREROUTING -p tcp -m tcp --sport 80 -j MARK
--set-xmark 0x1/0x1
Then I found the rate shaping on imq0 is not work. Are they conflicted ?
The base kernel is Debian 3.2.68-1+deb7u3 x86_64 GNU/Linux.
Thanks.
Oknet Xu.
2017-11-29 18:49 GMT+08:00 MihaiC <notifications@github.com>:
… What is the kernel version & OS ?
Can you describe what you want to accomplish?
—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
<#65 (comment)>, or mute
the thread
<https://github.com/notifications/unsubscribe-auth/AE_9sYyDSJSI-92527mDi61d779NdTyxks5s7TbKgaJpZM4QS86O>
.
You are trying to set up IMQ+TPROXY on the same box as the proxy ATS ?
yes, full transparent proxy.
https://docs.trafficserver.apache.org/en/5.3.x/admin/transparent-proxy.en.html
- Oknet Xu
2017-12-05 22:33 GMT+08:00 MihaiC <notifications@github.com>:
… You are trying to set up IMQ on the same box as the proxy ATS ?
—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
<#65 (comment)>, or mute
the thread
<https://github.com/notifications/unsubscribe-auth/AE_9sXbxzjKpWWxdLnQ6-6Vsvr7W7g0Nks5s9VRJgaJpZM4QS86O>
.
Maybe you could try like this
iptables -t mangle -A PREROUTING -i eth0 -j IMQ --todev 0
iptables -t mangle -A POSTROUTING -o eth0 -j IMQ --todev 1
iptables -t mangle -A PREROUTING -i eth1 -j IMQ --todev 2
iptables -t mangle -A POSTOUTING -o eth1 -j IMQ --todev 3
and post some output of the rules (verbose) to see if packets are going to imq.
Hi MihaiC,
Thanks for your opinion, i tried but it still doesn't work, i guess there maybe some conflict between IMQ and TPROXY in their kernel implementation which we don't know before, because nobody use them this way like us before ...
JZ.