Re: cttproxy

From: Willy Tarreau <w#1wt.eu>
Date: Thu, 18 Oct 2007 15:25:44 +0200


Hi Tim,

On Wed, Oct 17, 2007 at 04:30:34PM +0100, Tim O'Donovan wrote:
> Hi,
>
> I'm trying to put together a configuration to load balance a cluster of
> SMTP servers. As these servers run rbl checks on the incoming address, I
> need to configure haproxy as a transparent proxy using cttproxy.
>
> I have patched a 2.6.17 kernel and iptables 1.3.5 and have them set up on
> a local machine. But I'm struggling to get cttproxy working with
> haproxy, and was wondering whether someone could point me in the right
> direction.
>
> I have another machine with an MTA listening on 192.168.0.200, and the
> haproxy machine running on 192.168.1.10.
>
> Here's the listen section from the config file:
>
>
> listen smtp_proxy 192.168.1.10:25
> mode tcp
> balance roundrobin
> server smtp1 192.168.0.200:25 source 192.168.1.10 usesrc clientip
>
>
> I have a third machine running on 192.168.0.4 to run the tests. Running
> haproxy in debugging mode, I can see that the IP_TPROXY setsockopt
> request is successful, but the connection is not forwarded onto the MTA
> on 192.168.0.200 and eventually times out after a few tries.
>
> At least the strace output leads me to believe it was successful:
>
> > setsockopt(7, SOL_IP, 0x2c0a /* IP_??? */, "\1\0\0\0\300\250\0\4\0\0\0\0", 12) = 0
> > setsockopt(7, SOL_IP, 0x2c0a /* IP_??? */, "\4\0\0\0\1\0\1\0z\352\5\10", 12) = 0
>
> Can anyone see anything obviously wrong with the configuration?

I have never tried cttproxy on linux 2.6 yet. But here is how I start it on linux 2.4:

# modprobe ip_conntrack hashsize=65536
# modprobe iptable_tproxy hashsize=65536
# echo 15 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_time_wait
# echo 30 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_fin_wait

Are you sure you have correctly loaded the iptable_tproxy module? I believe that if it was not loaded, it would cause the problem you describe (although I'm not sure, I'm not using this feature everyday).

Also, you say that your test client is on 192.168.0.4 and your MTA on 192.168.0.200. If haproxy takes the IP from your client to connect to the MTA, it will connect to it with a source 192.168.0.4. Most likely, your MTA will respond with a SYN/ACK to its local network and will never go back to your haproxy. If this is the problem, you have two solutions:

  1. use a client from a different network and add a default route from your MTA to haproxy. In this case, you'll also need to enable IP forwarding on your haproxy machine so that your SMTP servers can access the rest of the world.
  2. add a static host route from your MTA to your client through haproxy during your tests.

Regards,
Willy
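As an added illustration of the return-path problem in the reply above (a constructed example, not haproxy or cttproxy code), the following Python models the MTA's forwarding decision for its SYN/ACK under the three routing tables discussed: the setup as tested, Willy's option 1 (default route through haproxy, off-LAN client) and option 2 (a host route for the test client through haproxy). The MTA, proxy and client addresses are the ones from the thread; the MTA's ordinary default gateway (192.168.0.1), haproxy's address on the MTA's LAN (192.168.0.10) and the off-LAN test client (10.0.0.5) are assumptions made up for the example because the thread does not state them.

```python
"""
Constructed model of where an MTA sends its SYN/ACK when haproxy connects
with "usesrc clientip". Added illustration, not haproxy/cttproxy code.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

MTA_IP = "192.168.0.200"          # from the thread
CLIENT_SAME_LAN = "192.168.0.4"   # Tim's test client, same /24 as the MTA
PROXY_LAN_SIDE = "192.168.0.10"   # ASSUMED: haproxy's address on the MTA's LAN
LAN_GATEWAY = "192.168.0.1"       # ASSUMED: the MTA's ordinary default gateway
CLIENT_OTHER_NET = "10.0.0.5"     # ASSUMED: a client outside the MTA's LAN


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    via: Optional[ipaddress.IPv4Address]  # None means directly connected
    dev: str


def lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match, as the kernel does for a forwarding decision."""
    d = ipaddress.IPv4Address(dst)
    best = None
    for r in routes:
        if d in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


def gateway_is_onlink(routes: List[Route], via: str) -> bool:
    """A gateway is usable only if a connected route covers it; otherwise
    Linux refuses the route ("Nexthop has invalid gateway")."""
    g = ipaddress.IPv4Address(via)
    return any(r.via is None and g in r.prefix for r in routes)


def add_route(routes: List[Route], prefix: str, via: Optional[str], dev: str = "eth0") -> None:
    if via is not None and not gateway_is_onlink(routes, via):
        raise ValueError(f"gateway {via} is not on a connected network")
    routes.append(Route(ipaddress.IPv4Network(prefix),
                        ipaddress.IPv4Address(via) if via else None, dev))


def next_hop(routes: List[Route], dst: str) -> Optional[str]:
    """Address the MTA will ARP for when sending a packet to dst."""
    r = lookup(routes, dst)
    if r is None:
        return None
    return str(r.via) if r.via is not None else dst


def synack_returns_via_proxy(routes: List[Route], client_ip: str) -> bool:
    """The SYN/ACK is addressed to the (spoofed) client source; it only comes
    back through haproxy if haproxy is the MTA's next hop for that address."""
    return next_hop(routes, client_ip) == PROXY_LAN_SIDE


def mta_table_as_tested() -> List[Route]:
    """Tim's setup: one connected LAN plus an ordinary default route."""
    routes: List[Route] = []
    add_route(routes, "192.168.0.0/24", None)   # connected network
    add_route(routes, "0.0.0.0/0", LAN_GATEWAY)
    return routes


def mta_table_with_host_route() -> List[Route]:
    """Option 2: a /32 host route for the test client through haproxy."""
    routes = mta_table_as_tested()
    add_route(routes, CLIENT_SAME_LAN + "/32", PROXY_LAN_SIDE)
    return routes


def mta_table_default_via_proxy() -> List[Route]:
    """Option 1: default route via haproxy, so replies to any off-LAN client
    pass through it (haproxy must then have IP forwarding enabled)."""
    routes: List[Route] = []
    add_route(routes, "192.168.0.0/24", None)
    add_route(routes, "0.0.0.0/0", PROXY_LAN_SIDE)
    return routes


if __name__ == "__main__":
    cases = [("as tested", mta_table_as_tested(), CLIENT_SAME_LAN),
             ("option 2, host route", mta_table_with_host_route(), CLIENT_SAME_LAN),
             ("option 1, default via proxy", mta_table_default_via_proxy(), CLIENT_OTHER_NET)]
    for name, table, client in cases:
        verdict = "via haproxy" if synack_returns_via_proxy(table, client) else "BYPASSES haproxy"
        print(f"{name:28s} SYN/ACK to {client} -> next hop {next_hop(table, client)}: {verdict}")
```

Run it directly to print the next hop for each case. On a real MTA the same check is `ip route get <client address>`: the gateway it prints must be the haproxy machine, and the model also shows why the route cannot simply point at 192.168.1.10 from a box whose only connected network is 192.168.0.0/24.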
