R: Transparent proxy

From: Carlo Granisso <c.granisso#dnshosting.it>
Date: Tue, 12 May 2009 18:04:32 +0200


Well... Now I have a new situation:

On the haproxy box I've put these directives:

iptables -t mangle -A PREROUTING -j ACCEPT -p tcp --dport 80 -s haproxy-public-ip
iptables -t mangle -A PREROUTING -j MARK --set-mark 3 -p tcp --dport 80
ip rule add fwmark 3 table 2
ip route add default via haproxy-private-ip dev eth1 table 2

On the webserver:

iptables -A PREROUTING -t nat -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 80
route add 0.0.0.0 gw 192.168.0.56

When I try to get the website from the browser...:

tcp        0      0 192.168.0.133:80    haproxy_public:42758    SYN_RECV    -
tcp        0      0 192.168.0.133:80    haproxy_public:43200    SYN_RECV    -

Have you got ideas?
I know it's only an iptables/routing problem (wrong rules on the haproxy box and the webserver)... but I can't find it... :-(

Thanks,

Carlo

-----Original message-----
From: Carlo Granisso [mailto:c.granisso#dnshosting.it]
Sent: Tuesday, 12 May 2009 10:21
To: 'John Lauro'
Cc: haproxy#formilux.org
Subject: R: Transparent proxy

-----Original message-----
From: John Lauro [mailto:john.lauro#covenanteyes.com]
Sent: Monday, 11 May 2009 18:30
To: 'Carlo Granisso'; haproxy#formilux.org
Subject: RE: Transparent proxy

>>
>> And no requests were found on the webserver (netstat -ntap | grep :80)
>>
>> After few seconds: "503 Service Unavailable No server is available to
>> handle this request. "
>>

> Can you ping your webserver from the haproxy box ok?

Yes

> What does the following show from your webserver:
> netstat -rn
> Does it show the private IP address of your haproxy box as the gateway 
> for 0.0.0.0?

Here's the output:

Kernel IP routing table
Destination     Gateway         Genmask         Flags MSS Window  irtt Iface
0.0.0.0         192.168.0.56    255.255.255.255 UGH     0 0          0 eth1
192.168.0.0     0.0.0.0         255.255.255.0   U       0 0          0 eth1

On my haproxy box I have lots of connections in "TIME_WAIT" state from haproxy to the webservers.
When I try to get the default page from the browser, no connection is made to the webserver (haproxy opens only one TCP connection, in "SYN_SENT" state).

Thanks for your patience.

Carlo

Received on 2009/05/12 18:04
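Editor's note on the routing table quoted above: the line for 0.0.0.0 carries genmask 255.255.255.255 and flags UGH, which is a host route to the single address 0.0.0.0, not a default route (a default route shows genmask 0.0.0.0 and flags UG). With no usable default route the webserver cannot send a SYN-ACK back to any address outside 192.168.0.0/24, which is consistent with the connections from haproxy_public sitting in SYN_RECV. The following is an added example, not code from the thread or from HAProxy: a small Python checker that parses a `netstat -rn` / `route -n` dump and reports whether a real default route exists or whether the host-route mistake above is present. The two sample tables are constructed for the example; the first reproduces the posted output, the second is what the table should look like after `ip route replace default via 192.168.0.56 dev eth1` (the fix command is an assumption about the intended gateway, taken from the posted table).

```python
"""Diagnose a missing or malformed IPv4 default route from netstat -rn output.

Added example (not from the haproxy thread). The sample inputs below are
constructed: SAMPLE_BROKEN mirrors the posted table, SAMPLE_FIXED is the
expected table after adding a real default route.
"""
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: host route to 0.0.0.0/32 (genmask 255.255.255.255, UGH).
SAMPLE_BROKEN = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags MSS Window  irtt Iface
0.0.0.0         192.168.0.56    255.255.255.255 UGH     0 0          0 eth1
192.168.0.0     0.0.0.0         255.255.255.0   U       0 0          0 eth1
"""

# Constructed sample: a proper default route (genmask 0.0.0.0, UG).
SAMPLE_FIXED = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags MSS Window  irtt Iface
0.0.0.0         192.168.0.56    0.0.0.0         UG      0 0          0 eth1
192.168.0.0     0.0.0.0         255.255.255.0   U       0 0          0 eth1
"""


@dataclass
class Route:
    dest: str
    gateway: str
    genmask: str
    flags: str
    iface: str


def _is_ipv4(s: str) -> bool:
    parts = s.split(".")
    return len(parts) == 4 and all(p.isdigit() and 0 <= int(p) <= 255 for p in parts)


def parse_netstat_rn(text: str) -> List[Route]:
    """Parse the 8-column table printed by `netstat -rn` or `route -n`.

    Banner and header lines are skipped because their first field is not a
    dotted quad; the interface name is always the last column.
    """
    routes: List[Route] = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 8 or not _is_ipv4(fields[0]):
            continue
        routes.append(Route(dest=fields[0], gateway=fields[1], genmask=fields[2],
                            flags=fields[3], iface=fields[-1]))
    return routes


def find_default_route(routes: List[Route]) -> Optional[Route]:
    """Return the real default route, i.e. 0.0.0.0/0 via a gateway, if present.

    A route with an H flag or a non-zero genmask only matches one address
    (here literally 0.0.0.0) and is never used for arbitrary destinations.
    """
    for r in routes:
        if (r.dest == "0.0.0.0" and r.genmask == "0.0.0.0"
                and "G" in r.flags and "H" not in r.flags):
            return r
    return None


def diagnose(text: str) -> str:
    """Human-readable verdict for a routing table dump."""
    routes = parse_netstat_rn(text)
    default = find_default_route(routes)
    if default is not None:
        return f"ok: default via {default.gateway} dev {default.iface}"
    # The classic mistake: `route add 0.0.0.0 gw X` without `-net`/`netmask 0.0.0.0`.
    host_routes = [r for r in routes
                   if r.dest == "0.0.0.0" and r.genmask == "255.255.255.255"]
    if host_routes:
        r = host_routes[0]
        return (f"host route to 0.0.0.0/32 via {r.gateway} on {r.iface}; "
                f"this is not a default route. Fix with: "
                f"ip route replace default via {r.gateway} dev {r.iface}")
    return "no default route"


if __name__ == "__main__":
    print(diagnose(SAMPLE_BROKEN))
    print(diagnose(SAMPLE_FIXED))
```

Run it against a live box with `netstat -rn | python3 check_route.py` after swapping the samples for `sys.stdin.read()`; the check is the same on the haproxy box for table 2 if you feed it `route -n` output, but `ip route show table 2` uses a different layout and would need its own parser.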

This archive was generated by hypermail 2.2.0 : 2009/05/12 18:15 CEST