imq / linuximq

Pseudo-driver for the intermediate queue device.
https://imq.github.io/
GNU General Public License v2.0

IMQ conflict with TPROXY #65

Closed oknet closed 6 years ago

oknet commented 7 years ago

The TPROXY does not work if I put an IMQ rule before the TPROXY rules.

iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 80 -j IMQ --todev 0
iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 80 -j TPROXY --on-ip 0.0.0.0 --on-port 8080 --tproxy-mark 1/1
iptables -t mangle -A PREROUTING -p tcp -m tcp --sport 80 -j MARK --set-xmark 0x1/0x1
imq commented 6 years ago

What is the kernel version & OS ? Can you describe what you want to accomplish?

oknet commented 6 years ago

Hi, MihaiC

I'm setting up a full transparent HTTP proxy (Apache Trafficserver) that listens on a bridge device (br0: eth0, eth1).

eth0 is connected to the intranet. eth1 is connected to the internet.

My iptables rules for TPROXY are below:

iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 80 -j TPROXY --on-port 8081 --on-ip 0.0.0.0 --tproxy-mark 0x1/0x1
iptables -t mangle -A PREROUTING -p tcp -m tcp --sport 80 -j MARK --set-xmark 0x1/0x1

The IMQ is used to work with TC for rate shaping, and the iptables rules are below:

iptables -t mangle -A PREROUTING -i eth0 -s 172.16.0.0/12 -j IMQ --todev 0
iptables -t mangle -A PREROUTING -o eth0 -d 172.16.0.0/12 -j IMQ --todev 1
iptables -t mangle -A PREROUTING -i eth1 -d 172.16.0.0/12 -j IMQ --todev 2
iptables -t mangle -A PREROUTING -o eth1 -s 172.16.0.0/12 -j IMQ --todev 3

imq0 is used for rate shaping the incoming data from the client
imq1 is used for rate shaping the outgoing data to the client
imq2 is used for rate shaping the incoming data from the internet server
imq3 is used for rate shaping the outgoing data to the internet server

Because TPROXY is a terminating target, the final iptables rules are:

iptables -t mangle -A PREROUTING -i eth0 -s 172.16.0.0/12 -j IMQ --todev 0
iptables -t mangle -A PREROUTING -o eth0 -d 172.16.0.0/12 -j IMQ --todev 1
iptables -t mangle -A PREROUTING -i eth1 -d 172.16.0.0/12 -j IMQ --todev 2
iptables -t mangle -A PREROUTING -o eth1 -s 172.16.0.0/12 -j IMQ --todev 3
iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 80 -j TPROXY --on-port 8081 --on-ip 0.0.0.0 --tproxy-mark 0x1/0x1
iptables -t mangle -A PREROUTING -p tcp -m tcp --sport 80 -j MARK --set-xmark 0x1/0x1

Then I found that the rate shaping on imq0 does not work. Do they conflict?

The base kernel is Debian 3.2.68-1+deb7u3 x86_64 GNU/Linux.

Thanks.

Oknet Xu.


imq commented 6 years ago

You are trying to set up IMQ+TPROXY on the same box as the proxy ATS ?

oknet commented 6 years ago

yes, full transparent proxy.

https://docs.trafficserver.apache.org/en/5.3.x/admin/transparent-proxy.en.html


imq commented 6 years ago

Maybe you could try like this:

iptables -t mangle -A PREROUTING -i eth0 -j IMQ --todev 0
iptables -t mangle -A POSTROUTING -o eth0 -j IMQ --todev 1
iptables -t mangle -A PREROUTING -i eth1 -j IMQ --todev 2
iptables -t mangle -A POSTROUTING -o eth1 -j IMQ --todev 3

and post some output of the rules (verbose) to see if packets are going to imq.
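The two placement problems this thread turns on, `-o` used in PREROUTING (the output interface is not known before the routing decision, so iptables rejects it there; MihaiC's suggestion moves those rules to POSTROUTING) and a terminating TPROXY rule placed ahead of a non-terminating IMQ rule, can be checked mechanically before loading a ruleset. The script below is an added example, not code from the linuximq project or from either participant; the two rulesets are constructed here to mirror the rules posted above (interface names, ports and the 172.16.0.0/12 prefix are the issue author's), and the trailing IMQ-after-TPROXY rule in the first ruleset is added purely to exercise the second check.

```shell
#!/bin/sh
# Added example (not from the linuximq project or the issue participants):
# lint an iptables-save style mangle ruleset for the two placement problems
# discussed in this thread. Rulesets are constructed to mirror the posted rules.

# Ruleset as posted by oknet, plus one constructed IMQ rule after TPROXY.
BAD_RULES='*mangle
-A PREROUTING -i eth0 -s 172.16.0.0/12 -j IMQ --todev 0
-A PREROUTING -o eth0 -d 172.16.0.0/12 -j IMQ --todev 1
-A PREROUTING -i eth1 -d 172.16.0.0/12 -j IMQ --todev 2
-A PREROUTING -o eth1 -s 172.16.0.0/12 -j IMQ --todev 3
-A PREROUTING -p tcp -m tcp --dport 80 -j TPROXY --on-port 8081 --on-ip 0.0.0.0 --tproxy-mark 0x1/0x1
-A PREROUTING -p tcp -m tcp --sport 80 -j MARK --set-xmark 0x1/0x1
-A PREROUTING -p tcp -m tcp --dport 80 -j IMQ --todev 0
COMMIT'

# Ruleset following MihaiC's suggestion: -o rules moved to POSTROUTING,
# every IMQ rule ahead of the terminating TPROXY rule.
GOOD_RULES='*mangle
-A PREROUTING -i eth0 -j IMQ --todev 0
-A POSTROUTING -o eth0 -j IMQ --todev 1
-A PREROUTING -i eth1 -j IMQ --todev 2
-A POSTROUTING -o eth1 -j IMQ --todev 3
-A PREROUTING -p tcp -m tcp --dport 80 -j TPROXY --on-port 8081 --on-ip 0.0.0.0 --tproxy-mark 0x1/0x1
-A PREROUTING -p tcp -m tcp --sport 80 -j MARK --set-xmark 0x1/0x1
COMMIT'

# lint_rules: reads a ruleset on stdin, prints one finding per line.
lint_rules() {
  awk '
    /^-A / {
      chain = $2
      # -o needs the routing decision: iptables rejects it in PREROUTING and
      # INPUT. The mirror image holds for -i in OUTPUT and POSTROUTING.
      for (i = 3; i <= NF; i++) {
        if ($i == "-o" && (chain == "PREROUTING" || chain == "INPUT"))
          print "line " NR ": -o is not allowed in " chain "; move the rule to POSTROUTING"
        if ($i == "-i" && (chain == "OUTPUT" || chain == "POSTROUTING"))
          print "line " NR ": -i is not allowed in " chain "; move the rule to PREROUTING"
      }
      # TPROXY is a terminating target: a later IMQ rule in the same chain is
      # never reached by the packets TPROXY accepted.
      if (seen_tproxy[chain] && $0 ~ / -j IMQ /)
        print "line " NR ": IMQ rule after TPROXY in " chain " is unreachable for proxied packets; move it above the TPROXY rule"
      if ($0 ~ / -j TPROXY /)
        seen_tproxy[chain] = 1
    }
  '
}

# finding_count: number of findings for the ruleset passed as $1.
finding_count() {
  printf '%s\n' "$1" | lint_rules | awk 'END { print NR + 0 }'
}

printf '%s\n' "$BAD_RULES" | lint_rules
echo "bad ruleset: $(finding_count "$BAD_RULES") finding(s); good ruleset: $(finding_count "$GOOD_RULES") finding(s)"
```

Run it against the output of `iptables-save -t mangle` on the box before trusting the counters. The linter only catches static placement mistakes; whether a rule like `-i eth0` actually matches bridged traffic still has to be confirmed the way MihaiC asks, with `iptables -t mangle -vnL PREROUTING` and a look at the per-rule packet counters, since on a bridge that traverses br_netfilter the input interface iptables sees is the bridge device rather than the physical port.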

visionjianzhaowang commented 6 years ago

Hi MihaiC,

Thanks for your opinion. I tried it, but it still doesn't work. I guess there may be some conflict between IMQ and TPROXY in their kernel implementation which we didn't know about before, because nobody has used them this way like us before ...

JZ.