Thanks for reply.. but no luck.. this is very frustrating .. im
starting to thinking is something with mikrotik
anyone knows how i look where syn/ack is getting dropped? i can i see
is that syn/ack arrives from server but cannot reach client in the
mikotik router..
if you have a Thread you better stick to it.
my tproxy setup on ubunutu 11.10 amd64
i'm using one script to start the tproxy services on this machine.
i have seen things about the ebtables should be on DROP but the only
way i could make it work was to accept the connections with EBTABLES.
as i remember you might need to add a "ACCEPT" rules before the "DROP"
ones in the ebtables.
this script is from couple of month ago but it worked perfectly.
hope it will help you.
#!/bin/sh -x
#turning iptables modules on
modprobe ip_tables
modprobe iptable_filter
modprobe iptable_mangle
modprobe xt_mark
modprobe xt_socket
modprobe nf_tproxy_core
modprobe xt_TPROXY
modprobe xt_tcpudp
modprobe nf_conntrack
modprobe nf_conntrack_ipv4
#building bridge
ifconfig eth0 0.0.0.0
ifconfig eth1 0.0.0.0
pkill dhc
ifconfig eth0 up
ifconfig eth1 up
brctl addbr br0
brctl addif br0 eth0
brctl addif br0 eth1
ifconfig br0 192.168.10.119
#adding route for bridge
route add default gw 192.168.10.201
#
echo "nameserver 192.168.10.201">/etc/resolv.conf
#tproxy settings
ip route flush table 100
ip rule del fwmark 1 lookup 100
ip rule add fwmark 1 lookup 100
ip -f inet route add local 0.0.0.0/0 dev lo table 100
iptables -t mangle -F
iptables -t mangle -X DIVERT
iptables -t mangle -N DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY
--tproxy-mark 0x1/0x1 --on-port 3129
##!/bin/sh
CLIENT_IFACE="eth1"
INET_IFACE="eth0"
ebtables -t broute -F
ebtables -t broute -A BROUTING -i $CLIENT_IFACE -p ipv4 --ip-proto tcp
--ip-dport 80 -j redirect --redirect-target ACCEPT
ebtables -t broute -A BROUTING -i $CLIENT_IFACE -p ipv4 --ip-proto tcp
--ip-dport 80 -j redirect --redirect-target DROP
ebtables -t broute -A BROUTING -i $INET_IFACE -p ipv4 --ip-proto tcp
--ip-sport 80 -j redirect --redirect-target ACCEPT
ebtables -t broute -A BROUTING -i $INET_IFACE -p ipv4 --ip-proto tcp
--ip-sport 80 -j redirect --redirect-target DROP
cd /proc/sys/net/bridge/
for i in *
do
echo 0 > $i
done
unset i
#Changes in /etc/sysctl.conf \ sysctl
sysctl net.ipv4.ip_forward=1
sysctl net.netfilter.nf_conntrack_acct=1
sysctl net.ipv4.conf.lo.rp_filter=0
Received on Fri May 04 2012 - 00:22:55 MDT
This archive was generated by hypermail 2.2.0 : Fri May 04 2012 - 12:00:02 MDT