TPROXY Not working with HAProxy, Ubuntu 14.04

facebook twitter digg google delicious technorati stumbleupon myspace wordpress linkedin gmail igoogle windows live tumblr viadeo yahoo buzz yahoo mail yahoo bookmarks favorites email print

Posted by Nyxynyx on Server Fault See other posts from Server Fault or by Nyxynyx
Published on 2014-08-20T04:19:49Z Indexed on 2014/08/20 4:23 UTC
Read the original article Hit count: 568

Filed under:
|
|
|
|

I'm trying to use HAProxy as a fully transparent proxy using TPROXY in Ubuntu 14.04. HAProxy will be setup on the first server with eth1 111.111.250.250 and eth0 10.111.128.134. The single balanced server has eth1 and eth0 as well. eth1 is the public facing network interface while eth0 is for the private network which both servers are in.

Problem: I'm able to connect to the balanced server's port 1234 directly (via eth1) but am not able to reach the balanced server via Haproxy port 1234 (which redirects to 1234 via eth0). Am I missing out something in this configuration?

On the HAProxy server

The current kernel is: 

Linux extremehash-lb2 3.13.0-24-generic #46-Ubuntu SMP Thu Apr 10 19:11:08 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux

The kernel appears to have TPROXY support:

# grep TPROXY /boot/config-3.13.0-24-generic 
CONFIG_NETFILTER_XT_TARGET_TPROXY=m

HAProxy was compiled with TPROXY support:

haproxy -vv
HA-Proxy version 1.5.3 2014/07/25
Copyright 2000-2014 Willy Tarreau <[email protected]>

Build options :
  TARGET  = linux26
  CPU     = x86_64
  CC      = gcc
  CFLAGS  = -g -fno-strict-aliasing
  OPTIONS = USE_LINUX_TPROXY=1 USE_LIBCRYPT=1 USE_STATIC_PCRE=1

Default settings :
  maxconn = 2000, bufsize = 16384, maxrewrite = 8192, maxpollevents = 200

Encrypted password support via crypt(3): yes
Built without zlib support (USE_ZLIB not set)
Compression algorithms supported : identity
Built without OpenSSL support (USE_OPENSSL not set)
Built with PCRE version : 8.31 2012-07-06
PCRE library supports JIT : no (USE_PCRE_JIT not set)
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND

Available polling systems :
      epoll : pref=300,  test result OK
       poll : pref=200,  test result OK
     select : pref=150,  test result OK
Total: 3 (3 usable), will use epoll.

In /etc/haproxy/haproxy.cfg, I've configured a port to have the following options:

listen test1235 :1234
    mode tcp
    option tcplog
    balance leastconn
    source 0.0.0.0 usesrc clientip

    server balanced1 10.111.163.76:1234 check inter 5s rise 2 fall 4 weight 4

On the balanced server

In /etc/networking/interfaces I've set the gateway for eth0 to be the HAProxy box 10.111.128.134 and restarted networking.

auto eth0 eth1
iface eth0 inet static
        address 111.111.250.250
        netmask 255.255.224.0
        gateway 111.131.224.1
        dns-nameservers 8.8.4.4 8.8.8.8 209.244.0.3
iface eth1 inet static
        address 10.111.163.76
        netmask 255.255.0.0
        gateway 10.111.128.134

ip route gives:

default via 111.111.224.1 dev eth0 
10.111.0.0/16 dev eth1  proto kernel  scope link  src 10.111.163.76 
111.111.224.0/19 dev eth0  proto kernel  scope link  src 111.111.250.250

© Server Fault or respective owner

facebook twitter digg google delicious technorati stumbleupon myspace wordpress linkedin gmail igoogle windows live tumblr viadeo yahoo buzz yahoo mail yahoo bookmarks favorites email print

Related posts about ubuntu

Related posts about networking

Categories cloud

.NET ASP.NET iphone linux python Windows mysql android sql windows-7 html c ruby-on-rails css objective-c ubuntu networking sql-server wpf asp.net-mvc ruby database Xml apache AJAX osx security regex django Performance 12.04 windows-xp mac web-development iphone-sdk vb.net Silverlight apache2 flash server perl best-practices email installation eclipse visual-studio algorithm windows-server-2008 winforms wcf firefox bash dns /Oracle