I've figured out my problem: I need to load the iptable_nat module. Thanks for your help.<br>
<br>
Jan, regarding the tcp_outgoing_address in Squid:<br>
I'm guessing you need it because Squid, by default, binds sockets to
<a href="http://0.0.0.0">0.0.0.0</a>. This means that when you try to do a TPROXY_ASSIGN, it
will fail (specifically, setsockopt() will with errno = EINVAL).
Maybe you're referring to something else entirely, in which case you
should just disregard my comment.<br>
<br>
N<br>
<br><div><span class="gmail_quote">On 4/7/06, <b class="gmail_sendername">KOVACS Krisztian</b> <<a href="mailto:hidden@balabit.hu">hidden@balabit.hu</a>> wrote:</span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<br> Hi,<br><br>On Friday 07 April 2006 10.40, Jan Engelhardt wrote:<br>> >It turns out that the port isn't being faked either.<br>> ><br>> >I'm only able to connect if I set the foreign IP address equal to the
<br>> > local IP address and the foreign port equal to the local port.<br>> ><br>> >A tcpdump at the client shows that the IP headers aren't being modified.<br>> >It's as if tproxy is creating entries in the hash table (TPROXY_ASSIGN
<br>> > and the subsequent call to setsockopt() is successful), but isn't<br>> > overwriting the approriate fields in the IP headers.<br>> ><br>> >Any thoughts?<br>><br>> Nguyen, If you bind() explicitly to
<a href="http://1.2.3.4">1.2.3.4</a>, does it work then? Just a<br>> guess...<br>><br>> Krisztian, any thoughts? Seems to be the reason why I need<br>> 'tcp_outgoing_address' in Squid...<br><br> Take a look at your kernel log, maybe you can find some tproxy-related
<br>messages there (lines containing IP_TPROXY).<br><br> In case you can't find anything in the logs I'd suggest enabling debug<br>output. (Replace '#if 0' with '#if 1' before the '#define DEBUGP printk'<br>line in net/ipv4/netfilter/iptable_tproxy.c) This will spit out a lot of
<br>debug messages which may be helpful in diagnosing the problem.<br><br>--<br> Regards,<br> Krisztian Kovacs<br></blockquote></div><br>