<div dir="ltr"><span class="Apple-style-span" style="border-collapse: collapse; ">I have a problem with tproxy4 on Linux kernel 2.6.24.7<div><br>
</div><div>The connection to a server (172.16.100.232) with foreign address (10.0.3.232) takes a long time (3 seconds)</div>
<div>because a SYN packet is re-sent by the tproxy server.<br></div><div>(The SYN retry time may be 3 seconds.)</div><div>(The first web server SYN-ACK packet may be ignored by tproxy.)<br></div><div><br></div><div><span style="font-weight: bold; ">What should I do about this problem?</span></div>
<div><br></div><div><br></div><div><span style="text-decoration: underline; ">Below is the result of a server-side tcpdump.</span></div><div>tcpdump: verbose output suppressed, use -v or -vv for full protocol decode<br></div>
<div><div><div>listening on eth3, link-type EN10MB (Ethernet), capture size 96 bytes</div><div>22:23:45.739972 IP 10.0.3.232.3845 > 172.16.100.142.http: S 3133342350:3133342350(0) win 5840 <mss 1460,sackOK,timestamp 4475642 0,nop,wscale 9></div>
<div>22:23:45.744947 IP 172.16.100.142.http > 10.0.3.232.3845: S 1184231461:1184231461(0) ack 3133342351 win 5792 <mss 1460,sackOK,timestamp 184168973 4475642,nop,wscale 7></div><div>22:23:48.740436 IP 10.0.3.232.3845 > 172.16.100.142.http: S 3133342350:3133342350(0) win 5840 <mss 1460,sackOK,timestamp 4476392 0,nop,wscale 9></div>
<div>22:23:48.740453 IP 172.16.100.142.http > 10.0.3.232.3845: S 1184231461:1184231461(0) ack 3133342351 win 5792 <mss 1460,sackOK,timestamp 184169723 4475642,nop,wscale 7></div><div>22:23:49.537982 IP 172.16.100.142.http > 10.0.3.232.3845: S 1184231461:1184231461(0) ack 3133342351 win 5792 <mss 1460,sackOK,timestamp 184169923 4475642,nop,wscale 7></div>
<div>22:23:49.538478 IP 10.0.3.232.3845 > 172.16.100.142.http: . ack 1 win 12 <nop,nop,timestamp 4476591 184169923></div><div>22:23:49.538716 IP 10.0.3.232.3845 > 172.16.100.142.http: P 1:6(5) ack 1 win 12 <nop,nop,timestamp 4476591 184169923></div>
<div>22:23:49.538730 IP 172.16.100.142.http > 10.0.3.232.3845: . ack 6 win 46 <nop,nop,timestamp 184169923 4476591></div><div>22:23:49.539463 IP 172.16.100.142.http > 10.0.3.232.3845: P 1:98(97) ack 6 win 46 <nop,nop,timestamp 184169923 4476591></div>
<div>22:23:49.539509 IP 172.16.100.142.http > 10.0.3.232.3845: F 98:98(0) ack 6 win 46 <nop,nop,timestamp 184169923 4476591></div><div>22:23:49.539793 IP 10.0.3.232.3845 > 172.16.100.142.http: . ack 98 win 12 <nop,nop,timestamp 4476591 184169923></div>
<div>22:23:49.540470 IP 10.0.3.232.3845 > 172.16.100.142.http: F 6:6(0) ack 99 win 12 <nop,nop,timestamp 4476591 184169923></div><div>22:23:49.540483 IP 172.16.100.142.http > 10.0.3.232.3845: . ack 7 win 46 <nop,nop,timestamp 184169923 4476591></div>
<div><br></div><div><br></div><div><span style="text-decoration: underline; ">Here is the result of lsmod.</span></div><div><div>bash-3.1# lsmod</div><div>Module Size Used by Not tainted</div><div>iptable_nat 5764 1</div>
<div>nf_nat_sip 4352 0</div><div>nf_nat_h323 6400 0</div><div>nf_nat_pptp 3200 0</div><div>nf_nat_proto_gre 2436 1 nf_nat_pptp</div><div>nf_nat_ftp 2944 0</div>
<div>nf_nat 15020 6 iptable_nat,nf_nat_sip,nf_nat_h323,nf_nat_pptp,nf_nat_proto_gre,nf_nat_ftp</div><div>xt_TPROXY 2688 1</div><div>xt_socket 2944 1</div><div>xt_MARK 2304 1</div>
<div>nf_tproxy_core 3712 2 xt_TPROXY,xt_socket,[permanent]</div><div>iptable_mangle 2560 1</div><div>xt_CONNMARK 2560 0</div><div>iptable_filter 2432 1</div><div>ip_tables 10452 3 iptable_nat,iptable_mangle,iptable_filter</div>
<div>nf_hipac 156168 0</div><div>noarp 20780 0</div><div>e100 29964 0</div><div>e1000 170688 0</div><div><br></div><div><br></div><div><div><span style="text-decoration: underline; ">iptables -t mangle -L</span></div>
<div>Chain PREROUTING (policy ACCEPT)</div><div>target prot opt source destination</div><div>DIVERT tcp -- anywhere anywhere socket</div><div>TPROXY tcp -- anywhere anywhere tcp dpt:http TPROXY redirect 0.0.0.0:80 mark 0x1/0x1</div>
<div><br></div><div>Chain INPUT (policy ACCEPT)</div><div>target prot opt source destination</div><div><br></div><div>Chain FORWARD (policy ACCEPT)</div><div>target prot opt source destination</div>
<div><br></div><div>Chain OUTPUT (policy ACCEPT)</div><div>target prot opt source destination</div><div><br></div><div>Chain POSTROUTING (policy ACCEPT)</div><div>target prot opt source destination</div>
<div><br></div><div>Chain DIVERT (1 references)</div><div>target prot opt source destination</div><div>MARK all -- anywhere anywhere MARK set 0x1</div><div>ACCEPT all -- anywhere anywhere</div>
<div><br></div></div></div></div></div></span></div>
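<div>The post attributes the 3-second stall to a retransmitted SYN. The script below is an added example, not part of the original post or of the tproxy project: it parses the legacy tcpdump TCP line format shown above and, per handshake, counts retransmitted SYNs and SYN-ACKs and measures the gap between the first SYN and the client's third-step ACK. The embedded sample is the server-side capture from the post (trimmed to the handshake and first data segment); the function and field names are this example's own.</div>

```python
import re

# Server-side capture quoted in the post above (handshake portion only).
# tcpdump 3.x/4.0-era format: "HH:MM:SS.ffffff IP src.port > dst.port: FLAGS ..."
SAMPLE_CAPTURE = """\
22:23:45.739972 IP 10.0.3.232.3845 > 172.16.100.142.http: S 3133342350:3133342350(0) win 5840 <mss 1460,sackOK,timestamp 4475642 0,nop,wscale 9>
22:23:45.744947 IP 172.16.100.142.http > 10.0.3.232.3845: S 1184231461:1184231461(0) ack 3133342351 win 5792 <mss 1460,sackOK,timestamp 184168973 4475642,nop,wscale 7>
22:23:48.740436 IP 10.0.3.232.3845 > 172.16.100.142.http: S 3133342350:3133342350(0) win 5840 <mss 1460,sackOK,timestamp 4476392 0,nop,wscale 9>
22:23:48.740453 IP 172.16.100.142.http > 10.0.3.232.3845: S 1184231461:1184231461(0) ack 3133342351 win 5792 <mss 1460,sackOK,timestamp 184169723 4475642,nop,wscale 7>
22:23:49.537982 IP 172.16.100.142.http > 10.0.3.232.3845: S 1184231461:1184231461(0) ack 3133342351 win 5792 <mss 1460,sackOK,timestamp 184169923 4475642,nop,wscale 7>
22:23:49.538478 IP 10.0.3.232.3845 > 172.16.100.142.http: . ack 1 win 12 <nop,nop,timestamp 4476591 184169923>
22:23:49.538716 IP 10.0.3.232.3845 > 172.16.100.142.http: P 1:6(5) ack 1 win 12 <nop,nop,timestamp 4476591 184169923>
"""

# Flags are printed as a run of S/F/R/P/. ; the seq range and "ack N" are optional
# (a bare ACK has no seq range, a pure SYN has no ack field).
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP "
    r"(?P<src>\S+) > (?P<dst>[^:]+): "
    r"(?P<flags>[SFRP.]+)"
    r"(?: (?P<seq>\d+):\d+\(\d+\))?"
    r"(?: ack (?P<ack>\d+))?"
)


def parse_ts(ts):
    """HH:MM:SS.ffffff -> seconds since midnight as a float."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse_line(line):
    """Return a dict for one tcpdump TCP line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    return {
        "t": parse_ts(d["ts"]),
        "src": d["src"],
        "dst": d["dst"],
        "flags": d["flags"],
        "ack": int(d["ack"]) if d["ack"] is not None else None,
    }


def analyze_handshakes(capture):
    """Map (client, server) -> handshake statistics for every flow in the capture."""
    flows = {}
    for line in capture.splitlines():
        p = parse_line(line)
        if p is None:
            continue
        is_syn = "S" in p["flags"]
        if is_syn and p["ack"] is None:
            # Pure SYN: the sender is the client and this pair identifies the flow.
            key = (p["src"], p["dst"])
            st = flows.setdefault(key, {"syn": [], "synack": [], "done": None})
            st["syn"].append(p["t"])
        elif is_syn:
            # SYN-ACK travels server -> client; reverse the pair to find the flow.
            st = flows.get((p["dst"], p["src"]))
            if st is not None:
                st["synack"].append(p["t"])
        else:
            # After the handshake tcpdump switches to relative numbers, so the
            # client's third-step ACK is the first client packet with "ack 1".
            st = flows.get((p["src"], p["dst"]))
            if st is not None and st["done"] is None and p["ack"] == 1:
                st["done"] = p["t"]

    report = {}
    for key, st in flows.items():
        syn = st["syn"]
        report[key] = {
            "syn_retransmits": len(syn) - 1,
            # Gaps between successive SYNs: ~3 s for the initial Linux SYN RTO.
            "syn_gaps": [round(b - a, 6) for a, b in zip(syn, syn[1:])],
            "synack_retransmits": max(len(st["synack"]) - 1, 0),
            "handshake_delay": (
                round(st["done"] - syn[0], 6) if st["done"] is not None else None
            ),
        }
    return report


if __name__ == "__main__":
    for (client, server), stats in analyze_handshakes(SAMPLE_CAPTURE).items():
        print(f"{client} -> {server}: {stats}")
```

<div>For the capture in the post the report shows one SYN retransmit after a 3.000464 s gap, two retransmitted SYN-ACKs, and a handshake that completes 3.798506 s after the first SYN, which is the delay the post describes. One caveat a practitioner would check: the mangle rules shown only mark and redirect; TPROXY also needs a policy-routing rule that delivers fwmark 0x1 packets locally (ip rule add fwmark 1 lookup 100; ip route add local 0.0.0.0/0 dev lo table 100). The post does not show whether that rule is present.</div>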