Hi,<br><br>Balazs comment 1:<br>"You cannot use DNAT and tproxy on the same connection. What do you want<br>
to achieve?"<br><br>This is a common scenario. Say you have an intermediate compression agent/tunneling agent between the tproxy server and the web server as shown below:<br><br>Client <--------> tproxy server <---------> compression/tunneling agent1 <=============> compression/tunneling agent2 <------------------> web server<br>
<br>In this case, the output from the tproxy server has to be DNATted or policy routed to the compression/tunneling agent. Policy routing is possible if the compression/tunneling agent lies outside the box. In case, if it runs as another process along with the tproxy server, DNAT is the only option, AFAIK.<br>
<br>Balazs comment 2:<br>"If you want to change the target address of the server side connection,<br>
why don't you DNAT the server connection? That should work."<br><br>Not able to understand what you exactly mean by "DNAT the server connection".<br><br>If my understanding is correct, Tproxy association is only for the socket created between client and the tproxy server. If that is the case, why does socket match failure happen for the socket created between tproxy server and DNAT server?<br>
<br>Regards,<br>Arun S.<br><br><br><div class="gmail_quote">2008/12/3 Balazs Scheidler <span dir="ltr"><<a href="mailto:bazsi@balabit.hu">bazsi@balabit.hu</a>></span><br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div><div></div><div class="Wj3C7c">On Wed, 2008-12-03 at 21:55 +0800, Dong Wei wrote:<br>
> Hi, all<br>
><br>
> I use the latest tproxy kernel.But I find that, tproxy can't work<br>
> with DNAT mode.<br>
><br>
> network topology:<br>
><br>
> Web Server(192.168.1.10)----(192.168.1.1)TPROXY<br>
> Server(202.0.0.1)---(202.0.0.10)Client<br>
><br>
> For TPROXY Server<br>
> eth0 192.168.1.1<br>
> eth1 202.0.0.1<br>
> When Client visit TPROXY Server(202.0.0.1) 80 port, we will redirect<br>
> it to Web Server.<br>
> There is a DNAT rule for it.<br>
><br>
> iptables -t nat -i eth1 -d 202.0.0.1 -p tcp --dport 80 -j DNAT<br>
> --to-destination 192.168.1.10<br>
><br>
> tproxy APP listen on port 50080, and the TPROXY target also set<br>
> --on-port 50080 for HTTP.<br>
> Here is the problem:<br>
> 1. Client send SYN to <a href="http://202.0.0.1:80" target="_blank">202.0.0.1:80</a><br>
> 2. TPROXY Server receive it, and TPROXY target will redirect this packet<br>
> to the socket which is listening on port 50080<br>
> 3. TPROXY Server send SYN,ACK to the Client<br>
> 4. Client receive SYN,ACK and send ACK<br>
> 5. TPROXY Server receive ACK, TPROXY target will redirect this packet to the<br>
> socket listening on port 50080<br>
> 6. With DNAT rule, the established socket is 202.0.0.10:port -> <a href="http://192.168.1.10:80" target="_blank">192.168.1.10:80</a><br>
> 7. Client send "GET " request to TPROXY Server<br>
> 8. socket match find this packet doesn't match any socket. For its<br>
> sip, sport, dip,dport<br>
> is 202.0.0.10:port -> <a href="http://202.0.0.1:80" target="_blank">202.0.0.1:80</a>, while the established socket is<br>
> 202.0.0.10:port -> <a href="http://192.168.1.10:80" target="_blank">192.168.1.10:80</a><br>
><br>
> So in this case, match can't work correctly for DNAT rules. Anyone has<br>
> good ideas?<br>
<br>
</div></div>You cannot use DNAT and tproxy on the same connection. What do you want<br>
to achieve?<br>
<br>
If you want to change the target address of the server side connection,<br>
why don't you DNAT the server connection? That should work.<br>
<font color="#888888"><br>
--<br>
Bazsi<br>
</font><div><div></div><div class="Wj3C7c"><br>
<br>
_______________________________________________<br>
tproxy mailing list<br>
<a href="mailto:tproxy@lists.balabit.hu">tproxy@lists.balabit.hu</a><br>
<a href="https://lists.balabit.hu/mailman/listinfo/tproxy" target="_blank">https://lists.balabit.hu/mailman/listinfo/tproxy</a><br>
</div></div></blockquote></div><br><br clear="all"><br>-- <br>Regards,<br>Arun S.<br>