[zorp] TPROXY with iptables nat??

Jakub Bednář bednar.jakub at centrum.cz
Fri Aug 4 12:03:12 CEST 2006 

Hi,
     I'd like to describe my problem little bit closer.

We are runing a low bandwidth wireless net.
We have a central station which is communicating 
via this morse net with a lots of  devices(later as DEV1). 
Every DEV1 has a unique  address, such us 10.4.0.48.
But to every DEV1 is  connected one other device 
(later DEV2). All DEV2 has the same IP 192.168.1.2. 
On DEV1 we are doing SNAT to 10.4.0.48, this is then 
translated to morse address and send to central station. 
The central station is then communicationg back using the 
received src morse address (star configuration of the net).

I need my TPROXY to catch the traffic going from DEV2 through DEV1, 
but not when the src address is 192.168.1.2 but after the SNAT to 10.4.0.48. 
This address is then added to data and send to central station. There is 
then initiated the client-part of TPROXY using this address. I've written 
a simple support for SNAT to my tproxy and it works fine, but we would 
rather do the SNAT in iptables than in the TPROXY because we are already
running the SNAT in iptables and the rules are well tested.

Is there any possibility how to do this? And if not, do You think it will be
too complicated for me to write tproxy-kernel-patch which will allow me 
to do this?

Thanks a lot,

Jakub Bednar

______________________________________________________________
> Od: bazsi at balabit.hu
> Komu: Zorp users mailing list <zorp at lists.balabit.hu>
> Datum: 04.08.2006 10:48
> Předmět: Re: [zorp] TPROXY with iptables nat??
>
>On Thu, 2006-08-03 at 12:20 +0200, Jakub Bednář wrote:
>> Hi,
>> I'd like to ask You a question.
>> 
>> I'm now using tproxy aplication with my own nat inside, 
>> but I'd like to know, If I can add tproxy after normal nat 
>> from iptables? If so, can You please give me any example 
>> how to set the iptables?
>> 
>> -A POSTROUTING with -j TPROXY is not accepted by iptables.
>
>The TPROXY target is only useful to redirect crossing traffic to local
>proxies, in essence it is quite similar to the REDIRECT target of the
>NAT table.
>
>The source address of outgoing connections can be modified either by
>using the tproxy module services directly, or using the nat table as you
>would with forwarded connections.
>
>Please note however that changing the addresses twice is not currently
>possible, as tproxy itself implements its features by using NAT
>functionality.
>
>-- 
>Bazsi
>
>_______________________________________________
>zorp mailing list
>zorp at lists.balabit.hu
>https://lists.balabit.hu/mailman/listinfo/zorp
>

More information about the zorp mailing list