Hi Attila,

I have a problem with tproxy4 that I downloaded from the given links.

Setup:

  LAN1:     eth0: 20.20.20.4/24
  TPROXYGw: eth1: 20.20.20.1/24, eth0: 30.0.1.1/24
  WWW:      eth0: 30.0.1.3/24

  LAN1 <-----------> TPROXYGw <--------------> WWW

TPROXYGw runs a sample proxy server (with the IP_TRANSPARENT socket option enabled) that listens on TCP port 8080.

Scenario 1: Testing normal TPROXY functionality

The following ip and iptables rules are added:

  ip rule add fwmark 1 lookup 100
  ip route add local 0.0.0.0/0 dev lo table 100
  iptables -t mangle -N DIVERT
  iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
  iptables -t mangle -A DIVERT -j MARK --set-mark 1
  iptables -t mangle -A DIVERT -j ACCEPT
  iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 8080

Output:

[root@Arun-FC6-SQUID ~]# ./listIpt.sh
MANGLE
Chain PREROUTING (policy ACCEPT 27615 packets, 2707393 bytes)
 pkts bytes target     prot opt in     out     source               destination
 1129 98288 DIVERT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           socket
    0     0 TPROXY     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80 TPROXY redirect 0.0.0.0:8080 mark 0x1/0x1

Chain DIVERT (1 references)
 pkts bytes target     prot opt in     out     source               destination
 1132 98460 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0           MARK set 0x1
 1132 98460 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

[root@Arun-FC6-SQUID ~]# ip rule show
0:      from all lookup local
32765:  from all fwmark 0x1 lookup 100
32766:  from all lookup main
32767:  from all lookup default

In this case, the TPROXY stuff is working properly.
PS: A route via 30.0.1.1 was added on WWW for network 20.20.20.0/24:

[root@Arun-FC6-WWW ~]# route -n
Kernel IP routing table
Destination     Gateway         Genmask          Flags Metric Ref    Use Iface
172.30.11.96    0.0.0.0         255.255.255.224  U     0      0        0 eth0
20.20.20.0      30.0.1.1        255.255.255.0    UG    0      0        0 eth0
30.0.1.0        0.0.0.0         255.255.255.0    U     0      0        0 eth0
169.254.0.0     0.0.0.0         255.255.0.0      U     0      0        0 eth0
0.0.0.0         172.30.11.97    0.0.0.0          UG    0      0        0 eth0

Scenario 2: Testing SNAT with TPROXY

The following ip and iptables rules are added:

  ip rule add fwmark 1 lookup 100
  ip route add local 0.0.0.0/0 dev lo table 100
  iptables -t mangle -N DIVERT
  iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
  iptables -t mangle -A DIVERT -j MARK --set-mark 1
  iptables -t mangle -A DIVERT -j ACCEPT
  iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 8080
  iptables -t nat -A POSTROUTING -o eth0 -s 20.20.20.4 -j SNAT --to 95.75.75.104

Output:

[root@Arun-FC6-SQUID ~]# ./listIpt.sh
POSTROUTING - NAT
Chain POSTROUTING (policy ACCEPT 1254 packets, 167219 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 SNAT       all  --  *      eth0    20.20.20.4           0.0.0.0/0           to:95.75.75.104

MANGLE
Chain PREROUTING (policy ACCEPT 27667 packets, 2716681 bytes)
 pkts bytes target     prot opt in     out     source               destination
  252 21872 DIVERT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           socket
    0     0 TPROXY     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80 TPROXY redirect 0.0.0.0:8080 mark 0x1/0x1

Chain DIVERT (1 references)
 pkts bytes target     prot opt in     out     source               destination
  254 21952 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0           MARK set 0x1
  254 21952 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

In this case, SNAT is happening properly, but the ACK is not happening as part of the three-way handshake, so the client hangs around till the timeout happens.

Please find attached the sample TPROXY server code.

Am I missing any commands or configuration?

TIA.

Regards,
Arun S.

On 26/10/2007, Laszlo Attila Toth <panther@balabit.hu> wrote:
Arun S wrote:
Oops!
Shall I go ahead with linux-2.6.23.tar.bz2 and tproxy4-2.6.23-200710090922.tar.bz2 ?
Yes... If you mean these two:
http://people.netfilter.org/hidden/tproxy/iptables-tproxy-200710091749.diff
http://people.netfilter.org/hidden/tproxy/tproxy4-2.6.23-200710090922.tar.bz...
-- Panther
--
Regards,
Arun S.
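The mail refers to an attached sample TPROXY server that is not reproduced here. What follows is an added example of such a server, written for this page; it is not Arun's attachment and not part of the tproxy4 patch. It is a minimal Python 3 transparent TCP proxy for the setup above: it listens behind the `--on-port 8080` TPROXY rule with IP_TRANSPARENT set, takes the original destination from getsockname() on the accepted socket, and (optionally) connects to WWW from a second IP_TRANSPARENT socket bound to the client's own address so WWW sees 20.20.20.4 rather than 30.0.1.1. Assumptions: Linux with Python 3.3+ (socket.IP_TRANSPARENT); transparent mode needs CAP_NET_ADMIN and the ip rule / iptables rules from the mail; loopback_selftest() exercises only the relay logic, unprivileged and offline. All function names are this example's own.

```python
import select
import socket
import threading

# Linux socket option; socket.IP_TRANSPARENT is exposed by Python 3.3+ (value 19).
IP_TRANSPARENT = getattr(socket, "IP_TRANSPARENT", 19)


def make_listener(host, port, transparent=True):
    """Listener behind TPROXY --on-port.  IP_TRANSPARENT lets the kernel hand
    this socket diverted packets whose destination is not a local address
    (setting it needs CAP_NET_ADMIN)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    if transparent:
        s.setsockopt(socket.IPPROTO_IP, IP_TRANSPARENT, 1)
    s.bind((host, port))
    s.listen(16)
    return s


def open_upstream(dst, spoof_src=None):
    """Connect to the real destination.  With spoof_src the outgoing socket is
    IP_TRANSPARENT and bound to the client's address (a non-local bind), so
    WWW sees the original client IP; WWW's replies then reach this socket
    via the '-m socket' DIVERT rule and routing table 100 on TPROXYGw."""
    u = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    if spoof_src is not None:
        u.setsockopt(socket.IPPROTO_IP, IP_TRANSPARENT, 1)
        u.bind(spoof_src)
    u.connect(dst)
    return u


def relay(a, b, bufsize=65536):
    """Shuttle bytes both ways until both sides reach EOF, half-closing the
    peer on each EOF.  Returns byte counts moved as (a_to_b, b_to_a)."""
    peer, moved, live = {a: b, b: a}, {a: 0, b: 0}, {a, b}
    while live:
        readable, _, _ = select.select(list(live), [], [])
        for s in readable:
            data = s.recv(bufsize)
            if not data:                       # EOF on s: half-close its peer
                live.discard(s)
                try:
                    peer[s].shutdown(socket.SHUT_WR)
                except OSError:
                    pass
                continue
            peer[s].sendall(data)
            moved[s] += len(data)
    return moved[a], moved[b]


def handle(conn, dst=None, spoof=True):
    """Serve one diverted connection.  On a TPROXY-accepted socket
    getsockname() is the ORIGINAL destination (e.g. 30.0.1.3:80), so no
    SO_ORIGINAL_DST lookup is needed, unlike with the REDIRECT target."""
    client = conn.getpeername()
    if dst is None:
        dst = conn.getsockname()
    up = open_upstream(dst, spoof_src=(client[0], 0) if spoof else None)
    try:
        return relay(conn, up)
    finally:
        up.close()
        conn.close()


def loopback_selftest(payload=b"GET / HTTP/1.0\r\n\r\n"):
    """Offline check of the relay path: an echo server stands in for WWW,
    everything is on loopback and nothing is IP_TRANSPARENT, so it runs
    unprivileged.  Returns (bytes the client read back, relay counters)."""
    echo = make_listener("127.0.0.1", 0, transparent=False)
    lst = make_listener("127.0.0.1", 0, transparent=False)
    result = {}

    def echo_server():
        c, _ = echo.accept()
        with c:
            for chunk in iter(lambda: c.recv(65536), b""):
                c.sendall(chunk)

    def proxy():
        c, _ = lst.accept()
        result["moved"] = handle(c, dst=echo.getsockname(), spoof=False)

    threads = [threading.Thread(target=f) for f in (echo_server, proxy)]
    for t in threads:
        t.start()
    with socket.create_connection(lst.getsockname()) as cl:
        cl.sendall(payload)
        cl.shutdown(socket.SHUT_WR)            # client is done sending
        got = b"".join(iter(lambda: cl.recv(65536), b""))
    for t in threads:
        t.join()
    echo.close()
    lst.close()
    return got, result["moved"]


if __name__ == "__main__":
    # On TPROXYGw as root, with the mail's rules loaded, this is the service
    # behind '--on-port 8080'; each diverted connection gets its own thread.
    listener = make_listener("0.0.0.0", 8080, transparent=True)
    while True:
        c, _ = listener.accept()
        threading.Thread(target=handle, args=(c,), daemon=True).start()
```

Run it as root on TPROXYGw once the rules from the mail are in place; `python3 -c 'import tproxy_example; print(tproxy_example.loopback_selftest())'` (hypothetical module name) checks the relay without any privileges. Note that with spoof=True the proxy's own packets towards WWW leave with source 20.20.20.4, which is exactly what the nat POSTROUTING rule `-o eth0 -s 20.20.20.4` in Scenario 2 matches; with spoof=False they leave as 30.0.1.1 and that rule never sees them.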