Hello, Ritter, Nicholas wrote:
I have a CentOS 5.1 box on which I have custom compiled iptables and a kernel. The versions I am using are iptables 1.4.0, kernel 2.6.25.4, and tproxy
(specifically: tproxy-iptables-1.4.0-20080521-113954-1211362794.patch, and tproxy-kernel-2.6.25-20080519-165031-1211208631.tar.bz2 )
The problem I am having is that when I issue an iptables command to create a TPROXY rule, iptables errors saying that it can't initialize the TPROXY table. Normally I would assume that I had problems with the
There is no tproxy table; the older versions of TProxy used this table, but the latest doesn't. TProxy-related rules are in the mangle table. From the README.txt:

The following use-case assumes a transparent proxy listening on port 50080 and any ip address (0.0.0.0). First, set up the routing rules with iproute2:

    ip rule add fwmark 1 lookup 100
    ip route add local 0.0.0.0/0 dev lo table 100

Or, if you want to use packet marking for anything else, the least significant bit is enough for transparent proxying:

    ip rule add fwmark 0x1/0x1 lookup 100
    ip route add local 0.0.0.0/0 dev lo table 100

Note that this latter example only works with newer versions of iproute2. For supporting foreign address bind, the socket match is required with packet marking:

    iptables -t mangle -N DIVERT
    iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
    # DIVERT chain: mark packets and accept
    iptables -t mangle -A DIVERT -j MARK --set-mark 1
    iptables -t mangle -A DIVERT -j ACCEPT

The last rule is for diverting traffic to the proxy:

    iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY \
        --tproxy-mark 0x1/0x1 --on-port 50080

If it is a Squid-3 proxy, in /etc/squid/squid.conf the following rule is necessary for transparent proxying:

    http_port 50080 tproxy transparent

Then set up the ACL rules according to your local policy.

Note that I forgot to append the "transparent" option in the http_port directive in the README.txt, but without it, not all transparent connections work, only those where the HTTP request is something like:

    GET http://example.com/ HTTP/1.0

Laszlo
patches, compiling, etc. Everything patched cleanly, compiled fine, and installed fine. When I searched, I saw the compiled libxt_TPROXY and xt_TPROXY.ko files in the iptables build directory and the kernel modules directory. insmod xt_TPROXY does not work.
I must have done something wrong somewhere; can someone offer some suggestions?
Nick

_______________________________________________
tproxy mailing list
tproxy@lists.balabit.hu
https://lists.balabit.hu/mailman/listinfo/tproxy
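The three pieces Laszlo lists (mangle rules, fwmark rule, routing table with a local route) only work when their mark values and table numbers agree with each other. The following is an added audit, not code from the thread or from the tproxy project: it parses constructed samples of `iptables-save -t mangle`, `ip rule show` and `ip route show table 100` output (the exact print format of `--set-xmark`/`--set-mark` and of the `local default dev lo` route is assumed from common iptables/iproute2 versions) and reports where the pieces disagree.

```python
import re

# Constructed sample outputs mirroring the README setup (mark 0x1/0x1, table 100).
SAMPLE_MANGLE = """\
*mangle
:PREROUTING ACCEPT [0:0]
:DIVERT - [0:0]
-A PREROUTING -p tcp -m socket -j DIVERT
-A PREROUTING -p tcp -m tcp --dport 80 -j TPROXY --on-port 50080 --on-ip 0.0.0.0 --tproxy-mark 0x1/0x1
-A DIVERT -j MARK --set-xmark 0x1/0xffffffff
-A DIVERT -j ACCEPT
COMMIT
"""
SAMPLE_RULES = "0:\tfrom all lookup local\n32765:\tfrom all fwmark 0x1/0x1 lookup 100\n32766:\tfrom all lookup main\n"
SAMPLE_TABLE_100 = "local default dev lo  scope host\n"


def _mark(spec, default_mask=0xffffffff):
    """Parse 'VALUE[/MASK]' as iptables/iproute2 print it (hex or decimal)."""
    value, _, mask = spec.partition("/")
    return int(value, 0), (int(mask, 0) if mask else default_mask)


def audit_tproxy(mangle, ip_rules, table_routes):
    """Return a list of findings; an empty list means the three pieces agree."""
    findings = []
    tp = re.search(r"^-A PREROUTING .*-j TPROXY .*--tproxy-mark (\S+)", mangle, re.M)
    if not tp:
        return ["no TPROXY rule in mangle PREROUTING (rules belong in -t mangle; there is no tproxy table)"]
    mark, mask = _mark(tp.group(1))
    # The socket match must hand packets for existing sockets to a chain that sets the same mark bits.
    div = re.search(r"^-A PREROUTING .*-m socket -j (\S+)", mangle, re.M)
    setm = div and re.search(r"^-A %s -j MARK --set-x?mark (\S+)" % re.escape(div.group(1)), mangle, re.M)
    if not setm:
        findings.append("no '-m socket' DIVERT chain that marks packets")
    else:
        dmark, dmask = _mark(setm.group(1))
        if (dmark & dmask & mask) != (mark & mask):
            findings.append("DIVERT chain sets mark %#x, TPROXY uses %#x/%#x" % (dmark, mark, mask))
    rule = re.search(r"fwmark (\S+) lookup (\d+)", ip_rules)
    if not rule:
        findings.append("no 'ip rule ... fwmark ... lookup <table>'")
        return findings
    rmark, rmask = _mark(rule.group(1))
    # Kernel rule match is (skb->mark & rmask) == rmark; TPROXY only guarantees the bits inside its mask.
    if (rmask & ~mask) or (mark & rmask) != rmark:
        findings.append("ip rule matches fwmark %#x/%#x, which TPROXY mark %#x/%#x never satisfies" % (rmark, rmask, mark, mask))
    if not re.search(r"^local (default|0\.0\.0\.0/0) dev lo", table_routes, re.M):
        findings.append("table %s has no 'local default dev lo' route" % rule.group(2))
    return findings
```

Feed it the live output of the three commands to spot a DIVERT chain, fwmark rule or routing table that was set up for a different mark or table number than the TPROXY rule uses.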