Hi, Ming-Ching Tiew wrote:
> tproxy 4.1.0 on kernel 2.6.24 is not working and I haven't tested any other kernel version :-
>
> Issues
> ======
>
> 1. Failed to compile.
>
> I fixed the compilation problem by taking two of the patches from 2.6.25 and applying them onto 2.6.24, namely the netfilter_ip_route_me_harder patch and inet_sock_and_route_dependency.patch.
AFAIK the older version is for 2.6.23 (from October), the newer one for net-2.6 (originally net-2.6.25); 2.6.24 is not explicitly supported.
> 2. A socket in IP_TRANSPARENT mode failed to receive return packets, both in bridge mode and in nat mode.
>
> According to the docs, I have executed this script :-
>
> iptables -t mangle -F
> iptables -t mangle -N DIVERT
> iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
> iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY \
>     --tproxy-mark 0x1/0x1 --on-port 3128
> iptables -t mangle -A DIVERT -j MARK --set-mark 1
> iptables -t mangle -A DIVERT -j ACCEPT
>
> They were executed without any error.
You may have missed setting up the routing:

ip rule add fwmark 1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100

It is required for tproxy.
> 3. In the bridge mode case, when I execute a simple 'ip spoofing' program (which I posted here previously, but I changed IP_FREEBIND to IP_TRANSPARENT), the packets appear in the DIVERT target and the TPROXY target, but they are delivered to the machine whose IP has been spoofed (by right they are supposed to be delivered locally to the spoofing program).
Does this occur when you use advanced routing?
> 4. In the nat mode, packets leaving the interface are SNAT-ed and so there are reply packets; however the local socket program is not receiving them either. Packets do not hit the DIVERT and TPROXY targets at all, i.e. the iptables counters return 0 bytes.
We know this issue, we are going to fix this as soon as we find a good solution.
> 5. When I execute ebtables commands on the br0 interface, there will be a kernel panic.
I'm afraid I'm not familiar with ebtables.

--
Panther
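For reference, here is the full setup the thread converges on (the mangle rules from the original script plus the policy-routing entries Panther says are missing) together with a minimal IP_TRANSPARENT listener, as an added example written for this thread, not code from either poster or from the tproxy project. The port, mark and routing-table numbers are the ones used above; the command list and listener helper are my own and assume Linux (IP_TRANSPARENT is option 19 there).

```python
import os
import socket
import subprocess

# Linux socket option number for IP_TRANSPARENT; older Pythons lack the constant.
IP_TRANSPARENT = getattr(socket, "IP_TRANSPARENT", 19)

def tproxy_setup_commands(proxy_port=3128, mark=1, table=100):
    """Ordered commands for a tproxy 4.1 setup: the mangle rules from the
    original post plus the policy-routing entries Panther points out are
    required. Returns argv lists so nothing is passed through a shell."""
    m = str(mark)
    return [
        ["iptables", "-t", "mangle", "-F"],
        ["iptables", "-t", "mangle", "-N", "DIVERT"],
        # Packets already belonging to a local (transparent) socket, e.g. the
        # replies on an established connection, are marked and accepted.
        ["iptables", "-t", "mangle", "-A", "PREROUTING", "-p", "tcp",
         "-m", "socket", "-j", "DIVERT"],
        # New connections to port 80 are marked and steered to the proxy port.
        ["iptables", "-t", "mangle", "-A", "PREROUTING", "-p", "tcp", "--dport", "80",
         "-j", "TPROXY", "--tproxy-mark", f"0x{mark:x}/0x{mark:x}",
         "--on-port", str(proxy_port)],
        ["iptables", "-t", "mangle", "-A", "DIVERT", "-j", "MARK", "--set-mark", m],
        ["iptables", "-t", "mangle", "-A", "DIVERT", "-j", "ACCEPT"],
        # Without these, marked packets addressed to a foreign IP are forwarded
        # (issue 3 above) instead of delivered locally: route them to lo.
        ["ip", "rule", "add", "fwmark", m, "lookup", str(table)],
        ["ip", "route", "add", "local", "0.0.0.0/0", "dev", "lo", "table", str(table)],
    ]

def open_transparent_listener(port=3128, backlog=64):
    """Listening socket that TPROXY can hand foreign-destination connections to."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.setsockopt(socket.IPPROTO_IP, IP_TRANSPARENT, 1)  # needs CAP_NET_ADMIN
    s.bind(("0.0.0.0", port))
    s.listen(backlog)
    return s

if __name__ == "__main__":
    if os.geteuid() != 0:
        raise SystemExit("run as root: iptables/ip and IP_TRANSPARENT need it")
    for argv in tproxy_setup_commands():
        subprocess.run(argv, check=True)
    listener = open_transparent_listener()
    while True:
        conn, peer = listener.accept()
        # getsockname() on the accepted socket gives the ORIGINAL destination
        # (the foreign address), not an address of a local interface.
        print("intercepted", peer, "->", conn.getsockname())
        conn.close()
```

The `-m socket` rule must stay before the TPROXY rule, otherwise packets of established connections are re-evaluated against the TPROXY target instead of being handed straight to the existing socket.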