Hello, AFAIK it is possible. 1. You have to bind new (spoofed) connection's port in certain range (e.g. 5000 - 10000, not ephemeral port range). 2. Setup rule to forward all outgoing TCP packets to ports in that range to localhost 3. Make connections to physical, not loopback address. I have it running on production for about 2 months now. Iptables rules and routes: ip rule add fwmark 1 lookup 100 ip route add local 0.0.0.0/0 dev lo table 100 iptables -t mangle -N DIVERT iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT iptables -t mangle -A DIVERT -j MARK --set-mark 1 iptables -t mangle -A DIVERT -j ACCEPT iptables -t mangle -A OUTPUT -p tcp --dport 5000:9999 -j MARK --set-mark 1 Example python code to create spoofed connection: s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.setsockopt(socket.SOL_IP, 19, 1) # IP_TRANSPARENT, not available in python's stdlib s.bind(('1.2.3.4', 5001)) s.connect(('192.168.1.9', 1234)) # connection always to physical interface address! I do free port management by myself, but you can do bind() in a loop. Best Regards, Karol Pilat W dniu 18.09.2012 10:04, Balazs Scheidler pisze:
Hi,
IIRC it doesn't work for local connections/sockets, as it can't reroute outgoing packets to the local interface.
On Sun, 2012-07-29 at 06:30 -0700, Ming-Ching Tiew wrote:
tproxy has problem working within 2 processes on the same machine, ie a client process using tproxy to spoof an IP, has problem communicating with the server process within the same machine.
It seems tproxy attaches itself to mangle table PREROUTING chain, that is unable to hook to the in-machine process. I figured that for it to work, in this case, it needs to be able to attach itself to the INPUT chain. However that hook is not supported.
Is there a way to get around this problem ?