From: "Daniel" <tooldcas@163.com>
I'm kinda confused...
Which version exactly are you discussing?
In balabit site[1], tproxy needs iptable_tproxy and hacks route code, but
in KOVACS Krisztian's webpage[2],
the tproxy patch use policy route to make non-local sockets work without both NAT and iptable_tproxy.
It's not that confusing if you have attempted to use them. In all my posts IP_FREEBIND is mentioned, and that means this patch :-
The other ones on here :-
I could not find a suitable matching iptables counterpart and the kernel versions are too new for me to use.
PS: I hope to see a tproxy-4.0.4 patchset before tproxy is merged into kernel 2.6.25. ;) Regards
But before that perhaps you could at least try to use version 4.0.3 and see if you could repeat my problem? I don't want the case where I am giving the wrong feedback. Strangely enough, nobody is noticing this. And I think the developers are skeptical about my feedback too! :-) And I don't want it to be the case that I am making a systematic error in my testing and therefore drawing the wrong conclusion!

To repeat this is what I suggest :-

1. Compile a kernel 2.6.22 with the patch on the balabit website.
2. Compile iptables 1.3.8 using the iptables patch on the balabit website.
3. Configure the system with a default route without SNAT so that it can access the internet. No policy routing needed.
4. Download this small program which I posted earlier :- https://lists.balabit.hu/pipermail/tproxy/2007-December/000618.html and compile it as 'spoof'.
5. No need to set up bridge, ebtables or even tproxy targets (but you could set it up too, it does not matter). The objective of the test is to check if packets could get out of the box, so we are not worried about the return path. Use 'tcpdump' to check the outgoing.
6. Invoke the program this way :-

   # ./spoof 192.168.1.5 72.14.235.99

   Where 192.168.1.5 could be a local IP or a foreign IP and 72.14.235.99 is any website's IP address.

Without MARK in the mangle OUTPUT chain, whether it's a local IP or a foreign IP, packets could get out of the box (check it using tcpdump). With MARK, only a local IP could have packets going out of the box. To mark outgoing packets, do this :-

   iptables -t mangle -A OUTPUT -j MARK --set-mark 5

Looking forward to your testing results. Regards.
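The test procedure above hinges on the kernel letting a socket bind to an address that is not configured on any local interface, which is what IP_FREEBIND (and the tproxy patches built on it) provides. The following is an added example, not the 'spoof' program from the list archive and not part of the original message: it only attempts the bind, sends nothing, and reports the errno so the two cases can be compared. The address 192.0.2.10 is a constructed value from the RFC 5737 documentation range, chosen because it is guaranteed not to be configured locally; `try_nonlocal_bind` is a hypothetical helper name.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>

/* Attempt to bind a UDP socket to `ip` (any port).  With `freebind` set,
 * IP_FREEBIND is enabled first, which lets the kernel accept an address that
 * is not assigned to any local interface.  Returns 0 when the bind succeeds,
 * otherwise the errno from the failing call.  No packet is ever sent. */
int try_nonlocal_bind(const char *ip, int freebind)
{
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0)
        return errno;

    if (freebind) {
        int one = 1;
        if (setsockopt(fd, IPPROTO_IP, IP_FREEBIND, &one, sizeof one) < 0) {
            int e = errno;
            close(fd);
            return e;
        }
    }

    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = 0;                     /* let the kernel pick a port */
    if (inet_pton(AF_INET, ip, &sa.sin_addr) != 1) {
        close(fd);
        return EINVAL;
    }

    int e = 0;
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0)
        e = errno;                       /* EADDRNOTAVAIL without IP_FREEBIND */
    close(fd);
    return e;
}

int main(void)
{
    /* Constructed, non-local address (RFC 5737 TEST-NET-1). */
    const char *foreign = "192.0.2.10";
    int plain = try_nonlocal_bind(foreign, 0);
    int freeb = try_nonlocal_bind(foreign, 1);

    printf("bind %s without IP_FREEBIND: %s\n", foreign,
           plain ? strerror(plain) : "ok");
    printf("bind %s with    IP_FREEBIND: %s\n", foreign,
           freeb ? strerror(freeb) : "ok");
    return 0;
}
```

Because the socket is closed right after bind(), this only shows whether the kernel accepts the non-local address; whether a packet with that source actually leaves the box, and whether a MARK rule in the mangle OUTPUT chain changes that, still has to be observed with tcpdump as described in the steps above.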