Hello KOVACS Krisztian-san,

Thank you for your kind help! Adding an iptables rule seems to solve this issue.

And, while thinking about this issue, I have a question about the difference between an "iptables rule" and tproxy. To keep the src/dst address on the proxy, do both of the following methods produce the same result?

1. Adding an iptables DNAT/SNAT rule for the session used on the socket (by using setsockopt with SO_SET_REPLACE/SO_SET_ADD_COUNTERS?)
2. Calling the tproxy interface for the socket (by using setsockopt with TPROXY_ASSIGN/TPROXY_FLAGS)

"1." does not require a kernel patch, but is there some issue? (Ex: performance, or others?)

I would appreciate it if I can get some information.

Thank you!

--
(Nihon F-Secure Corporation)
Yoshioka Tsuneo
E-MAIL: Tsuneo.Yoshioka@f-secure.com
Hi,
On Friday 12 January 2007 06:10, Yoshioka Tsuneo wrote:
> When I tried to listen on the proxy using tproxy like the following, it does not work as intended.
>
> Structure: Client <===> Proxy <===> Server
>
> 1. On Proxy, listen on the port 9999.
> 2. On Proxy, assign Server:2000 using TPROXY_ASSIGN, and set the ITP_LISTEN flag.
> 3. Client connects to Server:2000.
> 4. Proxy steals the connection using tproxy (using ITP_LISTEN).
> 5. Proxy connects to Server:2000.
>
> On "4.", Proxy should connect to server:2000. But, actually, the proxy connects to Proxy:9999.
This is probably because TProxy cannot differentiate between incoming and outgoing traffic, and when you try to connect to server:2000 that connection also gets stolen.
Try something like this instead:
1. Proxy listens on port 9999
2. Instead of assigning server:2000 on the listener, add an iptables rule:

    iptables -t tproxy -A PREROUTING -s client_net/mask -d server \
        -p tcp --dport 2000 -j TPROXY --on-port 9999
The difference here is that this rule does not apply to locally generated traffic, therefore your connection from the proxy to the server won't get caught. The rest of the process should be OK.
--
Regards,
Krisztian Kovacs

_______________________________________________
tproxy mailing list
tproxy@lists.balabit.hu
https://lists.balabit.hu/mailman/listinfo/tproxy
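As an added example (not code from this thread or from the tproxy project), here is the proxy side of the setup Krisztian describes: a listener on the --on-port, recovery of the client's original destination from the accepted socket, and the outgoing leg bound to the client's own address so that both src and dst survive at the proxy, which is the "keep src/dst address" question above. It uses the mainline Linux TPROXY API (IP_TRANSPARENT with an `iptables -t mangle -j TPROXY` rule) rather than the 2007 patch's TPROXY_ASSIGN/ITP_LISTEN calls, and assumes the matching TPROXY rule plus fwmark policy route are in place and the process holds CAP_NET_ADMIN.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <sys/socket.h>
#include <unistd.h>

#ifndef IP_TRANSPARENT
#define IP_TRANSPARENT 19   /* Linux value, normally defined by <netinet/in.h> */
#endif
static int fail(int fd) { close(fd); return -1; }   /* close and report error */

/* Listener behind "-j TPROXY --on-port <port>". IP_TRANSPARENT lets it accept
 * connections addressed to a non-local destination (needs CAP_NET_ADMIN). */
int transparent_listener(uint16_t port)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0), one = 1;
    struct sockaddr_in a = { .sin_family = AF_INET, .sin_port = htons(port),
                             .sin_addr.s_addr = htonl(INADDR_ANY) };
    if (fd < 0) return -1;
    if (setsockopt(fd, IPPROTO_IP, IP_TRANSPARENT, &one, sizeof one) < 0 ||
        bind(fd, (struct sockaddr *)&a, sizeof a) < 0 || listen(fd, 128) < 0)
        return fail(fd);
    return fd;
}

/* On a TPROXY'd accepted socket the local address is the client's original
 * destination (server:2000 in the thread), so getsockname() recovers it.
 * Returns 0 on success, -1 on error with errno set. */
int original_destination(int accepted_fd, struct sockaddr_in *dst)
{
    socklen_t len = sizeof *dst;
    return getsockname(accepted_fd, (struct sockaddr *)dst, &len);
}

/* Server-side leg: bind to the client's IP (IP_TRANSPARENT permits a non-local
 * source) and connect to the original destination, so the server still sees the
 * client's address. Being locally generated, it never passes PREROUTING. */
int connect_as_client(const struct sockaddr_in *client, const struct sockaddr_in *dst)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0), one = 1;
    struct sockaddr_in src = *client;
    src.sin_port = 0;   /* keep the client's IP, let the kernel pick the port */
    if (fd < 0) return -1;
    if (setsockopt(fd, IPPROTO_IP, IP_TRANSPARENT, &one, sizeof one) < 0 ||
        bind(fd, (struct sockaddr *)&src, sizeof src) < 0 ||
        connect(fd, (const struct sockaddr *)dst, sizeof *dst) < 0)
        return fail(fd);
    return fd;
}
```

The client address passed to connect_as_client comes from accept()'s peer address; without the fwmark policy route, TPROXY'd packets are forwarded instead of being delivered to the listener.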