On Wed, Oct 29, 2008 at 7:20 AM, Balazs Scheidler <bazsi@balabit.hu> wrote:
On Tue, 2008-10-28 at 19:15 -0700, Pranav Desai wrote:
On Tue, Oct 28, 2008 at 6:54 PM, Pranav Desai <pranavadesai@gmail.com> wrote:
Hello,
I am trying to do a foreign connect with tproxy4.
Here is what I have tried so far; it seems like I have missed a few things since it's not working for me.
After applying the kernel patch for 2.6.24.7, I can get the pkts going out using a foreign address. I also see the syn ack pkts coming back from the server on the client machine, but the client doesn't send an ack back. I am guessing that I missed something with the iptables rules?
The README suggests that I have to set the following rules and do the setsockopt for the foreign connect.
iptables -t mangle -N DIVERT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A DIVERT -j MARK --set-xmark 0x1/0xffffffff
iptables -t mangle -A DIVERT -j ACCEPT
For me the --set-xmark fails with:
iptables v1.4.0: Unknown arg `--set-xmark'
Try `iptables -h' or 'iptables --help' for more information.
I have applied the tproxy patch for iptables-1.4.0
Here is my mangle table. The UNKNOWN match seems suspicious.
Here is the correct mangle table output
Chain PREROUTING (policy ACCEPT 258K packets, 36M bytes)
 pkts bytes target prot opt in  out source    destination
  395 29020 DIVERT tcp  --  *   *   0.0.0.0/0 0.0.0.0/0   socket

Chain INPUT (policy ACCEPT 76083 packets, 11M bytes)
 pkts bytes target prot opt in  out source    destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in  out source    destination

Chain OUTPUT (policy ACCEPT 63346 packets, 12M bytes)
 pkts bytes target prot opt in  out source    destination

Chain POSTROUTING (policy ACCEPT 63346 packets, 12M bytes)
 pkts bytes target prot opt in  out source    destination

Chain DIVERT (1 references)
 pkts bytes target prot opt in  out source    destination
  172 11704 MARK   all  --  *   *   0.0.0.0/0 0.0.0.0/0   MARK set 0x1
  117  7324 ACCEPT all  --  *   *   0.0.0.0/0 0.0.0.0/0
The --set-xmark command is still failing so I tried this:
iptables -t mangle -A DIVERT -j MARK --set-mark 0x1
But that didn't help. So any help is welcome.
Hm.. did you also set up proper policy routing rules? I mean the packets marked with 0x1 should be routed to the local IP stack.
No, I didn't. I thought that was only applicable to redirection. I am still stuck with the tproxy2 thinking of tproxy being used only on the web server side. It's working after adding those rules. Thanks a lot for your help. -- Pranav
-- Bazsi
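The setup this thread converges on (the DIVERT chain plus the policy-routing rules that were missing), written up as an added example script; it is not code from the thread or from the tproxy project. It assumes mark 0x1 and routing table 100, detects whether the installed iptables knows --set-xmark, and prints instead of applying when DRY_RUN=1 is set.

```shell
#!/bin/sh
# Added example: tproxy4 foreign-connect plumbing on the proxy box.
# Assumptions (not from the thread): mark 0x1, routing table 100.
# The proxy itself must still setsockopt(IP_TRANSPARENT) on its socket
# before binding to the client's (foreign) address and calling connect().
set -eu

MARK=0x1
TABLE=100

# Print the command under DRY_RUN=1, otherwise execute it (needs root).
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# iptables 1.4.0 in the thread rejects --set-xmark; --set-mark sets the
# same mark value without a mask and is accepted by older builds.
pick_mark_opt() {
    if iptables -j MARK -h 2>/dev/null | grep -q -- '--set-xmark'; then
        echo "--set-xmark ${MARK}/0xffffffff"
    else
        echo "--set-mark ${MARK}"
    fi
}

# Step 1: mark incoming TCP packets that match an existing local socket
# (the transparent socket the proxy opened toward the server).
divert_rules() {
    run iptables -t mangle -N DIVERT
    run iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
    run iptables -t mangle -A DIVERT -j MARK $(pick_mark_opt)
    run iptables -t mangle -A DIVERT -j ACCEPT
}

# Step 2: the piece missing in the original mail. Without it the marked
# SYN/ACK (addressed to the client's IP) is forwarded on to the real
# client instead of being delivered to the proxy's transparent socket.
policy_routing() {
    run ip rule add fwmark "$MARK" lookup "$TABLE"
    run ip route add local 0.0.0.0/0 dev lo table "$TABLE"
}

# Usage: DRY_RUN=1 sh tproxy4-setup.sh apply  (print)  or as root without DRY_RUN.
if [ "${1:-}" = "apply" ]; then
    divert_rules
    policy_routing
fi
```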