Hello Krisztian! Is that what I mean! Follow my full configuration:

echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/ip_nonlocal_bind
echo 1 > /proc/sys/net/ipv4/conf/eth0/rp_filter
echo 1 > /proc/sys/net/ipv4/conf/eth1/rp_filter
echo 1 > /proc/sys/net/ipv4/conf/br0/rp_filter
echo 1 > /proc/sys/net/ipv4/conf/lo/rp_filter
echo 1 > /proc/sys/net/ipv4/conf/all/forwarding
echo 1 > /proc/sys/net/ipv4/conf/all/send_redirects

cd /proc/sys/net/bridge/
for i in *
do
echo 0 > $i
done
unset i

iptables -t mangle -N DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 8012

ebtables -t broute -A BROUTING -i eth1 -p ipv4 --ip-proto tcp --ip-dport 80 -j redirect --redirect-target DROP
ebtables -t broute -A BROUTING -i eth0 -p ipv4 --ip-proto tcp --ip-sport 80 -j redirect --redirect-target DROP
//eth0 connected to gw and eth1 internal

ip rule add dev eth0 fwmark 1 lookup 100
ip rule add dev eth1 fwmark 1 lookup 100
ip rule add dev br0 fwmark 1 lookup 100

root@cache:~# ip rule
0:      from all lookup local
32763:  from all fwmark 0x1 iif eth0 lookup 100
32764:  from all fwmark 0x1 iif eth1 lookup 100
32765:  from all fwmark 0x1 iif br0 lookup 100
32766:  from all lookup main
32767:  from all lookup default

root@thundercache:~# ip route show all
189.10.205.0/24 dev br0  proto kernel  scope link  src 189.10.205.3
default via 189.10.205.1 dev br0  metric 100

root@thundercache:~# ifconfig
br0       Link encap:Ethernet  Endereço de HW 00:06:4f:5f:b3:1e
          inet end.: 189.10.205.3  Bcast:189.10.203.255  Masc:255.255.255.0
          endereço inet6: fe80::206:4fff:fe5f:b31e/64 Escopo:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Métrica:1
          pacotes RX:2314056 erros:0 descartados:0 excesso:0 quadro:0
          Pacotes TX:686243 erros:0 descartados:0 excesso:0 portadora:0
          colisões:0 txqueuelen:0
          RX bytes:640911673 (640.9 MB)  TX bytes:499301746 (499.3 MB)

eth0      Link encap:Ethernet  Endereço de HW 00:06:4f:5f:b3:1e
          endereço inet6: fe80::206:4fff:fe5f:b31e/64 Escopo:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Métrica:1
          pacotes RX:197138752 erros:0 descartados:0 excesso:0 quadro:0
          Pacotes TX:171287420 erros:0 descartados:0 excesso:0 portadora:0
          colisões:0 txqueuelen:1000
          RX bytes:1122327687 (1.1 GB)  TX bytes:1558614907 (1.5 GB)
          IRQ:18

eth1      Link encap:Ethernet  Endereço de HW 00:1e:8c:d2:2e:e9
          endereço inet6: fe80::21e:8cff:fed2:2ee9/64 Escopo:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Métrica:1
          pacotes RX:171297851 erros:1 descartados:0 excesso:0 quadro:1
          Pacotes TX:197160512 erros:0 descartados:0 excesso:0 portadora:0
          colisões:0 txqueuelen:1000
          RX bytes:1561386827 (1.5 GB)  TX bytes:1915548351 (1.9 GB)
          IRQ:25 Endereço de E/S:0x4000

lo        Link encap:Loopback Local
          inet end.: 127.0.0.1  Masc:255.0.0.0
          endereço inet6: ::1/128 Escopo:Máquina
          UP LOOPBACK RUNNING  MTU:16436  Métrica:1
          pacotes RX:40 erros:0 descartados:0 excesso:0 quadro:0
          Pacotes TX:40 erros:0 descartados:0 excesso:0 portadora:0
          colisões:0 txqueuelen:0
          RX bytes:3690 (3.6 KB)  TX bytes:3690 (3.6 KB)

Thank you Friend!
Bst Rgds
Luiz

2010/1/12 <tproxy-request@lists.balabit.hu>:
Send tproxy mailing list submissions to tproxy@lists.balabit.hu
To subscribe or unsubscribe via the World Wide Web, visit https://lists.balabit.hu/mailman/listinfo/tproxy or, via email, send a message with subject or body 'help' to tproxy-request@lists.balabit.hu
You can reach the person managing the list at tproxy-owner@lists.balabit.hu
When replying, please edit your Subject line so it is more specific than "Re: Contents of tproxy digest..."
Today's Topics:
1. Re: tproxy Digest, Vol 55, Issue 4 (Luiz Biazus)
2. Re: tproxy Digest, Vol 55, Issue 4 (KOVACS Krisztian)
----------------------------------------------------------------------
Message: 1
Date: Mon, 11 Jan 2010 09:05:25 -0200
From: Luiz Biazus <luiz@biazus.com>
Subject: Re: [tproxy] tproxy Digest, Vol 55, Issue 4
To: tproxy@lists.balabit.hu
Message-ID: <8ecc30771001110305l2ab305e4h757f48a39fc97d95@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1
About these procedures:

ip rule add dev eth0 fwmark 1 lookup 100
ip rule add dev eth1 fwmark 1 lookup 100
ip rule add dev br0 fwmark 1 lookup 100

It doesn't work.

Thank you Krisztian
2010/1/11 <tproxy-request@lists.balabit.hu>:
Today's Topics:
1. EADDRNOTAVAIL from connect, but only sometimes (Ron Parker)
2. Re: Correct kernel version with tproxy (KOVACS Krisztian)
----------------------------------------------------------------------
Message: 1
Date: Sun, 10 Jan 2010 19:46:58 -0500
From: Ron Parker <rparker@movik.net>
Subject: [tproxy] EADDRNOTAVAIL from connect, but only sometimes
To: "tproxy@lists.balabit.hu" <tproxy@lists.balabit.hu>
Message-ID: <5D6AFCAC2AD9424D816711D1AF4FE8441BDE791924@MAILR014.mail.lan>
Content-Type: text/plain; charset="us-ascii"
Hi,
We are using the tproxy patch for Linux 2.6.24 (Ubuntu 8.0.4). When placing outgoing connections, we use the original socket address (4-tuple) in the bind and set SO_REUSEADDR on the socket. The sequence we are having difficulty with is:
* Client connects to transparent proxy
* Transparent proxy connects to remote server
* Normal data transfer...
* Remote server closes the connection (but client connection is maintained)
* Transparent proxy attempts to connect again to remote server using the original 4-tuple (again)
  o Bind succeeds
  o Connect fails with EADDRNOTAVAIL
The original socket is probably in TIME_WAIT at this point. I thought the SO_REUSEADDR would take care of the problem. What am I missing here?
Thanks.
Ron
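Luiz's configuration at the top of the thread sends packets marked 1 to routing table 100, but the "ip route show all" listing only covers the main table. The script below is an added example, not code from the thread or from the tproxy project: it audits captured "ip rule" and "ip route show table 100" output against the setup in the kernel's TPROXY documentation, which pairs the fwmark rule with a local route on lo in that table; the "ip rule" input is the listing from the post, the two table-100 listings are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread: audit the policy-routing half of a
# TPROXY setup from captured "ip rule" and "ip route show table N" output.
# Assumes the setup in the kernel's TPROXY documentation, where the fwmark
# rule is paired with "ip route add local 0.0.0.0/0 dev lo table 100"; that
# local route is what makes the kernel deliver marked packets to the proxy
# socket instead of forwarding them.

# check_tproxy_routing MARK TABLE RULES ROUTES
#   RULES = text of "ip rule", ROUTES = text of "ip route show table TABLE"
# Prints each missing piece; returns 0 only when nothing is missing.
check_tproxy_routing() {
    mark=$1 table=$2 rules=$3 routes=$4 missing=0
    hexmark=$(printf '0x%x' "$mark")    # "ip rule" prints fwmark 0x1, not 1

    # 1. Some rule must send packets carrying the mark to the table.
    if ! printf '%s\n' "$rules" | grep -Eq "fwmark ${hexmark}( |/).*lookup ${table}( |\$)"; then
        echo "missing: ip rule add fwmark ${mark} lookup ${table}"
        missing=$((missing + 1))
    fi

    # 2. Rules limited to an incoming interface (iif) only catch traffic from
    #    that interface; list them so coverage of every interface can be checked.
    printf '%s\n' "$rules" | grep -E "fwmark ${hexmark}( |/).*iif " |
        sed 's/.*iif \([^ ]*\).*/note: mark rule limited to iif \1/'

    # 3. The table must hold the local catch-all route on lo; iproute2 prints
    #    it as "local default" or "local 0.0.0.0/0" depending on version.
    if ! printf '%s\n' "$routes" | grep -Eq '^local (default|0\.0\.0\.0/0) dev lo'; then
        echo "missing: ip route add local 0.0.0.0/0 dev lo table ${table}"
        missing=$((missing + 1))
    fi
    return "$missing"
}

# Sample input: the "ip rule" listing from the post above, plus two constructed
# table-100 listings, one populated as documented and one empty.
RULES_FROM_POST='0:      from all lookup local
32763:  from all fwmark 0x1 iif eth0 lookup 100
32764:  from all fwmark 0x1 iif eth1 lookup 100
32765:  from all fwmark 0x1 iif br0 lookup 100
32766:  from all lookup main
32767:  from all lookup default'
TABLE100_OK='local default dev lo scope host'
TABLE100_EMPTY=''

check_tproxy_routing 1 100 "$RULES_FROM_POST" "$TABLE100_OK";    echo "exit=$?"
check_tproxy_routing 1 100 "$RULES_FROM_POST" "$TABLE100_EMPTY"; echo "exit=$?"
```

On a live box, feed it the real output with check_tproxy_routing 1 100 "$(ip rule)" "$(ip route show table 100)".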