On Wed, 2008-12-03 at 21:55 +0800, Dong Wei wrote:
Hi, all
I use the latest tproxy kernel. But I find that tproxy can't work with DNAT mode.
network topology:
Web Server(192.168.1.10)----(192.168.1.1)TPROXY Server(202.0.0.1)---(202.0.0.10)Client
For the TPROXY Server: eth0 192.168.1.1, eth1 202.0.0.1. When the Client visits TPROXY Server (202.0.0.1) port 80, we redirect it to the Web Server. There is a DNAT rule for it (the chain, which the original line omitted, is PREROUTING, the only place a DNAT rule with -i can live):
iptables -t nat -A PREROUTING -i eth1 -d 202.0.0.1 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.10
The tproxy APP listens on port 50080, and the TPROXY target also sets --on-port 50080 for HTTP. Here is the problem:
1. Client sends SYN to 202.0.0.1:80
2. TPROXY Server receives it, and the TPROXY target redirects this packet to the socket which is listening on port 50080
3. TPROXY Server sends SYN,ACK to the Client
4. Client receives SYN,ACK and sends ACK
5. TPROXY Server receives ACK; the TPROXY target redirects this packet to the socket listening on port 50080
6. With the DNAT rule, the established socket is 202.0.0.10:port -> 192.168.1.10:80
7. Client sends the "GET " request to TPROXY Server
8. The socket match finds that this packet doesn't match any socket, for its sip, sport, dip, dport is 202.0.0.10:port -> 202.0.0.1:80, while the established socket is 202.0.0.10:port -> 192.168.1.10:80
So in this case, the match can't work correctly with DNAT rules. Does anyone have any good ideas?
You cannot use DNAT and tproxy on the same connection. What do you want to achieve? If you want to change the target address of the server side connection, why don't you DNAT the server connection? That should work.
-- Bazsi
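The split Bazsi suggests, written out as an added example (not a ruleset from the thread or from the tproxy project): the client-side connection is handled by TPROXY alone in the mangle table, and the only DNAT rule sits in nat OUTPUT, where it rewrites the proxy's own outbound connection. Assumptions, beyond the addresses given in the thread: the proxy application on the TPROXY Server connects to the original destination 202.0.0.1:80 on the server side using the box's own source address (no client-source spoofing), so the web server's replies route straight back to the box and need no extra marking; and the rule syntax is the standard TPROXY recipe (DIVERT chain, -m socket, fwmark policy routing). By default the script only prints the commands; run `apply_rules sh` as root to apply them. It has not been tried on the kernel in the thread.

```shell
#!/bin/sh
# Added example for the TPROXY + DNAT thread. Topology assumed from the thread:
#   Web Server 192.168.1.10 -- eth0 192.168.1.1 [TPROXY Server] eth1 202.0.0.1 -- Client 202.0.0.10
# Assumption: the proxy listens on $PROXY_PORT and connects to the original
# destination ($VIP:80) on the server side from the box's own address.
CLIENT_IF=eth1
VIP=202.0.0.1
WEB_SERVER=192.168.1.10
PROXY_PORT=50080

# Client side: mangle table only. Packets belonging to an existing proxy socket
# are found by -m socket and marked; new SYNs to $VIP:80 are diverted to the
# proxy socket by TPROXY. Nothing here rewrites the packet, so the socket
# tuple stays 202.0.0.10:port -> 202.0.0.1:80 and the lookup in step 8 succeeds.
# The -i restriction keeps the web server's replies on eth0 out of these rules.
client_side_rules() {
    cat <<EOF
iptables -t mangle -N DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT
iptables -t mangle -A PREROUTING -i $CLIENT_IF -p tcp -m socket -j DIVERT
iptables -t mangle -A PREROUTING -i $CLIENT_IF -p tcp -d $VIP --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port $PROXY_PORT
ip rule add fwmark 1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100
EOF
}

# Server side: the proxy's outbound connection is locally generated, so the
# DNAT goes in nat OUTPUT. Only this second connection is rewritten; the
# client-side connection never passes through the nat table.
server_side_rules() {
    cat <<EOF
iptables -t nat -A OUTPUT -p tcp -d $VIP --dport 80 -j DNAT --to-destination $WEB_SERVER
EOF
}

# Returns success if any client-side rule touches the nat table, which is
# exactly the mistake that broke the socket match in the original setup.
client_side_has_nat() {
    client_side_rules | grep -q -- '-t nat'
}

# "apply_rules sh" executes the commands; any other argument just prints them.
apply_rules() {
    if [ "${1:-print}" = sh ]; then
        { client_side_rules; server_side_rules; } | sh -e
    else
        client_side_rules
        server_side_rules
    fi
}

apply_rules print
```

If the proxy is not transparent towards the server (it can be told to connect to 192.168.1.10 directly), the server-side DNAT is unnecessary and `server_side_rules` can be dropped; the client-side half is unchanged either way.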