Bazsi,

Let's say I want to use TPROXY to build a proxy that will protect all the clients accessing the Internet; assume INTERNET_GROUP is a set of subnets representing the Internet. The following entry will intercept all the connections going to the Internet:

iptables -t tproxy -A PREROUTING -dest INTERNET_GROUP -j TPROXY --on-port 80

1) Is there any way I can only intercept HTTP connections?

2) Once I intercept a connection, how do I retrieve the foreign address? Is there any TPROXY option to retrieve the foreign address/port?

thanks
Dileep

-----Original Message-----
From: tproxy-admin@lists.balabit.hu [mailto:tproxy-admin@lists.balabit.hu] On Behalf Of Balazs Scheidler
Sent: Monday, May 05, 2003 8:21 AM
To: Dileep Kumar
Cc: tproxy@lists.balabit.hu
Subject: Re: [tproxy] TPROXY USAGE

On Wed, Apr 30, 2003 at 11:21:29PM -0700, Dileep Kumar wrote:
Hello Bazsi,

A few questions for you:

The IP table entry (iptables -t tproxy -A PREROUTING -dest server_addr -j TPROXY --on-port ) is sending all connections to the proxy. Is it true that I don't need to set any IP table entry if I am interested only in connections on a specific port? In our experiment with TPROXY, one thing that we discovered was that if we are interested only in connections on a specific port, we don't need to set any IP table entry at all. By using setsockopt IP_TPROXY_ASSIGN and IP_TPROXY_FLAGS we could intercept the packet, listen on the foreign address and source from a foreign address. For PASV FTP, I can bind the port for listen that was sent to the client. I am not sure when I will need to add an IP table entry.
You don't need a tproxy table entry if your application specifically asks for a given foreign address/port.
The second question: when I want to create a connection with the foreign address as source address, I need to bind to the local address with a local port. Does doing so create a port management problem? I noticed that in your Zorp code, in the tpsocket file, the autobind function sends port zero. I am assuming that in this case the kernel picks the port. Is this valid usage? Or do I need to manage the ports?
Yes, port 0 means to allocate a port automatically. It does not matter which port you are using on your local interface; the only requirement is that it must be bound to a fully specified address/port (e.g. it cannot be 0.0.0.0).
Third, I did not see any proxy using the API defined in tpsocket. Do you have any example of a full proxy that is using TPROXY?
There were a couple of examples in the tarball, but I am afraid they are quite outdated. You can check out the sources for Zorp however.

-- 
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1

_______________________________________________
tproxy mailing list
tproxy@lists.balabit.hu
https://lists.balabit.hu/mailman/listinfo/tproxy
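As an added example that is not code from this thread or from Zorp: the socket-level side of the two answers above in C, namely binding to a fully specified local address with port 0 so the kernel allocates the port, and reading the intercepted destination back with getsockname() on the accepted socket, which is how a transparent listener recovers the foreign address with the IP_TRANSPARENT option of current Linux TPROXY (the successor of the 2.4-era tproxy table discussed here). It assumes loopback is usable and that the process may lack CAP_NET_ADMIN, so IP_TRANSPARENT is set best-effort.

```c
/* Added example, not from the thread or from Zorp: kernel port allocation via bind(..., port 0)
 * and recovery of the intercepted destination via getsockname() on the accepted socket. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <unistd.h>

#ifndef IP_TRANSPARENT
#define IP_TRANSPARENT 19 /* Linux IP-level option; setting it needs CAP_NET_ADMIN */
#endif

/* Bind a TCP socket to ip:0 (a fully specified address, port left to the kernel) and
 * return the port the kernel allocated, or 0 on failure. */
int autobind_port(const char *ip)
{
    struct sockaddr_in a = { .sin_family = AF_INET, .sin_port = 0 };
    socklen_t len = sizeof a;
    int fd = socket(AF_INET, SOCK_STREAM, 0), port = 0;
    if (fd < 0) return 0;
    if (inet_pton(AF_INET, ip, &a.sin_addr) == 1 && bind(fd, (struct sockaddr *)&a, len) == 0 &&
        getsockname(fd, (struct sockaddr *)&a, &len) == 0)
        port = ntohs(a.sin_port);
    close(fd);
    return port;
}

/* Listen on 127.0.0.1:0, connect to it, accept, and return the port getsockname() reports on the
 * accepted socket. Under real interception (IP_TRANSPARENT plus a TPROXY rule) this is the port
 * the client originally dialled, because the kernel hands the packet over without rewriting it.
 * listen_port (may be NULL) receives the port the listener was given. Returns 0 on failure. */
int accepted_local_port(int *listen_port)
{
    struct sockaddr_in a = { .sin_family = AF_INET, .sin_addr.s_addr = htonl(INADDR_LOOPBACK) };
    socklen_t len = sizeof a;
    int one = 1, ls, cs, as, port = 0;
    if ((ls = socket(AF_INET, SOCK_STREAM, 0)) < 0) return 0;
    setsockopt(ls, IPPROTO_IP, IP_TRANSPARENT, &one, sizeof one); /* best effort if unprivileged */
    if (bind(ls, (struct sockaddr *)&a, len) < 0 || listen(ls, 1) < 0 ||
        getsockname(ls, (struct sockaddr *)&a, &len) < 0) { close(ls); return 0; }
    if (listen_port) *listen_port = ntohs(a.sin_port);
    if ((cs = socket(AF_INET, SOCK_STREAM, 0)) < 0) { close(ls); return 0; }
    if (connect(cs, (struct sockaddr *)&a, len) == 0 && (as = accept(ls, NULL, NULL)) >= 0) {
        len = sizeof a;
        if (getsockname(as, (struct sockaddr *)&a, &len) == 0) port = ntohs(a.sin_port);
        close(as);
    }
    close(cs); close(ls);
    return port;
}
```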