I would suggest you use:

- iptables 1.4.6: I don't remember if iptables 1.4.2 needs to be patched or not
- linux 2.6.31: yes, it has built-in tproxy. You need the options "Transparent proxying support (EXPERIMENTAL)", "TPROXY" target support (EXPERIMENTAL) and "socket" match support (EXPERIMENTAL)

Don't use 2.6.32; something changed about rp_filters and I couldn't make tproxy work with it. Maybe someone else knows how to do it. The problem was fixed in 2.6.33 (which is not yet released), but you'll need to set a new sysctl:

    sysctl net.ipv4.conf.lo.src_valid_mark=1

For iptables/ebtables rules, I based my configuration on this post:
https://lists.balabit.hu/pipermail/tproxy/2010-January/001211.html

Bye,
Nicolas

2010/2/11 Alexander Dultsev <alexander.dooltsev@gmail.com>:
Hi Nicolas,

thanks for the fast reply, and sorry about my spontaneous question - yes, it's about using iptables 1.4.2 with a patched Debian kernel 2.6.27-wt6 (tproxy patch) or a non-patched 2.6.31 (the 2.6.31 has it built in, am I correct?)

So,
1) is iptables 1.4.2 + kernel 2.6.31 ok to go for tproxy functionality?
2) how would you make it work then?

Thanks,
Alex.

On Thu, Feb 11, 2010 at 9:14 AM, nicolas normand <doomyster@gmail.com> wrote:
I suppose you are speaking of the tproxy table. It was removed some time ago (I don't remember when); now I could make tproxy work with just the mangle table, and a 2.6.31 or 2.6.33 linux kernel.

Bye, Nicolas
2010/2/11 Alexander Dultsev <alexander.dooltsev@gmail.com>:
Hello,

perhaps it's covered in some place here (if so, could you please point to the right direction) - is entry iptables_tproxy.ko missing under tproxy 4.x.x version (so things like 'iptables -F tproxy -L' cannot be called)? I can see, for instance, 'iptables_raw' etc, but not the above in my /lib/modules/... directory.

Thanks,
Alex.
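
The prerequisites named in the thread above can be checked with a short script. This is an added example, not part of the thread or of the tproxy project; the CONFIG_* symbol names are this example's mapping of the quoted menuconfig labels and the function names are hypothetical.

```shell
#!/bin/sh
# Audit a host for the TPROXY prerequisites listed in the thread.
# Assumption: these CONFIG_* symbols correspond to the three menuconfig
# labels quoted in the thread; the thread gives only the labels.
TPROXY_OPTS="CONFIG_NETFILTER_TPROXY CONFIG_NETFILTER_XT_TARGET_TPROXY CONFIG_NETFILTER_XT_MATCH_SOCKET"

# Print each required option that is neither built in (=y) nor a module (=m).
# $1 = path to a kernel config, e.g. /boot/config-$(uname -r)
tproxy_missing_opts() {
    for opt in $TPROXY_OPTS; do
        grep -Eq "^${opt}=(y|m)\$" "$1" || printf '%s\n' "$opt"
    done
}

# Classify a kernel release string ($1, as printed by `uname -r`)
# according to the advice given in the thread.
tproxy_kernel_advice() {
    case "$1" in
        2.6.31|2.6.31[.-]*) echo "ok" ;;
        2.6.32|2.6.32[.-]*) echo "avoid" ;;
        2.6.33|2.6.33[.-]*) echo "needs-src_valid_mark" ;;
        *) echo "not-covered" ;;
    esac
}

# Succeed only when src_valid_mark is enabled on lo. $1 is the sysctl tree
# root (default /proc/sys) so the check can be pointed at a fixture.
tproxy_src_valid_mark_set() {
    f="${1:-/proc/sys}/net/ipv4/conf/lo/src_valid_mark"
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# Constructed sample config fragment: the "socket" match is left disabled,
# so it is the one option reported as missing.
tproxy_demo() {
    cfg=$(mktemp)
    cat > "$cfg" <<'EOF'
CONFIG_NETFILTER_TPROXY=m
CONFIG_NETFILTER_XT_TARGET_TPROXY=m
# CONFIG_NETFILTER_XT_MATCH_SOCKET is not set
EOF
    tproxy_missing_opts "$cfg"
    rm -f "$cfg"
}
```

On a live host, source the file and run tproxy_missing_opts against the running kernel's config, then tproxy_kernel_advice "$(uname -r)".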