My first configuration was with all disabled:

echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/eth1/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/br0/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/lo/rp_filter

I enabled it to make the test that you said! So it doesn't work :-(

Thank you friend
Luiz

2010/1/13 <tproxy-request@lists.balabit.hu>:
Send tproxy mailing list submissions to tproxy@lists.balabit.hu
To subscribe or unsubscribe via the World Wide Web, visit https://lists.balabit.hu/mailman/listinfo/tproxy or, via email, send a message with subject or body 'help' to tproxy-request@lists.balabit.hu
You can reach the person managing the list at tproxy-owner@lists.balabit.hu
When replying, please edit your Subject line so it is more specific than "Re: Contents of tproxy digest..."
Today's Topics:
1. Re: tproxy Digest, Vol 55, Issue 5 (Luiz Biazus)
2. Re: tproxy Digest, Vol 55, Issue 5 (KOVACS Krisztian)
----------------------------------------------------------------------
Message: 1
Date: Tue, 12 Jan 2010 09:27:52 -0200
From: Luiz Biazus <luiz@biazus.com>
Subject: Re: [tproxy] tproxy Digest, Vol 55, Issue 5
To: tproxy@lists.balabit.hu
Message-ID: <8ecc30771001120327t20156525nae58961884b9ea8a@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1
Hello Krisztian!
That is what I mean!

Here follows my full configuration:
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/ip_nonlocal_bind
echo 1 > /proc/sys/net/ipv4/conf/eth0/rp_filter
echo 1 > /proc/sys/net/ipv4/conf/eth1/rp_filter
echo 1 > /proc/sys/net/ipv4/conf/br0/rp_filter
echo 1 > /proc/sys/net/ipv4/conf/lo/rp_filter
echo 1 > /proc/sys/net/ipv4/conf/all/forwarding
echo 1 > /proc/sys/net/ipv4/conf/all/send_redirects

cd /proc/sys/net/bridge/
for i in *
do
    echo 0 > $i
done
unset i

iptables -t mangle -N DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 8012
ebtables -t broute -A BROUTING -i eth1 -p ipv4 --ip-proto tcp --ip-dport 80 -j redirect --redirect-target DROP
ebtables -t broute -A BROUTING -i eth0 -p ipv4 --ip-proto tcp --ip-sport 80 -j redirect --redirect-target DROP
# eth0 connected to gw and eth1 internal

ip rule add dev eth0 fwmark 1 lookup 100
ip rule add dev eth1 fwmark 1 lookup 100
ip rule add dev br0 fwmark 1 lookup 100
root@cache:~# ip rule
0:      from all lookup local
32763:  from all fwmark 0x1 iif eth0 lookup 100
32764:  from all fwmark 0x1 iif eth1 lookup 100
32765:  from all fwmark 0x1 iif br0 lookup 100
32766:  from all lookup main
32767:  from all lookup default

root@thundercache:~# ip route show all
189.10.205.0/24 dev br0  proto kernel  scope link  src 189.10.205.3
default via 189.10.205.1 dev br0  metric 100
root@thundercache:~# ifconfig
br0       Link encap:Ethernet  Endereço de HW 00:06:4f:5f:b3:1e
          inet end.: 189.10.205.3  Bcast:189.10.203.255  Masc:255.255.255.0
          endereço inet6: fe80::206:4fff:fe5f:b31e/64 Escopo:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Métrica:1
          pacotes RX:2314056 erros:0 descartados:0 excesso:0 quadro:0
          Pacotes TX:686243 erros:0 descartados:0 excesso:0 portadora:0
          colisões:0 txqueuelen:0
          RX bytes:640911673 (640.9 MB)  TX bytes:499301746 (499.3 MB)

eth0      Link encap:Ethernet  Endereço de HW 00:06:4f:5f:b3:1e
          endereço inet6: fe80::206:4fff:fe5f:b31e/64 Escopo:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Métrica:1
          pacotes RX:197138752 erros:0 descartados:0 excesso:0 quadro:0
          Pacotes TX:171287420 erros:0 descartados:0 excesso:0 portadora:0
          colisões:0 txqueuelen:1000
          RX bytes:1122327687 (1.1 GB)  TX bytes:1558614907 (1.5 GB)
          IRQ:18

eth1      Link encap:Ethernet  Endereço de HW 00:1e:8c:d2:2e:e9
          endereço inet6: fe80::21e:8cff:fed2:2ee9/64 Escopo:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Métrica:1
          pacotes RX:171297851 erros:1 descartados:0 excesso:0 quadro:1
          Pacotes TX:197160512 erros:0 descartados:0 excesso:0 portadora:0
          colisões:0 txqueuelen:1000
          RX bytes:1561386827 (1.5 GB)  TX bytes:1915548351 (1.9 GB)
          IRQ:25 Endereço de E/S:0x4000

lo        Link encap:Loopback Local
          inet end.: 127.0.0.1  Masc:255.0.0.0
          endereço inet6: ::1/128 Escopo:Máquina
          UP LOOPBACK RUNNING  MTU:16436  Métrica:1
          pacotes RX:40 erros:0 descartados:0 excesso:0 quadro:0
          Pacotes TX:40 erros:0 descartados:0 excesso:0 portadora:0
          colisões:0 txqueuelen:0
          RX bytes:3690 (3.6 KB)  TX bytes:3690 (3.6 KB)
Thank you Friend!
Bst Rgds Luiz
2010/1/12 <tproxy-request@lists.balabit.hu>:
Today's Topics:
1. Re: tproxy Digest, Vol 55, Issue 4 (Luiz Biazus)
2. Re: tproxy Digest, Vol 55, Issue 4 (KOVACS Krisztian)
----------------------------------------------------------------------
Message: 1
Date: Mon, 11 Jan 2010 09:05:25 -0200
From: Luiz Biazus <luiz@biazus.com>
Subject: Re: [tproxy] tproxy Digest, Vol 55, Issue 4
To: tproxy@lists.balabit.hu
Message-ID: <8ecc30771001110305l2ab305e4h757f48a39fc97d95@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1
About these procedures:

ip rule add dev eth0 fwmark 1 lookup 100
ip rule add dev eth1 fwmark 1 lookup 100
ip rule add dev br0 fwmark 1 lookup 100

It doesn't work.

Thank you Krisztian

2010/1/11 <tproxy-request@lists.balabit.hu>:
Today's Topics:
1. EADDRNOTAVAIL from connect, but only sometimes (Ron Parker)
2. Re: Correct kernel version with tproxy (KOVACS Krisztian)
----------------------------------------------------------------------
Message: 1
Date: Sun, 10 Jan 2010 19:46:58 -0500
From: Ron Parker <rparker@movik.net>
Subject: [tproxy] EADDRNOTAVAIL from connect, but only sometimes
To: "tproxy@lists.balabit.hu" <tproxy@lists.balabit.hu>
Message-ID: <5D6AFCAC2AD9424D816711D1AF4FE8441BDE791924@MAILR014.mail.lan>
Content-Type: text/plain; charset="us-ascii"
Hi,
We are using the tproxy patch for Linux 2.6.24 (Ubuntu 8.0.4). When placing outgoing connections, we use the original socket address (4-tuple) in the bind and set SO_REUSEADDR on the socket. The sequence we are having difficulty with is:

* Client connects to transparent proxy
* Transparent proxy connects to remote server
* Normal data transfer...
* Remote server closes the connection (but client connection is maintained)
* Transparent proxy attempts to connect again to remote server using the original 4-tuple (again)
    o Bind succeeds
    o Connect fails with EADDRNOTAVAIL

The original socket is probably in TIME_WAIT at this point. I thought the SO_REUSEADDR would take care of the problem. What am I missing here?
Thanks.
Ron
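Added illustration, not part of the thread above: a C program that replays the sequence Ron describes against a loopback listener standing in for the remote server, with the outgoing socket prepared as a TPROXY proxy prepares it (SO_REUSEADDR, IP_TRANSPARENT, bind() to the original endpoint). It shows the kernel rule that matters here: SO_REUSEADDR only relaxes bind() conflicts, while connect() still refuses a 4-tuple that another socket on the host holds, answering EADDRNOTAVAIL until that socket is gone. The EPERM an unprivileged run gets for IP_TRANSPARENT is ignored, and the function names are mine.

```c
#include <errno.h>
#include <netinet/in.h>
#include <poll.h>
#include <sys/socket.h>
#include <unistd.h>

/* One attempt as the proxy above does it: SO_REUSEADDR, IP_TRANSPARENT (EPERM when
 * unprivileged is ignored), bind() to 'local', connect() to 'peer'. Returns fd or -errno. */
static int bind_connect(const struct sockaddr_in *local, const struct sockaddr_in *peer)
{
    int one = 1, fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -errno;
    setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);
    setsockopt(fd, IPPROTO_IP, IP_TRANSPARENT, &one, sizeof one);
    if (bind(fd, (const struct sockaddr *)local, sizeof *local) ||
        connect(fd, (const struct sockaddr *)peer, sizeof *peer)) {
        int err = errno; close(fd); return -err;
    }
    return fd;
}

struct reuse_result { int while_open, after_close; }; /* connect() errno, 0 = connected */
/* Replays the sequence over loopback (a listener stands in for the remote server).
 * while_open: second attempt on the same 4-tuple while the first connection is up.
 * after_close: after the server closed first and the proxy side closed too, retried
 * briefly since the old socket lingers in LAST_ACK until the final ACK arrives. */
struct reuse_result reuse_tuple_demo(void)
{
    struct reuse_result r = {-1, -1};                     /* -1: setup failed */
    struct sockaddr_in srv = {0}, cli; socklen_t len = sizeof srv;
    int ls = socket(AF_INET, SOCK_STREAM, 0), s1, c1, fd, i; char byte;
    srv.sin_family = AF_INET; srv.sin_addr.s_addr = htonl(INADDR_LOOPBACK); /* port 0 */
    if (bind(ls, (struct sockaddr *)&srv, sizeof srv) || listen(ls, 4)) return r;
    getsockname(ls, (struct sockaddr *)&srv, &len);      /* learn the server port */
    cli = srv; cli.sin_port = 0;                          /* ephemeral local port */
    if ((c1 = bind_connect(&cli, &srv)) < 0) return r;
    getsockname(c1, (struct sockaddr *)&cli, &len);      /* the 4-tuple to reuse */
    s1 = accept(ls, NULL, NULL);
    r.while_open = (fd = bind_connect(&cli, &srv)) < 0 ? -fd : (close(fd), 0);
    close(s1);                                            /* remote server closes first */
    recv(c1, &byte, 1, 0);                                /* wait for its FIN (EOF) */
    close(c1);                                            /* proxy side closes too */
    for (i = 0; i < 2000; i++) {
        r.after_close = (fd = bind_connect(&cli, &srv)) < 0 ? -fd : (close(fd), 0);
        if (r.after_close != EADDRNOTAVAIL) break;
        poll(NULL, 0, 1);                                 /* 1 ms, then retry */
    }
    close(ls);
    return r;
}
```

With the old socket fully closed the retry succeeds; a socket the proxy still holds open, or one left in TIME_WAIT on the proxy side without net.ipv4.tcp_tw_reuse, keeps producing EADDRNOTAVAIL.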