Re: [tproxy] netcat for tproxy (and additional noob questions)
2009/7/5 John Lauro <john.lauro@covenanteyes.com>:
Most of the examples I found are for more specific cases, such as for use with squid on just port 80. I am not certain I understand fully the interaction between the rules for iptables and the interaction with tproxy. Is there someplace this is all documented, along with all the details from a programmer perspective such as the use of setsockopt? (I think I just need updated man pages?)
Ive been looking to put some better documentation together for what Lusca does for TPROXY4 (I'm guessing you're talking about that and not TPROXY2.) In any case, the process is somewhat like this: * iptables/routing table setup - http://wiki.squid-cache.org/Features/Tproxy4 * create listen socket * setsockopt to make it transparent * bind() to 0.0.0.0, relevant port that you've redirected traffic to * listen() as usual Then, you accept() as usual, use getsockname() to determine the original destination. Then for the outbound socket: * create socket * setsockopt to make it transparent * bind() to relevant IP (and port, or leave it 0 to let the stack choose a port IIRC) * connect() as usual I haven't yet really looked into the TPROXY4 kernel implementation to know precisely what is going on. I can't find some clear, concise documentation either explaining the "how" or "why" behind the iptables rules and why packets need to be punted via the loopback interface. HTH, Adrian
Ive been looking to put some better documentation together for what Lusca does for TPROXY4 (I'm guessing you're talking about that and not TPROXY2.)
I think so... It's whatever is now standard in the kernel without extra patches.
In any case, the process is somewhat like this:
* iptables/routing table setup - http://wiki.squid- cache.org/Features/Tproxy4
Ok, I was mostly there. I was missing one critical rule. I think I understand it better now, as that wiki article does a little bit of explaining as to why the rules.
* create listen socket * setsockopt to make it transparent * bind() to 0.0.0.0, relevant port that you've redirected traffic to * listen() as usual
Then, you accept() as usual, use getsockname() to determine the original destination. Then for the outbound socket:
Getsockname is returning back the source/client IP & port instead of the original destination. I will need that, but that's only half... I'm possibly just not passing the correct structure(?) Switching a couple of things around, instead it returns back the generic 0.0.0.0 address I bound as, which is not any better. It might not help that I am tested it from a slightly modified netcat instead of a more simple test and I am probably overlooking something simple. Perhaps next I'll try a more simple code test from scratch instead of patching netcat. At least now I am confident I have the rules in place so that can intercept a stream. I just have to be able to figure out where they were going... (and then the other half which should be easier, recreating them as you indicate...)
* create socket * setsockopt to make it transparent * bind() to relevant IP (and port, or leave it 0 to let the stack choose a port IIRC)
Should I be able to reuse the original source port, or will that fail/cause problems as it would already be in the connection table (except with local/foreign reversed)?
* connect() as usual
I haven't yet really looked into the TPROXY4 kernel implementation to know precisely what is going on. I can't find some clear, concise documentation either explaining the "how" or "why" behind the iptables rules and why packets need to be punted via the loopback interface.
Hi, On Sun, Jul 05, 2009 at 08:52:33PM +0800, Adrian Chadd wrote:
I haven't yet really looked into the TPROXY4 kernel implementation to know precisely what is going on. I can't find some clear, concise documentation either explaining the "how" or "why" behind the iptables rules and why packets need to be punted via the loopback interface.
Have you read the documentation in the kernel source? I know it's not too detailed either, though. Which parts are unclear? We could probably easily extend that document to cover what you need. http://tinyurl.com/m3hkcn -- KOVACS Krisztian
participants (3)
-
Adrian Chadd
-
John Lauro
-
KOVACS Krisztian