Hello, I'm using kernel 2.6.29 with iptables 1.4.6 and I'm trying to set up a minimal TPROXY. Basically, I've configured another (physical) machine to use my computer as default gateway, then on my machine I've enabled ip_forward and disabled rp_filter everywhere and am using these rules:

    ip rule add fwmark 1 lookup 100
    ip route add local 0.0.0.0/0 dev lo table 100
    iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 80 -j TPROXY --on-port 9999 --tproxy-mark 0x1/0x1

There are no other iptables rules, and all chains default to ACCEPT.

Then, on the remote machine I try to telnet google.com 80, but the connection can't be established. Tcpdump shows that SYN packets arrive but then it's as if they were dropped: they aren't getting to the proxy on port 9999.

Any ideas?

-- 
Stelian Ionescu a.k.a. fe[nl]ix
Quidquid latine dictum sit, altum videtur.
http://common-lisp.net/project/iolib
Hi,

On 01/28/2010 04:53 PM, Stelian Ionescu wrote:
> Hello, I'm using kernel 2.6.29 with iptables 1.4.6 and I'm trying to set up a minimal TPROXY. Basically, I've configured another (physical) machine to use my computer as default gateway, then on my machine I've enabled ip_forward and disabled rp_filter everywhere and am using these rules:
>
>     ip rule add fwmark 1 lookup 100
>     ip route add local 0.0.0.0/0 dev lo table 100
>     iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 80 -j TPROXY --on-port 9999 --tproxy-mark 0x1/0x1
>
> There are no other iptables rules, and all chains default to ACCEPT.
>
> Then, on the remote machine I try to telnet google.com 80, but the connection can't be established. Tcpdump shows that SYN packets arrive but then it's as if they were dropped: they aren't getting to the proxy on port 9999.
>
> Any ideas?

Does your proxy application set the IP_TRANSPARENT socket option on the listener socket?

-- 
KOVACS Krisztian
On Fri, 2010-01-29 at 09:45 +0100, KOVACS Krisztian wrote:
> Hi,
>
> On 01/28/2010 04:53 PM, Stelian Ionescu wrote:
>> Hello, I'm using kernel 2.6.29 with iptables 1.4.6 and I'm trying to set up a minimal TPROXY. Basically, I've configured another (physical) machine to use my computer as default gateway, then on my machine I've enabled ip_forward and disabled rp_filter everywhere and am using these rules:
>>
>>     ip rule add fwmark 1 lookup 100
>>     ip route add local 0.0.0.0/0 dev lo table 100
>>     iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 80 -j TPROXY --on-port 9999 --tproxy-mark 0x1/0x1
>>
>> There are no other iptables rules, and all chains default to ACCEPT.
>>
>> Then, on the remote machine I try to telnet google.com 80, but the connection can't be established. Tcpdump shows that SYN packets arrive but then it's as if they were dropped: they aren't getting to the proxy on port 9999.
>>
>> Any ideas?
>
> Does your proxy application set the IP_TRANSPARENT socket option on the listener socket?

Oops, sorry for the noise. I had forgotten just that.

-- 
Stelian Ionescu a.k.a. fe[nl]ix
Quidquid latine dictum sit, altum videtur.
http://common-lisp.net/project/iolib
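The missing piece in the thread is the listener itself: the mangle-table TPROXY rule and the `local` route in table 100 steer the SYN to port 9999, but the kernel only hands a diverted SYN to a socket that has IP_TRANSPARENT set. The following minimal listener is an added illustration, not code from either poster; it assumes Linux (IP_TRANSPARENT is 19 in <linux/in.h>, used as a fallback when the Python build lacks the constant), that the proxy runs with CAP_NET_ADMIN, and that the gateway rules quoted above are in place. Beyond the thread's question it also shows how to read the option back as a sanity check and how to recover the client's original destination from the accepted socket.

```python
"""Minimal TPROXY-style listener.

Companion rules on the gateway (taken from the thread, run as root):
    ip rule add fwmark 1 lookup 100
    ip route add local 0.0.0.0/0 dev lo table 100
    iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 80 \
        -j TPROXY --on-port 9999 --tproxy-mark 0x1/0x1
"""
import socket
import sys

# Linux value from <linux/in.h>; older Python builds do not export it.
IP_TRANSPARENT = getattr(socket, "IP_TRANSPARENT", 19)


def create_listener(bind_addr="0.0.0.0", port=9999, transparent=True, backlog=128):
    """Create a TCP listener. With transparent=True, IP_TRANSPARENT is set
    *before* bind() so the kernel will deliver TPROXY-diverted SYNs to it.
    Setting the option needs CAP_NET_ADMIN; without it setsockopt() raises
    PermissionError, which is the symptom to look for when SYNs "vanish"."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    if transparent:
        s.setsockopt(socket.IPPROTO_IP, IP_TRANSPARENT, 1)
    s.bind((bind_addr, port))
    s.listen(backlog)
    return s


def is_transparent(sock):
    """Read IP_TRANSPARENT back from the socket. Reading needs no privilege,
    so this is a cheap check that the proxy really set the option."""
    return sock.getsockopt(socket.IPPROTO_IP, IP_TRANSPARENT) == 1


def original_destination(conn):
    """For a connection accepted through TPROXY the socket's *local* address
    is the client's original destination (unlike REDIRECT, where you would
    query SO_ORIGINAL_DST instead)."""
    return conn.getsockname()


def serve_once(listener):
    """Accept one connection and return (peer address, original destination)."""
    conn, peer = listener.accept()
    with conn:
        return peer, original_destination(conn)


if __name__ == "__main__":
    port = int(sys.argv[1]) if len(sys.argv) > 1 else 9999
    try:
        lst = create_listener(port=port)
    except PermissionError:
        sys.exit("setting IP_TRANSPARENT needs CAP_NET_ADMIN; run as root")
    print("listening on port %d, transparent=%s" % (port, is_transparent(lst)))
    while True:
        peer, dst = serve_once(lst)
        print("%s:%d wanted %s:%d" % (peer + dst))
```

Run it as root on the gateway (`python3 tproxy_listener.py 9999`) and each diverted connection prints the client address and the destination it was really trying to reach; a `PermissionError` at startup, or `is_transparent()` returning False, explains exactly the "SYN arrives but never reaches port 9999" picture from the thread.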