Hello

When I tried to listen with a proxy using tproxy like the following, it does not work as intended.

Structure: Client <===> Proxy <===> Server

1. On Proxy, listen on the port 9999.
2. On Proxy, assign Server:2000 using TPROXY_ASSIGN, and set the ITP_LISTEN flag.
3. Client connects to Server:2000.
4. Proxy steals the connection using tproxy (using ITP_LISTEN).
5. Proxy connects to Server:2000.

On "4.", Proxy should connect to server:2000 on "4.". But, actually, the proxy connects to Proxy:9999.

The packet capturing result is like the following. The (*) line is "5.". It should be like "10.65.3.100.47886 > 10.65.3.110.2000".

=========================================================
13:12:30.957695 10.65.1.208.5495 > 10.65.3.110.2000: S 2155077236:2155077236(0) win 65535 <mss 1460,nop,nop,sackOK> (DF)
13:12:30.957821 10.65.1.208.5495 > 10.65.3.100.9999: S 2155077236:2155077236(0) win 65535 <mss 1460,nop,nop,sackOK> (DF)
13:12:30.957837 10.65.3.110.2000 > 10.65.1.208.5495: S 754591780:754591780(0) ack 2155077237 win 5840 <mss 1460,nop,nop,sackOK> (DF) [ttl 1]
13:12:30.957860 10.65.3.110.2000 > 10.65.1.208.5495: S 754591780:754591780(0) ack 2155077237 win 5840 <mss 1460,nop,nop,sackOK> (DF) [ttl 1]
13:12:30.957874 10.65.1.208.5495 > 10.65.3.110.2000: . ack 1 win 65535 (DF)
13:12:30.957884 10.65.1.208.5495 > 10.65.3.100.9999: . ack 754591781 win 65535 (DF)
(*)13:12:30.958069 10.65.3.100.47886 > 10.65.3.100.9999: S 765420716:765420716(0) win 5840 <mss 1460,sackOK,timestamp 1284404 0,nop,wscale 2> (DF)
13:12:30.958096 10.65.3.110.2000 > 10.65.3.100.47886: S 756210562:756210562(0) ack 765420717 win 32768 <mss 16396,sackOK,timestamp 1284404 1284404,nop,wscale 2> (DF) [ttl 1]
13:12:30.958116 10.65.3.100.47886 > 10.65.3.100.9999: . ack 756210563 win 1460 <nop,nop,timestamp 1284404 1284404> (DF)
13:12:30.958152 10.65.3.100.47886 > 10.65.3.100.9999: P 0:10(10) ack 1 win 1460 <nop,nop,timestamp 1284404 1284404> (DF)
13:12:30.958164 10.65.3.110.2000 > 10.65.3.100.47886: . ack 11 win 8192 <nop,nop,timestamp 1284404 1284404> (DF) [ttl 1]
=========================================================

The IP addresses are like the following.
Client: 10.65.1.208
Proxy: 10.65.3.100
Server: 10.65.3.110

Test code is attached.

I have confirmed the issue on both:
"linux-2.6.19.1" with "cttproxy-2.6.19-2.0.6" and
"linux-2.4.31" with "cttproxy-2.4.31-2.0.2"

I guess that the connection is NAT'ed. But I cannot find the way to connect to Server:2000.

This scenario happens during the ftp data connection. For ftp itself, using ip_nat_ftp seems to solve the issue. But can I get any information (reason, advice), if possible?

Thank you !

--
(Nihon F-Secure Corporation) Yoshioka Tsuneo
E-MAIL: Tsuneo.Yoshioka@f-secure.com
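As an added diagnostic example (not part of the original post), the following Python parses tcpdump lines in the format quoted above and separates the intended redirection of client SYNs into the proxy listener from the misdirected SYN that the proxy itself sent into its own listener. The CAPTURE excerpt is constructed from the lines above; the proxy address and listener port are parameters rather than anything the code discovers.

```python
import re
from collections import defaultdict

# Constructed excerpt of the tcpdump output quoted above (tcpdump 3.x style:
# "HH:MM:SS.usec src.port > dst.port: flags ...").
CAPTURE = """\
13:12:30.957695 10.65.1.208.5495 > 10.65.3.110.2000: S 2155077236:2155077236(0) win 65535 <mss 1460,nop,nop,sackOK> (DF)
13:12:30.957821 10.65.1.208.5495 > 10.65.3.100.9999: S 2155077236:2155077236(0) win 65535 <mss 1460,nop,nop,sackOK> (DF)
13:12:30.957837 10.65.3.110.2000 > 10.65.1.208.5495: S 754591780:754591780(0) ack 2155077237 win 5840 <mss 1460,nop,nop,sackOK> (DF) [ttl 1]
(*)13:12:30.958069 10.65.3.100.47886 > 10.65.3.100.9999: S 765420716:765420716(0) win 5840 <mss 1460,sackOK,timestamp 1284404 0,nop,wscale 2> (DF)
13:12:30.958096 10.65.3.110.2000 > 10.65.3.100.47886: S 756210562:756210562(0) ack 765420717 win 32768 <mss 16396,sackOK,timestamp 1284404 1284404,nop,wscale 2> (DF) [ttl 1]
"""

LINE_RE = re.compile(
    r"^(?:\(\*\))?(?P<ts>\d\d:\d\d:\d\d\.\d+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<flags>\S+)"
)


def parse_syns(capture):
    """Yield (src, sport, dst, dport) for every initial SYN (flag S, no ack)."""
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if m and m["flags"] == "S" and " ack " not in line:
            yield m["src"], int(m["sport"]), m["dst"], int(m["dport"])


def stolen_local_connections(capture, proxy_ip, listen_port):
    """Source ports of SYNs the proxy itself sent that ended up on its own
    listener: the symptom of an interception rule catching local traffic."""
    return sorted({sport for src, sport, dst, dport in parse_syns(capture)
                   if src == proxy_ip and (dst, dport) == (proxy_ip, listen_port)})


def redirected_client_connections(capture, proxy_ip, listen_port):
    """{(client, sport): (real_dst, real_dport)} for client SYNs seen both toward
    the real server and rewritten toward the proxy listener (the intended path)."""
    by_flow = defaultdict(list)
    for src, sport, dst, dport in parse_syns(capture):
        if src != proxy_ip:  # skip locally generated traffic
            by_flow[(src, sport)].append((dst, dport))
    listener = (proxy_ip, listen_port)
    return {flow: next(d for d in dsts if d != listener)
            for flow, dsts in by_flow.items()
            if listener in dsts and any(d != listener for d in dsts)}
```

An empty result from `stolen_local_connections` after changing the interception rule confirms the proxy's own connections are no longer being caught.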
Hi,

On Friday 12 January 2007 06:10, Yoshioka Tsuneo wrote:
> When I tried to listen with a proxy using tproxy like the following, it does not work as intended.
> Structure: Client <===> Proxy <===> Server
> 1. On Proxy, listen on the port 9999.
> 2. On Proxy, assign Server:2000 using TPROXY_ASSIGN, and set the ITP_LISTEN flag.
> 3. Client connects to Server:2000.
> 4. Proxy steals the connection using tproxy (using ITP_LISTEN).
> 5. Proxy connects to Server:2000.
> On "4.", Proxy should connect to server:2000 on "4.". But, actually, the proxy connects to Proxy:9999.

This is probably because TProxy cannot differentiate between incoming and outgoing traffic, and when you try to connect to server:2000 that connection also gets stolen.

Try something like this instead:

1. Proxy listens on port 9999
2. Instead of assigning server:2000 on the listener, add an iptables rule:

   iptables -t tproxy -A PREROUTING -s client_net/mask -d server \
       -p tcp --dport 2000 -j TPROXY --on-port 9999

The difference here is that this rule does not apply to locally generated traffic, therefore your connection from the proxy to the server won't get caught. The rest of the process should be OK.

--
Regards,
Krisztian Kovacs
Hello KOVACS Krisztian-san

Thank you for your kind help! Adding the iptables rule seems to solve this issue.

And, while thinking about this issue, I have a question about the difference between the "iptables rule" and tproxy. To keep the src/dst address on the proxy, do both of the following methods cause the same result?

1. Adding an iptables DNAT/SNAT rule for the session used on the socket. (by using setsockopt with SO_SET_REPLACE/SO_SET_ADD_COUNTERS?)
2. Calling the tproxy interface for the socket. (by using setsockopt with TPROXY_ASSIGN/TPROXY_FLAGS)

"1." does not require a kernel patch, but is there some issue? (Ex: performance, or others?)

I would appreciate it if I can get some information.

Thank you !

--
(Nihon F-Secure Corporation) Yoshioka Tsuneo
E-MAIL: Tsuneo.Yoshioka@f-secure.com
_______________________________________________
tproxy mailing list
tproxy@lists.balabit.hu
https://lists.balabit.hu/mailman/listinfo/tproxy
participants (2)
- KOVACS Krisztian
- Yoshioka Tsuneo