Hi,

I want to write a full transparency proxy too.
Squid and haproxy are so complicated that I can't quickly understand how tproxy works. And I am new to iptables. If there is a sample piece of code which is simple, I think it would be helpful.

I wrote some code which failed at initiating connections with a foreign address as a source. The reason is timeout while attempting connection. Where am I wrong?

Thanks.

My code:

#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

#define NON_LOCAL_IP "192.168.111.23"   /* a client address, not one of ours */
#define NON_LOCAL_PORT 2000

int main(void)
{
    struct sockaddr_in non_local_addr, dst_addr;
    int optvalue = 1;
    int sockfd = socket(AF_INET, SOCK_STREAM, 0);

    /* source: the foreign address the connection should appear to come from */
    memset(&non_local_addr, 0, sizeof(non_local_addr));
    non_local_addr.sin_family = AF_INET;
    inet_pton(AF_INET, NON_LOCAL_IP, &non_local_addr.sin_addr);
    non_local_addr.sin_port = htons(NON_LOCAL_PORT);

    setsockopt(sockfd, SOL_SOCKET, SO_REUSEADDR, &optvalue, sizeof(optvalue));
    /* IP_TRANSPARENT lets bind() take a non-local address (needs CAP_NET_ADMIN) */
    setsockopt(sockfd, SOL_IP, IP_TRANSPARENT, &optvalue, sizeof(optvalue));
    if (bind(sockfd, (struct sockaddr *)&non_local_addr, sizeof(non_local_addr)) < 0)
        perror("bind");

    /* destination: the real server */
    memset(&dst_addr, 0, sizeof(dst_addr));
    dst_addr.sin_family = AF_INET;
    dst_addr.sin_addr.s_addr = inet_addr("192.168.1.1");
    dst_addr.sin_port = htons(80);

    if (connect(sockfd, (struct sockaddr *) &dst_addr, sizeof(dst_addr)) < 0)
        perror("connect"); // ETIMEDOUT
    return 0;
}
On Mon, 2011-05-02 at 19:42 +0800, 文剑 wrote:
Are you sure the reverse direction is routed back through your box? That is needed for tproxy to pick up packets. E.g. the server should route client-destined packets using your box as a gateway.

-- Bazsi
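The plumbing Bazsi's reply assumes, as an added example that is not code from this thread: a script that installs the standard TPROXY iptables and policy-routing rules on the proxy box (the proxy port 3128, the intercepted port 80, fwmark 1 and routing table 100 are assumed placeholders), plus a small helper for checking on the server that its route back to the client really goes via the proxy box.

```shell
#!/bin/sh
# Added example, not code from the thread. Minimal TPROXY plumbing on the proxy box,
# with assumed values: proxy listens on 3128, intercepts TCP/80, fwmark 1, table 100.
# The "-m socket" rule plus the policy route are what hand the server's SYN-ACK
# (addressed to the spoofed client IP) to the local IP_TRANSPARENT socket instead of
# forwarding it on; without them connect() times out even when the return route is right.
TPROXY_PORT=${TPROXY_PORT:-3128}
INTERCEPT_PORT=${INTERCEPT_PORT:-80}
MARK=1
TABLE=100

# With DRY_RUN=1 the commands are printed instead of executed (no root needed).
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

tproxy_setup() {
    # The box must forward, since the server uses it as the gateway back to clients.
    run sysctl -w net.ipv4.ip_forward=1
    # Marked packets are looked up in a table that declares everything local.
    run ip rule add fwmark "$MARK" lookup "$TABLE"
    run ip route add local 0.0.0.0/0 dev lo table "$TABLE"
    # DIVERT: packets that match an existing transparent socket (e.g. replies to our
    # spoofed-source connection) get the mark and are delivered locally.
    run iptables -t mangle -N DIVERT
    run iptables -t mangle -A DIVERT -j MARK --set-mark "$MARK"
    run iptables -t mangle -A DIVERT -j ACCEPT
    run iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
    # New client connections to the intercepted port are steered to the proxy.
    run iptables -t mangle -A PREROUTING -p tcp --dport "$INTERCEPT_PORT" \
        -j TPROXY --tproxy-mark "$MARK/$MARK" --on-port "$TPROXY_PORT"
}

# Bazsi's check, run on the *server*: does its route to the client go via the proxy?
# $1 is the output of `ip route get <client_ip>`, $2 the proxy box's IP; returns 0 if so.
route_goes_via() {
    case " $1 " in *" via $2 "*) return 0 ;; esac
    return 1
}

# TPROXY_APPLY=1 sh tproxy.sh applies the rules; add DRY_RUN=1 to preview them first.
if [ "${TPROXY_APPLY:-0}" = 1 ]; then
    tproxy_setup
fi
```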
I added a static route. I found the reason. One of my TP-Link devices has a bug which quietly ignored my static route configuration.

2011/5/4 Balazs Scheidler <bazsi@balabit.hu>