Hi,

Having to very suddenly (due to hardware failure) upgrade an old 2.4 tproxy box to a stock 2.6 distro kernel box, I was faced with the problem of the upstream 2.6 kernel (and thus, the distro kernel) not supporting tproxy. REDIRECT functionality does work upstream, but TCP source address spoofing can only be achieved with iptables SNAT.

So, I implemented a small module that can insert SNAT rules into nat/POSTROUTING, and our proxy (in-house program) now uses that instead of tproxy. This works well for us since we don't need all the other functionality that tproxy provides, but of course, YMMV.

I've attached the code we use. It uses libiptc, and may look kind of weird since it was chainsawed from a (much) bigger piece of code, but you'll get the idea. (It flushes and inserts rules in POSTROUTING by default; if that's not appropriate, make a new chain and add a rule to POSTROUTING to jump to that chain.)

It's not been tested incredibly extensively, but since the proxy has been processing 4000-5000 concurrent connections at 200-300 connections per second without a hitch for about 12 hours now, it's at least not completely broken.

cheers,
Lennert


> REDIRECT functionality does work upstream, but TCP source address spoofing can only be achieved with iptables SNAT.

SNAT in -t nat -A OUTPUT does not seem to work AFAICR, so you need at least two boxes to implement the SNAT, right?

Jan Engelhardt


On Tue, Jul 11, 2006 at 11:41:14AM +0200, Jan Engelhardt wrote:

> > REDIRECT functionality does work upstream, but TCP source address spoofing can only be achieved with iptables SNAT.
>
> SNAT in -t nat -A OUTPUT does not seem to work AFAICR, so you need at least two boxes to implement the SNAT, right?

We do it in POSTROUTING and that seems to work fine?

cheers,
Lennert


> > > REDIRECT functionality does work upstream, but TCP source address spoofing can only be achieved with iptables SNAT.
> >
> > SNAT in -t nat -A OUTPUT does not seem to work AFAICR, so you need at least two boxes to implement the SNAT, right?
>
> We do it in POSTROUTING and that seems to work fine?

Oh ok. But on the machine where Squid runs (read: my case), the packets squid generates go on OUTPUT. That's why I think you need a second machine: one where packets can possibly go through POSTROUTING.

Jan Engelhardt


On Tue, Jul 11, 2006 at 02:29:18PM +0200, Jan Engelhardt wrote:

> > > > REDIRECT functionality does work upstream, but TCP source address spoofing can only be achieved with iptables SNAT.
> > >
> > > SNAT in -t nat -A OUTPUT does not seem to work AFAICR, so you need at least two boxes to implement the SNAT, right?
> >
> > We do it in POSTROUTING and that seems to work fine?
>
> Oh ok. But on the machine where Squid runs (read: my case), the packets squid generates go on OUTPUT. That's why I think you need a second machine: one where packets can possibly go through POSTROUTING.

Packets that go through OUTPUT also go through POSTROUTING, don't they? If they don't, then the setup that I have here cannot possibly work at all :)

cheers,
Lennert


> > > > > REDIRECT functionality does work upstream, but TCP source address spoofing can only be achieved with iptables SNAT.
> > > >
> > > > SNAT in -t nat -A OUTPUT does not seem to work AFAICR, so you need at least two boxes to implement the SNAT, right?
> > >
> > > We do it in POSTROUTING and that seems to work fine?
> >
> > Oh ok. But on the machine where Squid runs (read: my case), the packets squid generates go on OUTPUT. That's why I think you need a second machine: one where packets can possibly go through POSTROUTING.
>
> Packets that go through OUTPUT also go through POSTROUTING, don't they?
> If they don't, then the setup that I have here cannot possibly work at all :)

Interesting. I wonder if it solves my problem without requiring TPROXY. :)

Jan Engelhardt
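The rule layout Lennert describes (a dedicated chain that POSTROUTING jumps to, one SNAT rule per proxied connection), expressed with the iptables command line instead of libiptc. This is an added example, not the attached module from the thread, which is not on this page; the chain name PROXY_SNAT and every address and port in it are constructed for the illustration. It also answers the OUTPUT/POSTROUTING question from the later messages: a packet the proxy generates itself passes nat/OUTPUT and then nat/POSTROUTING, so a POSTROUTING SNAT rule matches the proxy's own socket on the same box.

```shell
#!/bin/sh
# Added example (not the thread's libiptc code). The nat chain PROXY_SNAT,
# the client/server addresses and the ports are constructed for illustration.
#
# Layout: one jump from nat/POSTROUTING into a private chain, and one SNAT rule
# per proxied connection keyed on the proxy's local source port plus the
# destination, so only that connection's packets get the client's address
# written into the IP source field.

IPTABLES="${IPTABLES:-iptables}"
CHAIN="${CHAIN:-PROXY_SNAT}"

# One-time setup: create the chain (ignore "already exists"), empty it, and
# make sure POSTROUTING jumps to it exactly once (-C tests for the jump).
setup_cmds() {
    printf '%s\n' \
        "$IPTABLES -t nat -N $CHAIN 2>/dev/null || true" \
        "$IPTABLES -t nat -F $CHAIN" \
        "$IPTABLES -t nat -C POSTROUTING -j $CHAIN 2>/dev/null || $IPTABLES -t nat -A POSTROUTING -j $CHAIN"
}

# Match and target for one connection.
#   $1 client address to present as the source   $2 proxy's local source port
#   $3 server address                             $4 server port
# Locally generated packets traverse nat/OUTPUT and then nat/POSTROUTING, so
# this rule sees the proxy's own outbound SYN without any second machine.
snat_match() {
    echo "-p tcp --sport $2 -d $3 --dport $4 -j SNAT --to-source $1"
}

add_cmd()   { echo "$IPTABLES -t nat -A $CHAIN $(snat_match "$@")"; }
del_cmd()   { echo "$IPTABLES -t nat -D $CHAIN $(snat_match "$@")"; }
check_cmd() { echo "$IPTABLES -t nat -C $CHAIN $(snat_match "$@")"; }

# Execute each command line read from stdin; needs root and the nf_nat modules.
run_cmds() {
    while IFS= read -r line; do
        eval "$line" || return 1
    done
}

# Driver: set up once, add the rule just before the proxy connects to the
# server from local port 40001, verify it, and delete it once the connection
# is established. The nat table is consulted only for the first packet of a
# connection; conntrack keeps the mapping for the rest of the flow, so the
# rule does not have to stay in the chain for the connection's lifetime.
main() {
    setup_cmds | run_cmds
    add_cmd   192.0.2.10 40001 203.0.113.7 80 | run_cmds
    check_cmd 192.0.2.10 40001 203.0.113.7 80 | run_cmds && echo "rule installed"
    del_cmd   192.0.2.10 40001 203.0.113.7 80 | run_cmds
}

if [ "${1:-}" = "--apply" ]; then main; fi
```

Run it as root with `--apply` to exercise the whole add/check/delete cycle; without the flag it only defines the functions. Two things to keep in mind when putting this in front of a real proxy: replies addressed to the client's spoofed address must route back through this box, because conntrack undoes the mapping in PREROUTING and the proxy never sees the reply otherwise; and every rule added for a connection must be deleted again (as `main` does), since at 4000-5000 concurrent connections a chain that only grows is both a performance problem and a stale-rule risk once the proxy's local port is reused.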