Hi

I thought some more info might be helpful for someone following this thread. In my code, when I call "setsockopt" to set the TPROXY_ASSIGN and TPROXY_FLAGS options, I get an error. Please see the code below. Any ideas why this might be? Also, if I set the local address port to 0 or the foreign address port to 0, how does that matter? In other words, how important is the port assignment?

thanks in advance
Jojy

##### Code Begins #########################
struct in_tproxy itp;
struct sockaddr_in sin;

/* Set the TPROXY_VERSION option */
itp.op = TPROXY_VERSION;
itp.v.version = 0x02000000;
if (setsockopt(handle, SOL_IP, IP_TPROXY, &itp, sizeof(itp)) == -1) {
    __log(LOG_ERROR, L"Error Setting version");
}

/* Bind to the local address and port */
sin.sin_family = AF_INET;
inet_aton("192.168.1.74", &sin.sin_addr);
sin.sin_port = htons(9999);
if (bind(handle, (struct sockaddr *)&sin, sizeof(sin)) == -1) {
    __log(LOG_ERROR, L"Error Binding");
}

/* Set the TPROXY_ASSIGN option with the foreign address and port */
itp.op = TPROXY_ASSIGN;
inet_aton("192.168.1.75", (struct in_addr *)&itp.v.addr.faddr);
itp.v.addr.fport = htons(2000);
if (setsockopt(handle, SOL_IP, IP_TPROXY, &itp, sizeof(itp)) == -1) {
    __log(LOG_ERROR, L"Error Setting Assign Option ");
}

/* Set the TPROXY_FLAGS option to ITP_CONNECT */
itp.op = TPROXY_FLAGS;
itp.v.flags = ITP_CONNECT;
if (setsockopt(handle, SOL_IP, IP_TPROXY, &itp, sizeof(itp)) == -1) {
    __log(LOG_ERROR, L"Error Setting Flags Option ");
}

// Code to connect follows
### Code ends ####

####

Message: 1
Date: Mon, 13 Aug 2007 10:13:15 +0200
From: Laszlo Attila Toth <panther@balabit.hu>
Subject: Re: [tproxy] TPROXY + Cisco Firewall
To: tproxy@lists.balabit.hu
Message-ID: <200708131013.16001.panther@balabit.hu>
Content-Type: text/plain; charset="utf-8"

On Sunday 12 August 2007 00.28.07 Jojy Varghese wrote:
> Hi all
>
> 3. I have verified my changes by creating a REDIRECTION rule in the tproxy chain (can list my iptable changes by doing "iptables -t tproxy -L")
Hello,

For instance, a client tries to connect to a webserver somewhere on the Internet listening on port 80, and your proxy is listening on port 50080. The iptables rule that redirects packets to that port is the following:

    iptables -t tproxy -p tcp --dport 80 -j TPROXY --on-port 50080

The next one is to allow incoming traffic on that port. Because the TPROXY target marks the packet, the following rule accepts these packets:

    iptables -t filter -A INPUT -m tproxy -j ACCEPT

A tutorial is available here: http://www.balabit.hu/network-security/zorp-gateway/gpl/tutorial/

--
Regards,
Laszlo Attila Toth

------------------------------

_______________________________________________
tproxy mailing list
tproxy@lists.balabit.hu
https://lists.balabit.hu/mailman/listinfo/tproxy

End of tproxy Digest, Vol 26, Issue 11
**************************************
Hello,

You use an old version of TProxy. Is there any reason for that? TProxy4 is stable, there is an iptables patch for svn version r7008 - which is partially ported to xtables by Jan. Check TProxy 4.0.1 for these patches.

Jojy Varghese wrote:
> Hi
>
> I thought some more info might be helpful for someone following this thread. In my code, when I call "setsockopt" to set the TPROXY_ASSIGN and TPROXY_FLAGS options, I get an error. Please see the code below. Any ideas why this might be? Also, if I set the local address port to 0 or the foreign address port to 0, how does that matter? In other words, how important is the port assignment?
>
> thanks in advance
> Jojy
>
> ##### Code Begins #########################
> struct in_tproxy itp;
> struct sockaddr_in sin;
>
> /* Set the TPROXY_VERSION option */
> itp.op = TPROXY_VERSION;
> itp.v.version = 0x02000000;
> if (setsockopt(handle, SOL_IP, IP_TPROXY, &itp, sizeof(itp)) == -1) {
>     __log(LOG_ERROR, L"Error Setting version");
> }
>
> /* Bind to the local address and port */
> sin.sin_family = AF_INET;
> inet_aton("192.168.1.74", &sin.sin_addr);
> sin.sin_port = htons(9999);
> if (bind(handle, (struct sockaddr *)&sin, sizeof(sin)) == -1) {
>     __log(LOG_ERROR, L"Error Binding");
> }
>
> /* Set the TPROXY_ASSIGN option with the foreign address and port */
> itp.op = TPROXY_ASSIGN;
> inet_aton("192.168.1.75", (struct in_addr *)&itp.v.addr.faddr);
> itp.v.addr.fport = htons(2000);
> if (setsockopt(handle, SOL_IP, IP_TPROXY, &itp, sizeof(itp)) == -1) {
>     __log(LOG_ERROR, L"Error Setting Assign Option ");
> }
>
> /* Set the TPROXY_FLAGS option to ITP_CONNECT */
> itp.op = TPROXY_FLAGS;
> itp.v.flags = ITP_CONNECT;
> if (setsockopt(handle, SOL_IP, IP_TPROXY, &itp, sizeof(itp)) == -1) {
>     __log(LOG_ERROR, L"Error Setting Flags Option ");
> }
>
> // Code to connect follows
> ### Code ends ####
-- Panther
On Aug 16 2007 09:20, Laszlo Attila Toth wrote:
> Hello,
>
> You use an old version of TProxy. Is there any reason for that? TProxy4 is stable, there is an iptables patch for svn version r7008 - which is partially ported to xtables by Jan. Check TProxy 4.0.1 for these patches.

It is fully ported.

Jan
--
Jan Engelhardt wrote:
> On Aug 16 2007 09:20, Laszlo Attila Toth wrote:
>> Hello,
>>
>> You use an old version of TProxy. Is there any reason for that? TProxy4 is stable, there is an iptables patch for svn version r7008 - which is partially ported to xtables by Jan. Check TProxy 4.0.1 for these patches.
>
> It is fully ported.
>
> Jan

I mean: I used only your xt_TPROXY patch as libxt_TPROXY.c because libxt_tproxy.c wasn't in it. Perhaps I missed something :(

--
Panther
On Aug 16 2007 11:13, Laszlo Attila Toth wrote:
> Jan Engelhardt wrote:
>> On Aug 16 2007 09:20, Laszlo Attila Toth wrote:
>>> Hello,
>>>
>>> You use an old version of TProxy. Is there any reason for that? TProxy4 is stable, there is an iptables patch for svn version r7008 - which is partially ported to xtables by Jan. Check TProxy 4.0.1 for these patches.
>>
>> It is fully ported.
>
> I mean: I used only your xt_TPROXY patch as libxt_TPROXY.c because libxt_tproxy.c wasn't in it. Perhaps I missed something :(

Ah that's because there was no xt_tproxy (match) in Krisztian's last snapshot.

Jan
--
participants (3)
- Jan Engelhardt
- Jojy Varghese
- Laszlo Attila Toth