Re: [tproxy] Problem with redirection from 80 to 8080 with -j TPROXY redirect [SOLVED]
Hello All,

Even the listen socket needs to have setsockopt(IP_TRANSPARENT). I missed that, I was doing it only for the backend connecting socket.

Thanks
-- Pranav

On Mon, Mar 2, 2009 at 12:16 PM, Pranav Desai <pranavadesai@gmail.com> wrote:
Hello All,
I am having some trouble redirecting port 80 traffic to 8080 using tproxy for transparent proxying. The SYNs come in but there is no SYN-ACK going out. The iptables -L output does show the rules being matched.
tcpdump output
--------------------
# tcpdump -nn -i eth1 port 8080 or port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
12:12:30.973583 IP 13.1.1.1.34879 > 172.16.55.205.80: S 2941026950:2941026950(0) win 5840 <mss 1460,sackOK,timestamp 3948186312 0,nop,wscale 7>
12:12:33.974329 IP 13.1.1.1.34879 > 172.16.55.205.80: S 2941026950:2941026950(0) win 5840 <mss 1460,sackOK,timestamp 3948189312 0,nop,wscale 7>

Kernel (with tproxy enabled) and iptables version
--------------------------------------------------------------
# iptables -V
iptables v1.4.3-rc1
# uname -a
Linux dev 2.6.28.3 #1 SMP Sun Mar 1 23:13:20 PST 2009 x86_64 x86_64 x86_64 GNU/Linux
I am only trying to get the first step of redirection working.
Are these instructions in the README enough, or do I need anything else?
<instructions>
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --on-port <proxyport> --tproxy-mark 0x1/0x1
ip rule add fwmark 1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100
</instructions>
I do have 2 interfaces, does that have anything to do with the problem?
I have even tried with the other mangle rules (the rules for socket match) given in the README, but still no difference. I have given some details below, but let me know if you need any other details.
Thanks -- Pranav
mangle table (nat and filter table are empty)
--------------------------------------------------------
Chain PREROUTING (policy ACCEPT 31132 packets, 2279K bytes)
 pkts bytes target     prot opt in     out     source               destination
    3   180 TPROXY     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 TPROXY redirect 0.0.0.0:8080 mark 0x1/0x1

Chain INPUT (policy ACCEPT 33779 packets, 2304K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 36335 packets, 35M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 36355 packets, 35M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain DIVERT (0 references)
 pkts bytes target     prot opt in     out     source               destination
Here are my ip rule and route settings
---------------------------------------------
# ip rule ls
0:      from all lookup 255
32765:  from all fwmark 0x1 lookup 100
32766:  from all lookup main
32767:  from all lookup default

# ip route ls table 100
local default dev lo  scope host
Here are my modules.
---------------------------
# lsmod | egrep "xt|nf"
xt_TPROXY               2944  1
xt_socket               3264  0
nf_tproxy_core          3200  2 xt_TPROXY,xt_socket,[permanent]
xt_MARK                 3456  0
nf_nat                 18580  2 ipt_REDIRECT,iptable_nat
nf_conntrack_ipv4      14680  3 iptable_nat,nf_nat
nf_conntrack           58984  4 xt_socket,iptable_nat,nf_nat,nf_conntrack_ipv4
nf_defrag_ipv4          2560  3 xt_TPROXY,xt_socket,nf_conntrack_ipv4
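As an added example (not code from this thread or from the tproxy project), here is the shape of a minimal Linux transparent proxy in C that applies the fix above: IP_TRANSPARENT on the listening socket as well as on the backend socket, and recovery of the original destination from the accepted socket. The port 8080, the function names make_listener / original_destination / connect_backend, and the transparent flag are my own choices; the code assumes the mangle TPROXY rule, the fwmark rule and the table-100 local route from the quoted message are in place, and CAP_NET_ADMIN for the transparent path.

```c
/* Added example, not from the original thread. Assumes Linux with the
 * TPROXY mangle rule, "ip rule add fwmark 1 lookup 100" and the table-100
 * local route already configured, and CAP_NET_ADMIN when transparent=1. */
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>   /* IP_TRANSPARENT */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Listening socket on 0.0.0.0:port. With transparent=1 it gets IP_TRANSPARENT,
 * which is what lets the kernel hand TPROXY-diverted SYNs (addressed to a
 * foreign IP such as 172.16.55.205) to this socket instead of dropping them.
 * Returns the fd, or -1 with errno set. */
int make_listener(uint16_t port, int transparent) {
    int one = 1, fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    if (setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one) < 0) goto fail;
    if (transparent &&
        setsockopt(fd, IPPROTO_IP, IP_TRANSPARENT, &one, sizeof one) < 0) goto fail;
    struct sockaddr_in sin = { .sin_family = AF_INET, .sin_port = htons(port),
                               .sin_addr.s_addr = htonl(INADDR_ANY) };
    if (bind(fd, (struct sockaddr *)&sin, sizeof sin) < 0) goto fail;
    if (listen(fd, 128) < 0) goto fail;
    return fd;
fail: {
        int saved = errno; close(fd); errno = saved; return -1;
    }
}

/* On a TPROXY-diverted connection the accepted socket's *local* address is
 * the address the client originally dialled, so plain getsockname() recovers
 * it (no SO_ORIGINAL_DST as with -j REDIRECT). Returns 0 or -1. */
int original_destination(int conn_fd, struct sockaddr_in *dst) {
    socklen_t len = sizeof *dst;
    return getsockname(conn_fd, (struct sockaddr *)dst, &len);
}

/* Backend leg. With transparent=1 the socket is bound to the client's own IP
 * before connect(), so the server sees the client address; that non-local
 * bind is only permitted because IP_TRANSPARENT is set on this socket too. */
int connect_backend(const struct sockaddr_in *client,
                    const struct sockaddr_in *dst, int transparent) {
    int one = 1, fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    if (transparent) {
        struct sockaddr_in src = *client;
        src.sin_port = 0;  /* kernel picks the source port; client IP is kept */
        if (setsockopt(fd, IPPROTO_IP, IP_TRANSPARENT, &one, sizeof one) < 0) goto fail;
        if (bind(fd, (struct sockaddr *)&src, sizeof src) < 0) goto fail;
    }
    if (connect(fd, (const struct sockaddr *)dst, sizeof *dst) < 0) goto fail;
    return fd;
fail: {
        int saved = errno; close(fd); errno = saved; return -1;
    }
}

int main(void) {
    int lfd = make_listener(8080, 1);   /* 8080 matches --on-port in the thread */
    if (lfd < 0) { perror("make_listener (needs CAP_NET_ADMIN)"); return 1; }
    for (;;) {
        struct sockaddr_in client, dst;
        socklen_t clen = sizeof client;
        int cfd = accept(lfd, (struct sockaddr *)&client, &clen);
        if (cfd < 0) { perror("accept"); continue; }
        if (original_destination(cfd, &dst) < 0) { perror("getsockname"); close(cfd); continue; }
        char c[INET_ADDRSTRLEN], d[INET_ADDRSTRLEN];
        inet_ntop(AF_INET, &client.sin_addr, c, sizeof c);
        inet_ntop(AF_INET, &dst.sin_addr, d, sizeof d);
        printf("diverted %s:%u -> %s:%u\n", c, ntohs(client.sin_port), d, ntohs(dst.sin_port));
        int bfd = connect_backend(&client, &dst, 1);
        if (bfd < 0) perror("connect_backend");
        else close(bfd);   /* a real proxy would relay bytes between cfd and bfd here */
        close(cfd);
    }
}
```

Two things follow from the thread's symptom: without IP_TRANSPARENT on the listener the diverted SYN reaches the box (tcpdump sees it) but no socket is willing to own a foreign destination address, so no SYN-ACK is ever sent; and once the backend leg is bound to the client IP, the server's replies are addressed to the client, so the proxy box needs the socket-match rules from the README to steer those replies back into the proxy socket.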
Hi,

On Tue, Mar 03, 2009 at 10:33:05 -0800, Pranav Desai wrote:
Hello All,
Even the listen socket needs to have setsockopt(IP_TRANSPARENT). I missed that, I was doing it only for the backend connecting socket.
I'm glad you solved it. And thanks for sharing the solution with the list.

-- KOVACS Krisztian