A general question on xt_socket
Hi all,

A general question: Say I have the following rules configured:

+++++++++++++++++++++++++++++
iptables -t mangle -N DIVERT
iptables -t mangle -I PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 0x1
iptables -t mangle -A DIVERT -j ACCEPT
++++++++++++++++++++++++++++++++++++

In which case can the tcp packets go without hitting the rule "iptables -t mangle -I PREROUTING -p tcp -m socket -j DIVERT"?

-- 
Regards,
Arun S.
On Tue, 2008-10-28 at 18:22 +0530, Arun Srinivasan wrote:
> Hi all,
> A general question:
> Say I have the following rules configured:
> +++++++++++++++++++++++++++++
> iptables -t mangle -N DIVERT
> iptables -t mangle -I PREROUTING -p tcp -m socket -j DIVERT
> iptables -t mangle -A DIVERT -j MARK --set-mark 0x1
> iptables -t mangle -A DIVERT -j ACCEPT
> ++++++++++++++++++++++++++++++++++++
> In which case can the tcp packets go without hitting the rule "iptables -t mangle -I PREROUTING -p tcp -m socket -j DIVERT"?
if there's no applicable local socket to the packet in question, then -m socket will not match.

a socket is applicable if the associated tuple (local ip:port, remote ip:port) matches the packet.

related ICMP packets also match.

-- 
Bazsi
Does this mean there is an appropriate listening socket in the user space?

Apart from IP_TRANSPARENT for the socket option, is there anything else to be done before binding a socket?

TIA

2008/10/29 Balazs Scheidler <bazsi@balabit.hu>:
> On Tue, 2008-10-28 at 18:22 +0530, Arun Srinivasan wrote:
> > [...]
>
> if there's no applicable local socket to the packet in question, then -m socket will not match.
> a socket is applicable if the associated tuple (local ip:port, remote ip:port) matches the packet.
> related ICMP packets also match.
>
> -- Bazsi

-- 
Regards,
Arun S.
On Wed, 2008-10-29 at 20:57 +0530, Arun Srinivasan wrote:
> Does this mean there is an appropriate listening socket in the user space?

not necessarily listening socket, but yes. a socket that is bound to the same address as the destination of the incoming packet.

> Apart from IP_TRANSPARENT for the socket option, is there anything else to be done before binding a socket?

no.

> TIA
> 2008/10/29 Balazs Scheidler <bazsi@balabit.hu>:
> > [...]

-- 
Bazsi
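An added example, not code from the thread or from the tproxy project: a small Python model of the socket lookup Bazsi describes (established 4-tuple first, then a listener on the local ip:port), which is what decides whether a packet enters DIVERT at all, next to the proxy-1 listener that does nothing beyond IP_TRANSPARENT before bind(). The ICMP case is left out, and the addresses and ports in the comments are assumptions.

```python
import socket
from dataclasses import dataclass
from typing import List, Optional

# Linux value of IP_TRANSPARENT (linux/in.h), used if this Python build lacks the constant.
IP_TRANSPARENT = getattr(socket, "IP_TRANSPARENT", 19)


@dataclass(frozen=True)
class Sock:
    """A local TCP socket as the kernel's socket lookup sees it."""
    local_ip: str          # bound address; "0.0.0.0" for INADDR_ANY
    local_port: int
    remote_ip: str = ""    # empty for a listening socket
    remote_port: int = 0


def socket_match(saddr: str, sport: int, daddr: str, dport: int,
                 socks: List[Sock]) -> Optional[Sock]:
    """Model of what -m socket does for an incoming TCP packet: the packet's
    (dst, src) must equal a socket's (local, remote) tuple. Established sockets
    are tried first, then listeners on the local ip:port (a listener bound to
    0.0.0.0 counts). None means the packet never enters DIVERT, so a fresh SYN
    from a client goes on to the TPROXY rule instead."""
    packet = (daddr, dport, saddr, sport)   # local side first, as the socket stores it
    for s in socks:
        if s.remote_ip and (s.local_ip, s.local_port, s.remote_ip, s.remote_port) == packet:
            return s
    for s in socks:
        if not s.remote_ip and s.local_port == dport and s.local_ip in (daddr, "0.0.0.0"):
            return s
    return None


def transparent_listener(bind_ip: str, port: int, backlog: int = 128) -> socket.socket:
    """Listener for proxy-1 (needs CAP_NET_ADMIN). As the thread says, setting
    IP_TRANSPARENT is the only extra step before bind(); connections the TPROXY
    target steers to `port` are accepted here although their destination address
    is not local, and getsockname() on the accepted socket returns that address."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.setsockopt(socket.IPPROTO_IP, IP_TRANSPARENT, 1)
    s.bind((bind_ip, port))
    s.listen(backlog)
    return s
```

In the model, a client's first SYN towards the web server finds no socket and so falls through to the TPROXY rule, while every later packet of the same flow finds the established socket proxy-1 accepted and is marked by DIVERT.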
Thank you.

Currently am facing an issue.. dunno if it is an issue. please clarify.

In a Linux box with tproxy4 (tproxy4-2.6.26-200809262032), I have two proxies, proxy-1 listening on port x and proxy-2 on port y.

With the tproxy rules (tproxy-mark, -m socket, and policy routing), I could redirect the incoming traffic to proxy-1 that listens on port x. However, the request from proxy-1 could not be redirected to proxy-2. The second redirection from proxy-1 to proxy-2 is attempted through a NAT OUTPUT rule.

The configured rules are given below:

++++++++++++ FOR PROXY-1 +++++++++++++++
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --on-port <proxy-1 port> --tproxy-mark 0x1/0x1
ip rule add fwmark 0x1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100
iptables -t mangle -N DIVERT
iptables -t mangle -I PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 0x1
iptables -t mangle -A DIVERT -j ACCEPT
+++++++++++++++++++++++++++++++++++++++++++++++

+++++++++++ FOR PROXY-2 +++++++++++++++++++++++++++++++++++++
iptables -t nat -A OUTPUT -p tcp --dport 80 -j DNAT --to <Interface IP>:<proxy-2 port>
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

The rule for proxy-2 makes only the TCP-SYN packet from proxy-1 to be redirected. Three-way handshake is not successful.

Am I missing out anything or is this the intended behavior?

Thank you.

Regards,
Arun S.

2008/10/29 Balazs Scheidler <bazsi@balabit.hu>:
> On Wed, 2008-10-29 at 20:57 +0530, Arun Srinivasan wrote:
> > Does this mean there is an appropriate listening socket in the user space?
>
> not necessarily listening socket, but yes. a socket that is bound to the same address as the destination of the incoming packet.
>
> > Apart from IP_TRANSPARENT for the socket option, is there anything else to be done before binding a socket?
>
> no.
>
> > TIA
> > [...]
>
> -- Bazsi

-- 
Regards,
Arun S.
On Thu, 2008-10-30 at 01:24 +0530, Arun Srinivasan wrote:
> Thank you.
> Currently am facing an issue.. dunno if it is an issue. please clarify.
> In a Linux box with tproxy4 (tproxy4-2.6.26-200809262032), I have two proxies, proxy-1 listening on port x and proxy-2 on port y.
> With the tproxy rules (tproxy-mark, -m socket, and policy routing), I could redirect the incoming traffic to proxy-1 that listens on port x. However, the request from proxy-1 could not be redirected to proxy-2.
> The second redirection from proxy-1 to proxy-2 is attempted through a NAT OUTPUT rule.
> The configured rules are given below:
> ++++++++++++ FOR PROXY-1 +++++++++++++++
> iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --on-port <proxy-1 port> --tproxy-mark 0x1/0x1
> ip rule add fwmark 0x1 lookup 100
> ip route add local 0.0.0.0/0 dev lo table 100
> iptables -t mangle -N DIVERT
> iptables -t mangle -I PREROUTING -p tcp -m socket -j DIVERT
> iptables -t mangle -A DIVERT -j MARK --set-mark 0x1
> iptables -t mangle -A DIVERT -j ACCEPT
> +++++++++++++++++++++++++++++++++++++++++++++++
> +++++++++++ FOR PROXY-2 +++++++++++++++++++++++++++++++++++++
> iptables -t nat -A OUTPUT -p tcp --dport 80 -j DNAT --to <Interface IP>:<proxy-2 port>
> +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
> The rule for proxy-2 makes only the TCP-SYN packet from proxy-1 to be redirected. Three-way handshake is not successful.
> Am I missing out anything or is this the intended behavior?
This DNAT is a different matter, it has no connection to tproxy. Please check where the SYN-ACK is going (via tcpdump), it should be properly NAT-ed both ways.

Please check the conntrack table whether the appropriate NAT mapping is there.

-- 
Bazsi
Yes. I verified that.

Also fyi, when I enable simplex transparency (only to the client), proxy-1 to proxy-2 communication is successful. Find below the rules used for this scenario:

iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to <proxy-1 port>
iptables -t nat -A OUTPUT -p tcp --dport 80 -j DNAT --to <intf-ip>:<proxy2-port>

With tproxy-mark enabled, am not able to achieve this. Also it was observed that the conntrack state for the OUTPUT-NAT immediately gets into CLOSE state as shown below.

ipv4 2 tcp 6 8 CLOSE src=<client-IP> dst=<web_server-IP> sport=61000 dport=80 packets=3 bytes=140 src=<intf-ip> dst=<client-IP> sport=<proxy2-port> dport=61000 packets=1 bytes=60 mark=0 secmark=0 use=1

I doubt if it has got something to do with policy routing and the socket match.

2008/10/30 Balazs Scheidler <bazsi@balabit.hu>:
> On Thu, 2008-10-30 at 01:24 +0530, Arun Srinivasan wrote:
> > [...]
>
> This DNAT is a different matter, it has no connection to tproxy. Please check where the SYN-ACK is going (via tcpdump), it should be properly NAT-ed both ways.
> Please check the conntrack table whether the appropriate NAT mapping is there.
>
> -- Bazsi

-- 
Regards,
Arun S.
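Added here as an example, not code from the thread: a parser for the /proc/net/nf_conntrack line format Arun posted, plus the mapping check Bazsi asked for and a test for the "stuck after the SYN" symptom. The sample entry is constructed from the thread's line with its placeholders replaced by RFC 5737 documentation addresses and invented ports.

```python
from typing import Any, Dict

# Constructed sample modelled on the entry posted in the thread; the placeholders are
# replaced by client 192.0.2.50, web server 203.0.113.10, interface 198.51.100.1 and
# proxy-2 on port 3129 (all assumptions).
SAMPLE_ENTRY = ("ipv4 2 tcp 6 8 CLOSE src=192.0.2.50 dst=203.0.113.10 sport=61000 dport=80 "
                "packets=3 bytes=140 src=198.51.100.1 dst=192.0.2.50 sport=3129 dport=61000 "
                "packets=1 bytes=60 mark=0 secmark=0 use=1")

TUPLE_KEYS = ("src", "dst", "sport", "dport", "packets", "bytes")


def parse_conntrack_line(line: str) -> Dict[str, Any]:
    """Parse one /proc/net/nf_conntrack entry. The first src/dst/sport/dport group is
    the original direction, the second one (as rewritten by NAT) the reply direction;
    bracketed tokens such as [UNREPLIED] or [ASSURED] are collected as flags."""
    tok = line.split()
    entry = {"l3": tok[0], "proto": tok[2], "timeout": int(tok[4]), "state": None,
             "flags": [], "orig": {}, "reply": {}, "extra": {}}
    i = 5
    if entry["proto"] == "tcp":            # only TCP entries carry a state column
        entry["state"], i = tok[5], 6
    direction = entry["orig"]
    for t in tok[i:]:
        if t.startswith("[") and t.endswith("]"):
            entry["flags"].append(t[1:-1])
            continue
        k, _, v = t.partition("=")
        if k == "src" and "src" in direction:   # a second src= opens the reply tuple
            direction = entry["reply"]
        target = direction if k in TUPLE_KEYS else entry["extra"]
        target[k] = int(v) if v.isdigit() else v
    return entry


def dnat_mapping_ok(entry: Dict[str, Any], dnat_ip: str, dnat_port: int) -> bool:
    """The check Bazsi asked for: with the OUTPUT DNAT rule in effect, replies must
    come from the DNAT target (interface IP, proxy-2 port) back to the original source."""
    o, r = entry["orig"], entry["reply"]
    return (r.get("src") == dnat_ip and r.get("sport") == dnat_port
            and r.get("dst") == o.get("src") and r.get("dport") == o.get("sport"))


def handshake_incomplete(entry: Dict[str, Any]) -> bool:
    """True when the flow never got past the handshake: at most one packet in the
    reply direction (a SYN-ACK or a RST) and a state other than ESTABLISHED, which is
    the CLOSE-with-one-reply-packet picture reported in the thread."""
    return entry["reply"].get("packets", 0) <= 1 and entry["state"] != "ESTABLISHED"
```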
Any updates/pointers on this?

2008/10/31 Arun Srinivasan <hi2arun@gmail.com>:
> Yes. I verified that.
> Also fyi, when I enable simplex transparency (only to the client), proxy-1 to proxy-2 communication is successful. Find below the rules used for this scenario:
> iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to <proxy-1 port>
> iptables -t nat -A OUTPUT -p tcp --dport 80 -j DNAT --to <intf-ip>:<proxy2-port>
> With tproxy-mark enabled, am not able to achieve this. Also it was observed that the conntrack state for the OUTPUT-NAT immediately gets into CLOSE state as shown below.
> ipv4 2 tcp 6 8 CLOSE src=<client-IP> dst=<web_server-IP> sport=61000 dport=80 packets=3 bytes=140 src=<intf-ip> dst=<client-IP> sport=<proxy2-port> dport=61000 packets=1 bytes=60 mark=0 secmark=0 use=1
> I doubt if it has got something to do with policy routing and the socket match.
> 2008/10/30 Balazs Scheidler <bazsi@balabit.hu>:
> > [...]
> -- Regards, Arun S.

-- 
Regards,
Arun S.