Re: [tproxy] tproxy development version 1.1.3
Hi Krisztian, So does this interaction with the NAT tables explain why IP masquerade rules are being ignored when a connection is tproxied? I wonder if there is a good way around that? Thanks! Tim __________________________________ Do you Yahoo!? Protect your identity with Yahoo! Mail AddressGuard http://antispam.yahoo.com/whatsnewfree
On Mon, Nov 03, 2003 at 10:58:40PM -0800, Tim Burress wrote:
Hi Krisztian,
So does this interaction with the NAT tables explain why IP masquerade rules are being ignored when a connection is tproxied? I wonder if there is a good way around that?
definitely, if you have a matching TPROXY rule it will never even enter the NAT table. What do you want to accomplish? If a TPROXY rule is matched the connection will be processed by a userspace proxy, there's no point in masquerading. -- Bazsi PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
Hello! As an example, consider a firewall machine with interfaces to the usual public, DMZ, and local networks. Proxy programs are used to monitor traffic like SMTP or POP to scan for viruses and other undesirables. The original proxy code used REDIRECT rules to intercept connections, and opened independent sessions between the client-proxy and proxy-server. Just what you'd expect, but without tproxy it is not transparent, and this causes application layer problems. So we add tproxy, and inbound SMTP works like a charm. The internal server sees the connection as if it originated from the actual client, which is just what we'd hoped for. The trouble comes with outgoing SMTP from the local network. If these hosts use private addresses, then when tproxy is used, the outside server sees the traffic as originating from the unroutable private address, which would normally have been masqueraded at the firewall. As a result, all outbound connections fail. One solution would be to modify the proxy so that it decides whether to be transparent or not based on the direction of traffic, and that would work fine in fixed, simple cases, but since firewall rules can become arbitrarily complex, it seems like it would be better to find a solution within iptables. One idea might be to incorporate the TPROXY rules into the existing NAT chains, so that transparency could be invoked or not depending on the order in which the rules appeared. You could mix REDIRECT, TPROXY, and other NAT rules as needed in order to produce the desired behavior. As it is, tproxy always takes precedence, which eliminates a lot of control, especially in complex networks. I realize you went to a lot of trouble to keep the tproxy rules separated, so I wondered if you had a better workaround for this kind of situation? Thanks! Tim --- Balazs Scheidler <bazsi@balabit.hu> wrote:
On Mon, Nov 03, 2003 at 10:58:40PM -0800, Tim Burress wrote:
Hi Krisztian,
So does this interaction with the NAT tables explain why IP masquerade rules are being ignored when a connection is tproxied? I wonder if there is a good way around that?
definitely, if you have a matching TPROXY rule it will never even enter the NAT table. What do you want to accomplish? If a TPROXY rule is matched the connection will be processed by a userspace proxy, there's no point in masquerading.
-- Bazsi PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
__________________________________ Do you Yahoo!? Protect your identity with Yahoo! Mail AddressGuard http://antispam.yahoo.com/whatsnewfree
Hi, Tim Burress wrote:
One solution would be to modify the proxy so that it decides whether to be transparent or not based on the direction of traffic, and that would work fine in fixed, simple cases, but since firewall rules can become arbitrarily complex, it seems like it would be better to find a solution within iptables. One idea might be to incorporate the TPROXY rules into the existing NAT chains, so that transparency could be invoked or not depending on the order in which the rules appeared. You could mix REDIRECT, TPROXY, and other NAT rules as needed in order to produce the desired behavior. As it is, tproxy always takes precedence, which eliminates a lot of control, especially in complex networks.
So, to summarize: you have such a config that the firewall does SNAT only part of the traffic, packets coming from routable IP addresses should be left intact. However, your proxy tries to forge original sender addresses, and because of when tproxy is used, the NAT table is not consulted, the private IPs of the non-routable subnet are forwarded. Unfortunately, as Balazs already pointed out, using MASQ and tproxy does not mix, and it won't help if you move your TPROXY rules to anywhere. The 'tproxy' iptables table is only part of the game, but tproxy _does_ apply NAT mapping even when that table is completely empty, but you have assigned a foreign address from your proxy software (using setsockopt). In fact, in the tproxy hook, the 'tproxy' table is consulted only if such an assigned address is not found for the socket. And once tproxy has assigned a mapping for the connection, the 'nat' table (which is checked after tproxy has done its work) is not traversed at all. What could the solution be? Currently I don't see an easy solution for modifying tproxy to be able to do MASQ also, so your problem should be worked around on a userspace level. But instead of proxy-level logic to decide if you have need transparency, you could classify your traffic using iptables rules, and forward the routable and non-routable part to two separate proxies. The traffic coming from routable addresses should be processed by the transparent proxy, all other traffic should go the the not transparent one. (I really don't know your environment, but I can't currently think of a problem why you couldn't run more instances of your proxy with different configuration.) This way, the decision layer for transparency is in your iptables ruleset, and apart from having to run two sets of proxies, I think it's a rather straightforward configuration. (And, it's a cleaner solution, since you don't do address manipulation twice: once to change the local source address to the original source, and then to change the original to the NAT-ted...) Of course, separating the proxy and the packet filter machine could also solve your problem... -- Regards, Krisztian KOVACS
Balazs and Krisztian, Thanks very much for these informative replies. Sometimes it's just good to make sure there is no immediate solution before trying to work around, and you've clarified some confusion I had about netfilter as well. Thanks! Tim __________________________________ Do you Yahoo!? Protect your identity with Yahoo! Mail AddressGuard http://antispam.yahoo.com/whatsnewfree
participants (3)
-
Balazs Scheidler
-
KOVACS Krisztian
-
Tim Burress