Hi,

I'm trying to redirect all IPv6 traffic entering eth0 on port 80 to a locally running proxy server. But for some reason, the remote client gets only a connection timeout. I do see traffic entering eth0 to port 80, but nothing happens.

This is what I did:

    ip -f inet6 rule add fwmark 1 lookup 100
    ip -f inet6 route add local ::/0 dev lo table 100
    ip6tables -t mangle -N DIVERT
    ip6tables -t mangle -A PREROUTING -p tcpo -m socket -j DIVERT
    ip6tables -t mangle -A DIVERT -j MARK --set-xmark 0x1/0xffffffff
    ip6tables -t mangle -A DIVERT -j ACCEPT
    ip6tables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3128

Any ideas why it doesn't actually connect to port 3128? I tried using --on-ip as well, but no difference.

Thanks for any help!

Wim
I have used this concept with success for a UDP-based application:

    # IPv6
    ip6tables -t mangle -A PREROUTING -i eth0 -p udp --dport 4342 -j TPROXY --tproxy-mark 0x2/0x3 --on-port 4342
    ip -6 rule add fwmark 2 lookup 6
    ip -6 route add local ::/0 dev eth0 table 6

I didn't go through your rules thoroughly but in your "ip route" instruction, wouldn't you need to specify the dev as eth0?

Ramin

On Tue, Apr 10, 2012 at 9:32 AM, WG <tproxy@wim.email.be> wrote:
_______________________________________________ tproxy mailing list tproxy@lists.balabit.hu https://lists.balabit.hu/mailman/listinfo/tproxy
-- Ramin
Hi,

On 04/10/2012 03:32 PM, WG wrote:
> I'm trying to redirect all IPv6 traffic entering eth0 on port 80 to a locally running proxy server. But for some reason, the remote client gets only a connection timeout. I do see traffic entering eth0 to port 80, but nothing happens.
>
> This is what I did:
>
>     ip -f inet6 rule add fwmark 1 lookup 100
>     ip -f inet6 route add local ::/0 dev lo table 100
>     ip6tables -t mangle -N DIVERT
>     ip6tables -t mangle -A PREROUTING -p tcpo -m socket -j DIVERT
>     ip6tables -t mangle -A DIVERT -j MARK --set-xmark 0x1/0xffffffff
>     ip6tables -t mangle -A DIVERT -j ACCEPT
>     ip6tables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3128
>
> Any ideas why it doesn't actually connect to port 3128? I tried using --on-ip as well, but no difference.

Your rules look OK -- have you tried running netstat -s and see which counters are increasing? Or maybe using the Netfilter TRACE target to trace your packets through your iptables rules.

Also, you didn't state which version of the kernel you're trying to use.

Cheers,
Krisztian
Hi,

The strange thing is that, if I type all those commands, as soon as I type the last one I can't connect to the server running on port 3128 remotely anymore, not even on the direct IP.

I'm running Linux kernel 3.3.2 (previously tried with 2.6.34).

Any suggestions most welcome...

Kind regards,
Wim

KOVACS Krisztian wrote:
Hi -

What proxy do you use? Is IP_TRANSPARENT enabled on the socket that you are listening on?

R,
Arun

On 18 April 2012 22:48, WG <tproxy@wim.email.be> wrote:
-- Regards, Arun S.
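
The socket-side check asked about in the last message, as an added example that is not part of the original thread and not code from any proxy mentioned in it: an IPv6 listener that sets the transparent flag (IPV6_TRANSPARENT, the AF_INET6 counterpart of IP_TRANSPARENT), reads it back, and prints the original destination of an accepted connection. The function names are hypothetical; port 3128 is the --on-port value from the rules above.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>
#ifndef IPV6_TRANSPARENT
#define IPV6_TRANSPARENT 75 /* value from linux/in6.h */
#endif

/* Mark an AF_INET6 socket transparent: 0, or -errno (-EPERM without CAP_NET_ADMIN). */
int set_transparent6(int fd) {
    int one = 1;
    return setsockopt(fd, IPPROTO_IPV6, IPV6_TRANSPARENT, &one, sizeof one) < 0 ? -errno : 0;
}

/* Read the flag back: 1 if set, 0 if not, -errno on failure. */
int is_transparent6(int fd) {
    int val = 0; socklen_t len = sizeof val;
    return getsockopt(fd, IPPROTO_IPV6, IPV6_TRANSPARENT, &val, &len) < 0 ? -errno : val != 0;
}

/* Listener for the TPROXY rule's --on-port. Returns the fd, or -errno. */
int tproxy_listener6(unsigned short port) {
    struct sockaddr_in6 sa; int rc, fd = socket(AF_INET6, SOCK_STREAM, 0);
    if (fd < 0) return -errno;
    memset(&sa, 0, sizeof sa);          /* all-zero address is in6addr_any (::) */
    sa.sin6_family = AF_INET6; sa.sin6_port = htons(port);
    if ((rc = set_transparent6(fd)) < 0 ||
        bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(fd, 16) < 0) {
        if (rc == 0) rc = -errno;       /* bind/listen failed, not the option */
        close(fd); return rc;
    }
    return fd;
}

int main(void) {
    char dst[INET6_ADDRSTRLEN]; struct sockaddr_in6 orig; socklen_t len = sizeof orig;
    int c, fd = tproxy_listener6(3128); /* 3128: the --on-port from the thread */
    if (fd < 0) { fprintf(stderr, "listener: %s\n", strerror(-fd)); return 1; }
    printf("IPV6_TRANSPARENT readback: %d\n", is_transparent6(fd));
    if ((c = accept(fd, NULL, NULL)) >= 0 && getsockname(c, (struct sockaddr *)&orig, &len) == 0) {
        /* On a diverted connection the local address is the client's original target. */
        inet_ntop(AF_INET6, &orig.sin6_addr, dst, sizeof dst);
        printf("original destination [%s]:%u\n", dst, (unsigned)ntohs(orig.sin6_port));
    }
    return 0;
}
```

A "listener: Operation not permitted" result means the process lacks the capability needed to set the flag, which is worth ruling out before debugging the ip6tables rules themselves.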
participants (4)
- KOVACS Krisztian
- Ramin Dousti
- WG
- Ä╔╘╛Ñ Ä╔╘╛Ñ