[tproxy] Both session stealing and src spoofing (Proxy-Firewall)

Yoshioka Tsuneo tsuneo.yoshioka@f-secure.com
Thu, 19 Jun 2003 17:09:56 +0900


Thank you very much for releasing this nice software.
I am trying to build a proxy firewall on Linux like Firewall-1.

In the tproxy README document, I can read the following descriptions.
    1. Redirect sessions destined to the outer network to a local process
       using a packet filter rule.
    3. Make it possible for a process to initiate a connection with a
       foreign address as a source.

Item #1 can easily be done as follows by using the iptables NAT REDIRECT
target with a normal Linux 2.4 kernel.
  # iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128

And, I have also confirmed #3 can be done by using tproxy as follows.
  /* assign the client's address and port as the foreign (spoofed) source */
  itp.itp_faddr = client_sin.sin_addr;
  itp.itp_fport = client_sin.sin_port;
  setsockopt(s, SOL_IP, IP_TPROXY_ASSIGN, &itp, sizeof(itp));
  /* use the assigned address when connecting out */
  flags = ITP_CONNECT;
  setsockopt(s, SOL_IP, IP_TPROXY_FLAGS, &flags, sizeof(flags));

But when I try to proxy using both #1 and #3 at the same time, it does not work.
After building the proxy-server connection, the client-proxy NAT table does not
work and the source port of the packet from proxy to client is not
I have also tested using squid with the patch (squid-2.5-tproxy-03.diff) from the
following URL, but the same problem happened.

I have tested with cttproxy-2.4.20-14.

Is there any hint to solve this problem?

Thank you.

Yoshioka Tsuneo
E-MAIL: Tsuneo.Yoshioka@f-secure.com
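The accept-and-connect path the post describes (item #1 on the inbound side, item #3 on the outbound side), written out as an added example. This is illustrative code, not the poster's program and not part of cttproxy or squid. It assumes the cttproxy version-1 socket API named in the post (`IP_TPROXY_ASSIGN`, `IP_TPROXY_FLAGS`, `ITP_CONNECT`, `struct in_tproxy` with `itp_faddr`/`itp_fport`) lives in `<linux/netfilter_ipv4/ip_tproxy.h>` on a patched 2.4 kernel; that header and the Linux `SO_ORIGINAL_DST` option are compiled in only when found, so on any other system `tproxy_assign()` and `original_dst()` fail with `ENOPROTOOPT` instead of silently doing nothing. The helper names (`build_spoof_request`, `connect_upstream_as_client`) are this example's own.

```c
/* Added example (not the poster's code, not cttproxy's): one client session
 * of a transparent proxy that (1) recovers the original destination of an
 * iptables-REDIRECTed connection and (2) connects upstream with the client's
 * own address and port as source via the cttproxy v1 API.  Assumed header:
 * <linux/netfilter_ipv4/ip_tproxy.h>, only present on a patched 2.4 kernel. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>

#if defined(__has_include)
#  if __has_include(<linux/netfilter_ipv4.h>)
#    include <linux/netfilter_ipv4.h>           /* SO_ORIGINAL_DST for REDIRECT */
#  endif
#  if __has_include(<linux/netfilter_ipv4/ip_tproxy.h>)
#    include <linux/netfilter_ipv4/ip_tproxy.h> /* cttproxy v1 API (assumed) */
#  endif
#endif

/* Source the upstream connection should carry: the client's address AND port
 * (README item #3, "a foreign address as a source"). Both in network order. */
struct spoof_request {
    struct in_addr faddr;
    uint16_t       fport;
};

/* Note the port goes into fport; the snippet in the post assigned sin_port
 * into itp_faddr, so the kernel never saw the intended port. */
int build_spoof_request(const struct sockaddr_in *client, struct spoof_request *out)
{
    if (client == NULL || out == NULL || client->sin_family != AF_INET)
        return -1;
    out->faddr = client->sin_addr;
    out->fport = client->sin_port;
    return 0;
}

/* Render the request as "a.b.c.d:port" for logging; returns bytes written. */
int format_spoof_request(const struct spoof_request *r, char *buf, size_t len)
{
    char ip[INET_ADDRSTRLEN];
    if (inet_ntop(AF_INET, &r->faddr, ip, sizeof ip) == NULL)
        return -1;
    return snprintf(buf, len, "%s:%u", ip, (unsigned)ntohs(r->fport));
}

/* Original destination of a session that the REDIRECT rule (item #1) sent
 * to our listening port; without it we would not know where to connect. */
int original_dst(int client_fd, struct sockaddr_in *dst)
{
#ifdef SO_ORIGINAL_DST
    socklen_t len = sizeof *dst;
    return getsockopt(client_fd, SOL_IP, SO_ORIGINAL_DST, dst, &len);
#else
    (void)client_fd; (void)dst;
    errno = ENOPROTOOPT;            /* not a Linux/netfilter build */
    return -1;
#endif
}

/* Ask cttproxy to send the outbound connection from the client's address. */
int tproxy_assign(int s, const struct spoof_request *r)
{
#if defined(IP_TPROXY_ASSIGN) && defined(IP_TPROXY_FLAGS) && defined(ITP_CONNECT)
    struct in_tproxy itp;
    int flags = ITP_CONNECT;        /* assign first, then enable for connect() */
    memset(&itp, 0, sizeof itp);
    itp.itp_faddr = r->faddr;
    itp.itp_fport = r->fport;
    if (setsockopt(s, SOL_IP, IP_TPROXY_ASSIGN, &itp, sizeof itp) < 0)
        return -1;
    return setsockopt(s, SOL_IP, IP_TPROXY_FLAGS, &flags, sizeof flags);
#else
    (void)s; (void)r;
    errno = ENOPROTOOPT;            /* kernel without the cttproxy patch */
    return -1;
#endif
}

/* Glue for one accepted client: returns the upstream socket, or -1 with errno
 * set (and nothing leaked) if any step of #1 + #3 fails. */
int connect_upstream_as_client(int client_fd, const struct sockaddr_in *client)
{
    struct sockaddr_in dst;
    struct spoof_request req;
    int s;

    if (build_spoof_request(client, &req) < 0 || original_dst(client_fd, &dst) < 0)
        return -1;
    if ((s = socket(AF_INET, SOCK_STREAM, 0)) < 0)
        return -1;
    if (tproxy_assign(s, &req) < 0 ||
        connect(s, (struct sockaddr *)&dst, sizeof dst) < 0) {
        int saved = errno;
        close(s);
        errno = saved;
        return -1;
    }
    return s;
}
```

A listener bound to the REDIRECT target port (3128 in the post's rule) would call `connect_upstream_as_client()` with the address returned by `accept()`; the order inside `tproxy_assign()` (assign the foreign address, then set `ITP_CONNECT`, then `connect()`) is the sequence the post's snippet performs.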