[tproxy] Both session stealing and src spoofing.(Proxy-Firewall)

Balazs Scheidler bazsi@balabit.hu
Thu, 19 Jun 2003 13:40:29 +0200


On Thu, Jun 19, 2003 at 05:09:56PM +0900, Yoshioka Tsuneo wrote:
> Hello
> 
> Thank you very much for releasing such nice software.
> I am trying to build a proxy-firewall on Linux like Firewall-1.
> 
> In the tproxy README, I can read the following descriptions.
>     1. Redirect sessions destined to the outer network to a local process
>        using a packet filter rule.
>     3. Make it possible for a process to initiate a connection with a
>        foreign address as a source.
> 
> Item #1 can easily be done as follows by using iptables NAT
> REDIRECT with a normal Linux 2.4 kernel.
>   # iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128
> 
> And, I have also confirmed #3 can be done by using tproxy as follows.
>   struct in_tproxy itp;
>   int flags;
> 
>   itp.itp_faddr = client_sin.sin_addr;
>   itp.itp_fport = client_sin.sin_port;
>   setsockopt(s, SOL_IP, IP_TPROXY_ASSIGN, &itp, sizeof(itp));
>   flags = ITP_CONNECT;
>   setsockopt(s, SOL_IP, IP_TPROXY_FLAGS, &flags, sizeof(flags));
> 
> But when I try to proxy using both #1 and #3 at the same time, it does not work.
> After building the proxy-server connection, the client-proxy NAT table does not
> work and the source port of the packet from proxy to client is not
> transferred.
> I have also tested using squid with the patch (squid-2.5-tproxy-03.diff) from the
> following URL, but the same problem happened.
>   http://www.scaramanga.co.uk/
> 
> I have tested with cttproxy-2.4.20-14.
> 
> Is there any hint to solve this problem ?

If I understand correctly what you mean here, it is not currently possible
as the tuple of the connection must be unique.

The tuple includes source address, source port, destination address,
destination port. The incoming connection and the connection on the
server side have the same tuples. Do you really need to also fake the source
port towards the server?

In our experience, choosing a different port dynamically towards the server
causes no problems.

-- 
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
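As an added illustration of the tuple clash described in the reply above (example code written for this page, not part of cttproxy, squid, or either message; the client and server addresses and the port numbers are constructed sample values, and the kernel's connection table is modelled by a plain Python set rather than by conntrack):

```python
"""Model of the 4-tuple clash that breaks REDIRECT plus full source
spoofing, and of the fix (let the proxy-to-server side pick its own source
port). This is example code for this page: it models a tuple table in
Python and does not touch the kernel, tproxy, or conntrack. Addresses and
ports are constructed sample values."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Tuple4:
    """One direction of a TCP connection as the kernel identifies it."""
    saddr: str
    sport: int
    daddr: str
    dport: int


class TupleTable:
    """Minimal stand-in for the kernel's set of live connection tuples:
    every tuple must be unique, which is exactly the constraint in the reply."""

    def __init__(self):
        self._live = set()

    def add(self, t: Tuple4) -> None:
        if t in self._live:
            raise ValueError(f"tuple already in use: {t}")
        self._live.add(t)

    def __contains__(self, t: Tuple4) -> bool:
        return t in self._live

    def free_source_port(self, saddr, daddr, dport, low=32768, high=60999):
        """Pick the lowest source port that keeps (saddr, port, daddr, dport)
        unique, the way a kernel does when the caller does not pin the port."""
        for port in range(low, high + 1):
            if Tuple4(saddr, port, daddr, dport) not in self._live:
                return port
        raise RuntimeError("ephemeral port range exhausted")


CLIENT, SERVER = "192.0.2.10", "198.51.100.5"   # constructed sample addresses
CLIENT_PORT, SERVER_PORT = 40000, 80


def redirected_client_session(table: TupleTable) -> Tuple4:
    """Item #1: the client's connection arrives as client:40000 -> server:80.
    REDIRECT changes the destination the proxy sees, but the tuple the
    kernel tracks is still the original one."""
    t = Tuple4(CLIENT, CLIENT_PORT, SERVER, SERVER_PORT)
    table.add(t)
    return t


def spoof_full_tuple(table: TupleTable) -> bool:
    """Item #3 as attempted in the question: connect to the server with the
    client's address AND port as source. Returns True if the table accepts
    it, False on the clash."""
    try:
        table.add(Tuple4(CLIENT, CLIENT_PORT, SERVER, SERVER_PORT))
        return True
    except ValueError:
        return False


def spoof_address_only(table: TupleTable) -> Tuple4:
    """Item #3 as recommended in the reply: spoof the client's address but
    let the source port be chosen dynamically."""
    port = table.free_source_port(CLIENT, SERVER, SERVER_PORT)
    t = Tuple4(CLIENT, port, SERVER, SERVER_PORT)
    table.add(t)
    return t


def demo():
    """Run the three steps in order; returns (inbound, clash_ok, outbound)."""
    table = TupleTable()
    inbound = redirected_client_session(table)
    clash_ok = spoof_full_tuple(table)      # False: identical tuple
    outbound = spoof_address_only(table)    # same source address, new port
    return inbound, clash_ok, outbound


if __name__ == "__main__":
    inbound, clash_ok, outbound = demo()
    print("client side        :", inbound)
    print("full spoof accepted:", clash_ok)
    print("server side        :", outbound)
```

Both connections keep the client's source address towards the server, so the server still sees the client's IP; only the source port differs, which is the behaviour the reply says causes no problems in practice.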