[tproxy] TPROXY USAGE

Balazs Scheidler bazsi@balabit.hu
Mon, 5 May 2003 17:21:18 +0200


On Wed, Apr 30, 2003 at 11:21:29PM -0700, Dileep Kumar wrote:
> Hello Bazsi,
> A few questions for you:
> The IP table entry (iptables -t tproxy -A PREROUTING  -dest server_addr -j
> TPROXY --on-port ) is sending all connections to the proxy.
> Is it true that I don't need to set any IP table entry if I am interested
> only in connections on a specific port? In our experiment with TPROXY, one
> thing that we discovered was that if we are interested only in connections
> on a specific port, we don't need to set any IP table entry at all. By using
> setsockopt IP_TPROXY_ASSIGN and IP_TPROXY_FLAGS we could intercept the
> packet, listen on a foreign address and source from a foreign address. For
> PASV FTP, I can bind the port for listen that was sent to the client. I am
> not sure when I will need to add an IP table entry.

You don't need a tproxy table entry if your application specifically asks
for a given foreign address/port.

> Second question: when I want to create a connection with a foreign address
> as the source address, I need to bind to the local address with a local port.
> Does doing so create a port management problem? I noticed in your Zorp code in
> the tpsocket file, the autobind function sends port zero. I am assuming in this
> case the kernel picks the port. Is this valid usage? Or do I need to manage the
> ports?

Yes, port 0 means to allocate a port automatically. It does not matter which
port you are using on your local interface; the only requirement is that it
must be bound to a fully specified address/port (e.g. it cannot be 0.0.0.0).

> Third, I did not see any proxy using the API defined in tpsocket. Do you
> have any example of a full proxy that is using TPROXY?

There were a couple of examples in the tarball, but I am afraid they are
quite outdated. You can check out the sources for Zorp however.

-- 
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
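As an added illustration of the port-0 autobind point in the reply above (this is not code from the thread, from the tproxy patch, or from Zorp's tpsocket): the small C program below binds a TCP socket to local_ip:0, reads back the port the kernel allocated with getsockname(), and refuses a wildcard address, since the local side of a spoofed connection must be fully specified. It also probes for IP_TRANSPARENT, the in-tree successor of the tproxy patch's IP_TPROXY_* socket options; that the reader's kernel offers IP_TRANSPARENT is an assumption of this example, and the 2003 patch's own setsockopt interface is not reproduced here. Function names are the editor's own.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Assumption: a kernel with the in-tree IP_TRANSPARENT option (value 19 in
 * <linux/in.h>); it replaced the out-of-tree tproxy patch's IP_TPROXY_* options. */
#ifndef IP_TRANSPARENT
#define IP_TRANSPARENT 19
#endif

/* Bind a fresh TCP socket to local_ip:0 and return the port the kernel
 * allocated (host byte order), or -1 on any error.  As the reply says, the
 * local side must be fully specified, so a wildcard address is refused. */
int autobind_port(const char *local_ip)
{
    struct sockaddr_in sa;
    socklen_t len = sizeof(sa);
    int fd, port;

    memset(&sa, 0, sizeof(sa));
    sa.sin_family = AF_INET;
    sa.sin_port = htons(0);                 /* port 0: let the kernel pick */
    if (inet_pton(AF_INET, local_ip, &sa.sin_addr) != 1)
        return -1;                          /* not a valid dotted quad */
    if (sa.sin_addr.s_addr == htonl(INADDR_ANY))
        return -1;                          /* 0.0.0.0 is not a usable local side */

    fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    if (bind(fd, (struct sockaddr *)&sa, sizeof(sa)) < 0) {
        close(fd);
        return -1;
    }
    /* Read back the address/port the kernel actually assigned. */
    if (getsockname(fd, (struct sockaddr *)&sa, &len) < 0) {
        close(fd);
        return -1;
    }
    port = ntohs(sa.sin_port);
    close(fd);
    return port;
}

/* Probe whether this process may mark a socket transparent, i.e. bind or
 * connect with a non-local ("foreign") address.  Returns 1 on success, 0 if
 * the kernel refused (EPERM without CAP_NET_ADMIN, ENOPROTOOPT on a kernel
 * without the option), -1 if no socket could be created at all. */
int mark_transparent(void)
{
    int one = 1, rc;
    int fd = socket(AF_INET, SOCK_STREAM, 0);

    if (fd < 0)
        return -1;
    rc = (setsockopt(fd, IPPROTO_IP, IP_TRANSPARENT, &one, sizeof(one)) == 0) ? 1 : 0;
    close(fd);
    return rc;
}

int main(void)
{
    int port = autobind_port("127.0.0.1");

    printf("kernel-allocated local port: %d\n", port);
    printf("wildcard 0.0.0.0 accepted: %s\n",
           autobind_port("0.0.0.0") == -1 ? "no (refused)" : "yes");
    printf("IP_TRANSPARENT usable here: %s\n",
           mark_transparent() == 1 ? "yes" : "no (needs CAP_NET_ADMIN)");
    return port > 0 ? 0 : 1;
}
```

Run it unprivileged and the autobind succeeds while the IP_TRANSPARENT probe reports refusal; run it with CAP_NET_ADMIN and both succeed. The per-connection port management the question worries about is handled entirely by the kernel's ephemeral port allocation once the address is fixed.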