Balazs Scheidler bazsi@balabit.hu
Thu, 8 May 2003 17:21:00 +0200

On Mon, May 05, 2003 at 09:20:51AM -0700, Dileep Kumar wrote:
> Bazsi,
> Let's say, I want to use TPROXY to build a proxy that will protect all the
> clients accessing the Internet, assume INTERNET_GROUP is a set of subnets
> representing Internet.
> The following entry will intercept all the connections going to Internet
> iptables -t tproxy -A PREROUTING -d INTERNET_GROUP -j TPROXY --on-port 80
> 1) Is there any way I can only intercept HTTP connections?

yes, match the destination port as well, e.g.

iptables -t tproxy -A PREROUTING -d INTERNET_GROUP --dport 80 -j TPROXY --on-port 80

we usually use a separate port number for proxy listeners.

> 2) Once I intercept a connection, how do I retrieve the foreign address? Is
> there any TPROXY option to retrieve the foreign address/port?

yes, the same as you would do with REDIRECT, SO_GETORIGDST, you can find
many examples on the net.

PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
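As an added illustration (not code from the thread or from the TPROXY project) of the getsockopt approach Bazsi points to: a proxy that accepts a redirected TCP connection asks netfilter for the address the client originally connected to with the SO_ORIGINAL_DST socket option on the accepted socket, and should connect upstream to that address rather than trusting a client-supplied Host header. The helper names (get_original_dst, format_addr, make_addr), the 192.0.2.0/24 sample address and the fallback constant values are assumptions made for this example; the call must run on a Linux host with connection tracking loaded to return a real result.

```c
/* Added example: recover the original destination of an intercepted TCP
 * connection via getsockopt(SO_ORIGINAL_DST), as a REDIRECT/TPROXY-style
 * proxy does. Not part of the original mailing-list thread. */
#include <stdio.h>
#include <string.h>
#include <errno.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>
#ifdef __linux__
#include <linux/netfilter_ipv4.h>   /* provides SO_ORIGINAL_DST on Linux */
#endif
#ifndef SO_ORIGINAL_DST
#define SO_ORIGINAL_DST 80          /* fallback so the file compiles elsewhere (assumed value) */
#endif
#ifndef SOL_IP
#define SOL_IP IPPROTO_IP           /* non-glibc platforms name the level differently */
#endif

/* Ask netfilter which destination the client really connected to.
 * Returns 0 on success; -1 with errno set if fd is not a conntrack-tracked,
 * redirected connection (or is not a valid socket at all). */
int get_original_dst(int fd, struct sockaddr_in *orig)
{
    socklen_t len = sizeof(*orig);
    memset(orig, 0, sizeof(*orig));
    if (getsockopt(fd, SOL_IP, SO_ORIGINAL_DST, orig, &len) < 0)
        return -1;
    /* Reject anything that is not a complete IPv4 sockaddr. */
    if (len != sizeof(*orig) || orig->sin_family != AF_INET) {
        errno = EPROTO;
        return -1;
    }
    return 0;
}

/* Render an IPv4 sockaddr as "a.b.c.d:port" for logging or for picking the
 * upstream target. Returns buf, or NULL if it does not fit. */
const char *format_addr(const struct sockaddr_in *sa, char *buf, size_t buflen)
{
    char ip[INET_ADDRSTRLEN];
    if (!inet_ntop(AF_INET, &sa->sin_addr, ip, sizeof(ip)))
        return NULL;
    if (snprintf(buf, buflen, "%s:%u", ip, (unsigned)ntohs(sa->sin_port)) >= (int)buflen)
        return NULL;
    return buf;
}

/* Build a sockaddr_in from a dotted quad and a host-order port (used here to
 * construct a sample value; a real proxy gets it from get_original_dst). */
int make_addr(const char *ip, unsigned short port, struct sockaddr_in *sa)
{
    memset(sa, 0, sizeof(*sa));
    sa->sin_family = AF_INET;
    sa->sin_port = htons(port);
    return inet_pton(AF_INET, ip, &sa->sin_addr) == 1 ? 0 : -1;
}

int main(void)
{
    struct sockaddr_in sa;
    char buf[64];

    /* Constructed sample: what a redirected connection to 192.0.2.10:80 yields. */
    make_addr("192.0.2.10", 80, &sa);
    printf("original destination: %s\n", format_addr(&sa, buf, sizeof(buf)));

    /* In a proxy, fd would be the socket returned by accept() on the
     * --on-port listener; here an invalid fd shows the error path. */
    if (get_original_dst(-1, &sa) < 0)
        perror("get_original_dst");
    return 0;
}
```

The family/length check matters in practice: a connection that reached the listener directly (not through the REDIRECT/TPROXY rule) has no conntrack NAT mapping, and the proxy should refuse it rather than fall back to whatever destination the client claims.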