[tproxy] Getting Started

Tim Burress hokousha2001@yahoo.com
Thu, 23 Oct 2003 00:51:39 -0700 (PDT)


I'm just getting started with tproxy on our local
firewall machine, and am running into a couple of
problems. The 1.1.2 patches seem to install just fine,
and after explicitly loading iptable_proxy,
ipt_tproxy, and ipt_TPROXY, I am able to set up rough
transparent proxies using the setsockopt() API.

The first problem is that the extensions to the
iptables command itself do not seem to be recognized:

[router] iptables # iptables -t tproxy -A PREROUTING -j TPROXY --on-port 10110
iptables v1.2.9rc1: Unknown arg `--on-port'
Try `iptables -h' or 'iptables --help' for more

Is there some other module that I have to load in
order for iptables to recognize the tproxy options?

The second problem is that the firewall currently uses
a MASQUERADE rule that rewrites addresses from hosts on
the local network (private addresses) to the global
address of the outgoing interface. This works fine
with non-transparent proxies, but when I set one up in
transparent mode (using the setsockopt() calls) the
outgoing packets from the local network are not
masqueraded. As a result, the server is seeing packets
with private source addresses, which of course it
cannot reply to. Is there a way around this? Obviously
the benefits of transparent proxying are lost if you
do masquerading for all traffic, but in our case it
only applies to certain interfaces, while the other
networks have routable addresses. It seems as though,
in this case, the masquerade rules might take

Thanks for any insight you can provide!
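The first question touches two separate prerequisites: kernel modules, and the extension libraries the iptables command itself uses to parse target and match options. The script below checks each side independently; it is an added example, not part of the original message or of the tproxy project. It assumes the iptables 1.2.x convention of looking for extensions as libipt_<NAME>.so in /lib/iptables (or the directory named by the IPTABLES_LIB_DIR environment variable) and reads loaded modules from /proc/modules; the module names are passed in by the caller, for instance the three the message lists.

```shell
#!/bin/sh
# Added diagnostic script; not from the original post or the tproxy project.
# Assumptions: iptables 1.2.x loads target/match extensions as shared objects
# named libipt_<NAME>.so from its library directory (default /lib/iptables,
# overridable with the IPTABLES_LIB_DIR environment variable), and loaded
# kernel modules appear as the first field of each line in /proc/modules.
# Module names are whatever the caller passes; none are hard-coded here.

# Return 0 if the userspace extension NAME exists in LIBDIR.
# "Unknown arg `--on-port'" is emitted by the iptables binary when no
# extension library knows the option; kernel modules play no part in that.
ipt_ext_present() {
    ext_name=$1
    ext_dir=${2:-${IPTABLES_LIB_DIR:-/lib/iptables}}
    [ -r "$ext_dir/libipt_$ext_name.so" ]
}

# Return 0 if kernel module NAME is listed in the /proc/modules-style file
# MODFILE (exact, case-sensitive match on the first field, so ipt_tproxy and
# ipt_TPROXY are distinct entries).
kmod_loaded() {
    mod_name=$1
    mod_file=${2:-/proc/modules}
    [ -r "$mod_file" ] &&
        awk -v m="$mod_name" '$1 == m { found = 1 } END { exit !found }' "$mod_file"
}

# Check both halves of the setup: the userspace extensions for the tproxy
# match and the TPROXY target, plus the kernel modules named on the command
# line. Returns 0 only when everything is present.
tproxy_check() {
    check_dir=$1
    check_modfile=$2
    shift 2
    rc=0
    for ext in tproxy TPROXY; do
        if ipt_ext_present "$ext" "$check_dir"; then
            echo "userspace: libipt_$ext.so present"
        else
            echo "userspace: libipt_$ext.so missing (iptables will reject its options)"
            rc=1
        fi
    done
    for mod in "$@"; do
        if kmod_loaded "$mod" "$check_modfile"; then
            echo "kernel:    module $mod loaded"
        else
            echo "kernel:    module $mod not loaded"
            rc=1
        fi
    done
    return $rc
}

# Usage: sh tproxy_check.sh LIBDIR MODFILE MODULE...
# e.g.   sh tproxy_check.sh /lib/iptables /proc/modules iptable_proxy ipt_tproxy ipt_TPROXY
# Runs only when arguments are given, so sourcing the file has no side effects.
if [ "$#" -ge 3 ]; then
    tproxy_check "$@"
fi
```

Pass an empty first argument to fall back to IPTABLES_LIB_DIR or the default directory. A non-zero exit with a "missing" line on the userspace side means the iptables build on the machine was not compiled with the tproxy extensions, which is independent of which modules are loaded.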
