[tproxy] UDP transparent proxying

Jean-pierre Cartal jean-pierre.cartal@nextenso.com
Mon, 27 Oct 2003 12:20:39 +0100


Hi,

Thanks for the reply.
I can provide you the code but it is really mostly a line-by-line copy 
of the foreign-udp-connect.c code.
My understanding is that for a reason that I can't understand, NAT is 
taking place.

To give you more information, my test box has 2 ethernet interfaces and 
I want to use eth1 for transparent proxying. The IP address on this 
interface is 192.168.3.1, the eth0 interface address is 172.20.3.15.
I first create a socket to listen for incoming requests normally targeted 
at 192.168.2.1, which are sent to my TP host using a Linux router. This 
part is working fine and I'm able to receive all packets.
The IP address for the outgoing packets is set to the source address of 
the incoming packet I just received on the listening socket.
I create a local socket, bind it to a random local port, use the 
IP_TPROXY_ASSIGN socket option to assign the IP address and source port, 
the latter being different from the one in the original packet as I want 
all responses from the originally targeted server to arrive on a single 
port.
I then call the IP_TPROXY_FLAGS socket option using the ITP_CONNECT flag.
Finally, I connect this socket with the original remote machine (same 
IP and same port as in the incoming packet).

Doing a tcpdump on the router machine shows that outgoing packets have a 
source address set to 172.20.3.15 and a random port and the remote 
address is also set to 172.20.3.15 and a random port.
I tried changing the code that creates my local socket and I found that 
if I explicitly ask for this socket to be bound to the eth1 IP address, 
i.e. 192.168.3.1, then outgoing packets have their source address set to 
this one, and I was also able to set the source port using the same trick.
However I never managed to have the destination address and port set 
correctly.

If this can help, I also tried sending packets using libnet, but I get 
the exact same behaviour.

As a final note, I now have a working solution using an iptables rule in 
the tproxy table and the redirect-udp-recv.c code; however, my first 
idea was to have code which was not relying on any iptables rules as I 
was only transparently proxying a single machine.

Thanks for your help.
KOVACS Krisztian wrote:

>
>   Hi,
>
> Jean-pierre Cartal wrote:
>
>> I'm trying to write a transparent UDP proxy using TProxy, what I 
>> would like to do is to intercept traffic going to a given machine, 
>> and only one, and then resend it with the original source IP 
>> address, but with a different port number.
>>
>> I'm able to bind to a local socket, and receive traffic originally 
>> destined for the given machine using the ITP_LISTEN flag. My first 
>> question is should I also use the ITP_UNIDIR option on this socket?
>
>
>   Yes, you should, but currently it really does not matter. (For UDP, 
> at least.)
>
>> My problem is when I try to forward the received packet to the 
>> originally targeted machine, source and destination addresses are not 
>> the ones given through the IP_TPROXY_ASSIGN socket option and the 
>> connect system call. I took the code from the foreign-udp-connect.c 
>> sample given with the patch, but it does not behave correctly within 
>> my code whereas it is working fine when tested by itself.
>>
>> Do you have any clue on what I'm doing wrong here ?
>
>
>   Could you perhaps provide some sample code? What is the source 
> address of the outgoing traffic? (It would be important to know if no 
> NAT mapping happens at all, or it's some other problem.)
>
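
The three-step procedure Jean-pierre describes (listen for datagrams addressed to 192.168.2.1, then for each client create an outgoing socket that carries the client's own source address and a proxy-chosen port before connecting to the original destination), written out as an added example that is not code from this thread, from foreign-udp-connect.c, or from the tproxy patch. It uses the IP_TRANSPARENT / IP_RECVORIGDSTADDR socket options that later kernels (2.6.28 and up) shipped in place of the patch's IP_TPROXY_ASSIGN, IP_TPROXY_FLAGS and ITP_* flags, so it is the same design on a different API, not a port of the 2003 code. The IP addresses are the ones from the mail; the ports (53, 40000), the helper names and the assumption that a TPROXY rule or route already steers the packets to this host are this example's own. Both sockets need CAP_NET_ADMIN for IP_TRANSPARENT; parse_demo() runs without privileges.

```c
/* Added example: UDP transparent proxy skeleton on the IP_TRANSPARENT API,
 * following the listen / assign-foreign-source / connect sequence from the
 * mail.  Not the thread's or the tproxy patch's own code.  Addresses are the
 * mail's; ports, names and the steering rule are assumptions of this example.
 * Build: cc -o udp_tproxy udp_tproxy.c */
#define _DEFAULT_SOURCE
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#ifndef IP_TRANSPARENT          /* Linux values, in case the libc headers are old */
#define IP_TRANSPARENT 19
#endif
#ifndef IP_ORIGDSTADDR
#define IP_ORIGDSTADDR 20
#endif
#ifndef IP_RECVORIGDSTADDR
#define IP_RECVORIGDSTADDR IP_ORIGDSTADDR
#endif

/* Pull the original destination (IP_ORIGDSTADDR ancillary data) out of a
 * recvmsg() result.  Returns 0 and fills *dst, or -1 if it is not attached. */
int orig_dst_from_msg(struct msghdr *msg, struct sockaddr_in *dst)
{
    for (struct cmsghdr *c = CMSG_FIRSTHDR(msg); c; c = CMSG_NXTHDR(msg, c))
        if (c->cmsg_level == IPPROTO_IP && c->cmsg_type == IP_ORIGDSTADDR &&
            c->cmsg_len >= CMSG_LEN(sizeof *dst)) {
            memcpy(dst, CMSG_DATA(c), sizeof *dst);
            return 0;
        }
    return -1;
}

/* Listening side (the ITP_LISTEN socket of the mail): accepts UDP sent to an
 * address this host does not own.  IP_TRANSPARENT must be set before bind(),
 * and something (a TPROXY rule or a route) has to deliver the packets here.
 * Returns the fd, or -errno. */
int open_listener(const char *ip, uint16_t port)
{
    int one = 1, fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0) return -errno;
    struct sockaddr_in a = { .sin_family = AF_INET, .sin_port = htons(port) };
    if (inet_pton(AF_INET, ip, &a.sin_addr) != 1) { close(fd); return -EINVAL; }
    if (setsockopt(fd, IPPROTO_IP, IP_TRANSPARENT, &one, sizeof one) == 0 &&
        setsockopt(fd, IPPROTO_IP, IP_RECVORIGDSTADDR, &one, sizeof one) == 0 &&
        bind(fd, (struct sockaddr *)&a, sizeof a) == 0)
        return fd;
    int e = errno; close(fd); return -e;
}

/* One datagram: payload, the client's address, and where it was really sent. */
ssize_t recv_intercepted(int fd, void *buf, size_t len,
                         struct sockaddr_in *client, struct sockaddr_in *orig_dst)
{
    char cbuf[CMSG_SPACE(sizeof(struct sockaddr_in))];
    struct iovec iov = { buf, len };
    struct msghdr msg = { .msg_name = client, .msg_namelen = sizeof *client,
                          .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = cbuf, .msg_controllen = sizeof cbuf };
    ssize_t n = recvmsg(fd, &msg, 0);
    if (n < 0) return -errno;
    return orig_dst_from_msg(&msg, orig_dst) == 0 ? n : -ENOMSG;
}

/* Outgoing side (IP_TPROXY_ASSIGN + ITP_CONNECT + connect() in the mail):
 * bind to the client's own address and the proxy's reply port, then connect
 * to the original destination.  A wildcard source is refused on purpose: bound
 * to INADDR_ANY, the kernel fills in the egress interface's address as the
 * source, so the server would see the proxy instead of the client. */
int open_spoofed_sender(const struct sockaddr_in *client, uint16_t reply_port,
                        const struct sockaddr_in *orig_dst)
{
    if (client->sin_addr.s_addr == htonl(INADDR_ANY)) return -EINVAL;
    int one = 1, fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0) return -errno;
    struct sockaddr_in src = *client;
    src.sin_port = htons(reply_port);
    if (setsockopt(fd, IPPROTO_IP, IP_TRANSPARENT, &one, sizeof one) == 0 &&
        bind(fd, (struct sockaddr *)&src, sizeof src) == 0 &&
        connect(fd, (const struct sockaddr *)orig_dst, sizeof *orig_dst) == 0)
        return fd;
    int e = errno; close(fd); return -e;
}

/* Offline check of the ancillary-data parsing on a constructed message (no
 * kernel involved): returns the original destination port it recovers. */
int parse_demo(void)
{
    char cbuf[CMSG_SPACE(sizeof(struct sockaddr_in))];
    memset(cbuf, 0, sizeof cbuf);
    struct msghdr msg = { .msg_control = cbuf, .msg_controllen = sizeof cbuf };
    struct sockaddr_in in = { .sin_family = AF_INET, .sin_port = htons(53) }, out;
    inet_pton(AF_INET, "192.168.2.1", &in.sin_addr);   /* constructed input */
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    c->cmsg_level = IPPROTO_IP; c->cmsg_type = IP_ORIGDSTADDR;
    c->cmsg_len = CMSG_LEN(sizeof in);
    memcpy(CMSG_DATA(c), &in, sizeof in);
    return orig_dst_from_msg(&msg, &out) == 0 ? ntohs(out.sin_port) : -1;
}

int main(void)
{
    printf("parsed original dst port: %d\n", parse_demo());
    int lfd = open_listener("192.168.2.1", 53);          /* needs CAP_NET_ADMIN */
    if (lfd < 0) { fprintf(stderr, "listener: %s\n", strerror(-lfd)); return 1; }
    char buf[1500]; struct sockaddr_in client, dst;
    ssize_t n = recv_intercepted(lfd, buf, sizeof buf, &client, &dst);
    if (n < 0) { fprintf(stderr, "recv: %s\n", strerror(-n)); return 1; }
    int sfd = open_spoofed_sender(&client, 40000, &dst); /* 40000: assumed port */
    if (sfd < 0) { fprintf(stderr, "sender: %s\n", strerror(-sfd)); return 1; }
    if (send(sfd, buf, (size_t)n, 0) < 0) perror("send");
    close(sfd); close(lfd);
    return 0;
}
```

Run as root on a box where the intercepted traffic is routed to it; without privileges open_listener() reports EPERM from IP_TRANSPARENT and the program stops after the offline parse check. The reject-INADDR_ANY check in open_spoofed_sender() is the one worth keeping in real code: a tcpdump that shows the proxy's own interface address as the source of the forwarded packets, as in the mail, is exactly what a wildcard bind produces on this API, so it is the first thing to rule out before suspecting a NAT rule. Replies from the server will arrive on the spoofed sender socket (all of them on port 40000, as the mail wants); relaying them back to the client needs a second spoofed socket bound to the server's address, which this example leaves out.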