[tproxy] UDP transparent proxying
Mon, 27 Oct 2003 12:20:39 +0100
Thanks for the reply.
I can provide you with the code, but it is really mostly a line-by-line copy
of the foreign-udp-connect.c code.
My understanding is that for a reason that I can't understand, NAT is
To give you more information, my test box has 2 ethernet interfaces and
I want to use eth1 for transparent proxying. The IP address on this
interface is 192.168.3.1, the eth0 interface address is 172.20.3.15.
I first create a socket to listen for incoming requests normally targeted
to 192.168.2.1, which are sent to my TP host using a linux router. This
part is working fine and I'm able to receive all packets.
The IP address for the outgoing packets is set to the source address of
the incoming packet I just received on the listening socket.
I create a local socket, bind it to a random local port, use the
IP_TPROXY_ASSIGN socket option to assign the IP address and source port,
the latter being different from the one in the original packet as I want
all responses from the originally targeted server to arrive on a single
I then call the IP_TPROXY_FLAGS socket option using the ITP_CONNECT flag.
Finally, I connect this socket with the original remote machine (same
IP and same port as in the incoming packet).
Doing a tcpdump on the router machine shows that outgoing packets have a
source address set to 172.20.3.15 and a random port and the remote
address is also set to 172.20.3.15 and a random port.
I tried changing the code that creates my local socket and I found that
if I explicitly ask for this socket to be bound to the eth1 IP address,
i.e. 192.168.3.1, then outgoing packets have their source address set to
this one, and I was also able to set the source port using the same trick.
However I never managed to have the destination address and port set
If this can help, I also tried sending packets using libnet, but I get
the exact same behaviour.
As a final note, I now have a working solution using an iptables rule in
the tproxy table, and the redirect-udp-recv.c code; however my first
idea was to have code which did not rely on any iptables rules, as I
was only transparently proxying a single machine.
Thanks for your help.
KOVACS Krisztian wrote:
> Jean-pierre Cartal wrote:
>> I'm trying to write a transparent UDP proxy using TProxy, what I
>> would like to do is to intercept traffic going to a given machine,
>> and only one, and then resend it with the original source IP
>> address, but with a different port number.
>> I'm able to bind to a local socket, and receive traffic originally
>> destined to the given machine using the ITP_LISTEN flag. My first
>> question is should I also use the ITP_UNIDIR option on this socket?
> Yes, you should, but currently it really does not matter. (For UDP,
> at least.)
>> My problem is when I try to forward the received packet to the
>> originally targeted machine, source and destination addresses are not
>> the ones given through the IP_TPROXY_ASSIGN socket option and the
>> connect system call. I took the code from the foreign-udp-connect.c
>> sample given with the patch, but it does not behave correctly within
>> my code whereas it is working fine when tested by itself.
>> Do you have any clue on what I'm doing wrong here?
> Could you perhaps provide some sample code? What is the source
> address of the outgoing traffic? (It would be important to know if no
> NAT mapping happens at all, or it's some other problem.)