[tproxy] cttproxy-2.4.25-1.9.3 + nat_delete

KOVACS Krisztian hidden@balabit.hu
Tue, 27 Apr 2004 10:00:52 +0200


On Tue, 2004-04-27 at 09:22, Andrew Ivins wrote:
> I have experimented with binding to a foreign source address using
> cttproxy-2.4.25-1.9.3 and the foreign-tcp-connect program. However I
> skipped the nat_delete part of the patch as I was not able to apply
> it. Foreign-tcp-connect actually works perfectly with the peer seeing
> the spoofed address. However after working, it will consistently fail
> for several minutes. Then it will work once and the cycle will repeat.
> I'm guessing this has something to do with the nat_delete patch I
> skipped.

  Actually, 04-nat_delete is not mandatory at all (although it could help
in your case). The root of your problems is probably that you set the
foreign address and port number to the same constant value all the time,
and connect to the same server. In this case, when the first TCP session
is closed, you'll have to wait two minutes for the conntrack entry to
time out.

  Instead of using 04-nat_delete to be able to delete leftover conntrack
entries of TCP connections currently in TIME_WAIT state, I'd recommend
not using constant values when using tproxy for connecting. If you
specify 0 for the foreign port, an unused port number will be
automatically allocated by Netfilter, and you won't get NAT clashes. The
04-* patch is needed in those cases where this is not an option, which
are very rare.

> > The nat_delete patch has been adapted to the new TCP window-tracking
> > patch by Jozsef Kadlecsik, so this patch needs the current
> > tcp-window-tracking module from the Netfilter Patch-o-matic NG
> > applied.
> > If you don't want to do that, 04-nat_delete.patch can be skipped
> > safely.
> I tried this. The tcp-window-tracking patch seemed to apply to the
> vanilla 2.4.25 kernel successfully. However the 04-nat_delete.patch
> still fails to apply (included below)
> Any chance of a list of which patches need to be applied to make
> cttproxy-2.4.25-1.9.3 apply cleanly including 4-nat_delete.patch?

  You're right. Although I wouldn't recommend using that patch, I've
created a fixed archive which contains the new 04-nat_delete.diff and
replaced the old .tar.gz. The MD5 checksum of the new file is

64eb5a4e72f11fa98d7794ed0bb8ee2a  cttproxy-2.4.25-1.9.3.tar.gz

   Krisztian KOVACS
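
The following is an added example, not code from the thread or from
cttproxy: a small Python model of the conntrack/NAT behaviour Krisztian
describes. It tracks NAT source tuples, keeps a closed connection in
TIME_WAIT for the two-minute TCP timeout, and shows that reconnecting
with the same constant foreign (addr, port) to the same server fails
until that entry expires, while foreign port 0 gets a fresh unused port
each time. The table layout, the 120-second constant and the port range
are simplifying assumptions, not the kernel's data structures.

```python
# Added example (not part of the original thread or of cttproxy): a model
# of why a constant foreign (addr, port) clashes with a conntrack entry in
# TIME_WAIT, and why foreign port 0 avoids the clash.

TCP_TIME_WAIT_TIMEOUT = 120           # ip_conntrack's TCP TIME_WAIT timeout: two minutes
EPHEMERAL_PORTS = range(32768, 61000)  # assumed port range Netfilter may allocate from


class ConntrackModel:
    """Tracks NAT source tuples (src_ip, src_port, dst_ip, dst_port).

    An entry is either live (expiry None) or in TIME_WAIT (expiry is an
    absolute time after which the entry is dropped).
    """

    def __init__(self):
        self.entries = {}

    def _expire(self, now):
        # Drop TIME_WAIT entries whose timeout has passed.
        for tup, expiry in list(self.entries.items()):
            if expiry is not None and expiry <= now:
                del self.entries[tup]

    def connect(self, now, src_ip, src_port, dst_ip, dst_port):
        """Open a proxied connection with the given foreign source address.

        src_port == 0 means "let Netfilter pick an unused port", as the
        thread recommends. Returns the source port actually used, or
        raises OSError on a NAT tuple clash.
        """
        self._expire(now)
        if src_port == 0:
            for cand in EPHEMERAL_PORTS:
                if (src_ip, cand, dst_ip, dst_port) not in self.entries:
                    src_port = cand
                    break
            else:
                raise OSError("no unused port left for this destination")
        tup = (src_ip, src_port, dst_ip, dst_port)
        if tup in self.entries:
            # Same tuple still tracked (live or TIME_WAIT): NAT clash.
            raise OSError("NAT tuple clash: %r still tracked" % (tup,))
        self.entries[tup] = None
        return src_port

    def close(self, now, src_ip, src_port, dst_ip, dst_port):
        """Close a live connection; its tuple stays in TIME_WAIT for the timeout."""
        tup = (src_ip, src_port, dst_ip, dst_port)
        assert tup in self.entries and self.entries[tup] is None
        self.entries[tup] = now + TCP_TIME_WAIT_TIMEOUT


def try_connect(ct, now, src_ip, src_port, dst_ip, dst_port):
    """Return the port used, or None if the connect clashed."""
    try:
        return ct.connect(now, src_ip, src_port, dst_ip, dst_port)
    except OSError:
        return None


def constant_tuple_scenario():
    """Constant foreign addr/port to the same server: fails until TIME_WAIT expires.

    Returns (time, port_or_None) for each retry after the first session closed at t=1.
    """
    ct = ConntrackModel()
    port = ct.connect(0, "10.0.0.99", 5000, "192.0.2.10", 80)
    ct.close(1, "10.0.0.99", port, "192.0.2.10", 80)
    results = []
    for t in (2, 60, 120, 121):
        results.append((t, try_connect(ct, t, "10.0.0.99", 5000, "192.0.2.10", 80)))
    return results


def auto_port_scenario(n=3):
    """Foreign port 0: a fresh unused port is allocated per connection, no clash."""
    ct = ConntrackModel()
    ports = []
    for i in range(n):
        port = ct.connect(i, "10.0.0.99", 0, "192.0.2.10", 80)
        ct.close(i, "10.0.0.99", port, "192.0.2.10", 80)
        ports.append(port)
    return ports


if __name__ == "__main__":
    print("constant tuple:", constant_tuple_scenario())
    print("auto port:    ", auto_port_scenario())
```

With the constant tuple, every retry inside the 120-second window is
refused and only the one at t=121 gets through, which matches the
"fails for several minutes, then works once" pattern; with port 0 each
connection gets its own port and none of them clash.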