[tproxy] cttproxy-2.4.25-1.9.3 + nat_delete

Andrew Ivins aivins@swiftel.com.au
Tue, 27 Apr 2004 16:26:39 +0800

Thanks Krisztian, you were spot on :)

The test program can now connect repeatedly without problems. Thanks
also for updating your patch, although I'll hold off on using nat_delete
as you suggest.


-----Original Message-----
From: KOVACS Krisztian [mailto:hidden@balabit.hu]
Sent: Tuesday, 27 April 2004 4:01 PM
To: Andrew Ivins
Cc: TProxy mailing list
Subject: Re: [tproxy] cttproxy-2.4.25-1.9.3 + nat_delete


On Tue, 2004-04-27 at 09:22, Andrew Ivins wrote:
> I have experimented with binding to a foreign source address using
> cttproxy-2.4.25-1.9.3 and the foreign-tcp-connect program. However I
> skipped the nat_delete part of the patch as I was not able to apply
> it. Foreign-tcp-connect actually works perfectly with the peer seeing
> the spoofed address. However after working, it will consistently fail
> for several minutes. Then it will work once and the cycle will repeat.
> I'm guessing this has something to do with the nat_delete patch I
> skipped.

  Actually, 04-nat_delete is not mandatory at all (although it could help
in your case). The root of your problems is probably that you set the
foreign address and port number to the same constant value all the time,
and connect to the same server. In this case, when the first TCP session
is closed, you'll have to wait two minutes for the conntrack entry to
time out.

  Instead of using 04-nat_delete to be able to delete leftover conntrack
entries of TCP connections currently in TIME_WAIT state, I'd recommend
not to use constant values when using tproxy for connecting. If you
specify 0 for the foreign port, an unused port number will be
automatically allocated by Netfilter, and you won't get NAT clashes. The
04-* patch is needed in such cases when this is not an option, which is
very rare.

> > The nat_delete patch has been adapted to the new TCP window-tracking
> > patch by Jozsef Kadlecsik, so this patch needs the current
> > tcp-window-tracking module from the Netfilter Patch-o-matic NG
> > applied.
> > If you don't want to do that, 04-nat_delete.patch can be skipped
> > safely.
> I tried this. The tcp-window-tracking patch seemed to apply to the
> vanilla 2.4.25 kernel successfully. However the 04-nat_delete.patch
> still fails to apply (included below)
> Any chance of a list of which patches need to be applied to make
> cttproxy-2.4.25-1.9.3 apply cleanly including 4-nat_delete.patch?

  You're right. Although I wouldn't recommend using that patch, I've
created a fixed archive which contains the new 04-nat_delete.diff and
replaced the old .tar.gz. The MD5 checksum of the new file is

64eb5a4e72f11fa98d7794ed0bb8ee2a  cttproxy-2.4.25-1.9.3.tar.gz

   Krisztian KOVACS
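The "works once, then fails for minutes, then works once again" cycle Krisztian explains above comes from reusing one fixed source address:port against the same server while the previous session still occupies that tuple. The following is an added example, not code from the thread or from cttproxy, and it does not touch tproxy foreign binding at all: a plain client socket on 127.0.0.1 stands in for the proxy, and the client's local port plays the role of the constant "foreign port". At the socket level the clash shows up as EADDRINUSE from bind() (the old connection sits in TIME_WAIT); on a tproxy box the same tuple reuse produces the conntrack/NAT clash the thread describes. Passing port 0 lets the kernel allocate an unused port for every session, which is the fix recommended above. Server, client and port choice are all constructed locally so it runs offline.

```python
"""Reproduce the fixed-source-tuple clash on loopback and the port-0 fix.

Added example for the tproxy thread; not part of cttproxy. It models the
clash with ordinary sockets (TIME_WAIT on the client side) rather than
with the Netfilter conntrack table, but the rule is identical: one fixed
source address:port towards one server cannot be reused until the old
entry expires, while source port 0 gets a fresh port each time.
"""
import errno
import socket


def start_server():
    """Listening TCP socket on an ephemeral loopback port (stand-in for the peer)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(8)
    srv.settimeout(1.5)  # accept() must not block forever when a client attempt failed
    return srv


def pick_free_port():
    """Ask the kernel for an unused port and release it again.

    The socket is never connected, so closing it leaves no TIME_WAIT entry
    behind; the number is then used as the constant "foreign port".
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def connect_once(server_addr, src_port):
    """One client session: bind to src_port (0 = kernel chooses), connect, close.

    Returns (ok, errno_name). The client deliberately does not set
    SO_REUSEADDR, so the kernel refuses a port that still belongs to a
    closing connection, which is the clash the thread describes.
    """
    cli = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        cli.bind(("127.0.0.1", src_port))
        cli.connect(server_addr)
        return True, None
    except OSError as e:
        return False, errno.errorcode.get(e.errno, str(e.errno))
    finally:
        cli.close()  # client closes first, so the client side holds TIME_WAIT


def connect_repeatedly(fixed_port, attempts=3):
    """Run back-to-back sessions against one server; returns a list of (ok, errno_name).

    fixed_port=True models a constant foreign port; False models port 0.
    """
    srv = start_server()
    # Choose the constant port only after the server is bound so the two never collide.
    src_port = pick_free_port() if fixed_port else 0
    results = []
    try:
        for _ in range(attempts):
            results.append(connect_once(srv.getsockname(), src_port))
            try:
                conn, _ = srv.accept()  # drain the peer side so it closes its half too
                conn.close()
            except socket.timeout:
                pass  # the client attempt failed before reaching the server
    finally:
        srv.close()
    return results


if __name__ == "__main__":
    print("constant source port:", connect_repeatedly(fixed_port=True, attempts=3))
    print("source port 0       :", connect_repeatedly(fixed_port=False, attempts=3))
```

With a constant port the first session succeeds and every following one fails with EADDRINUSE until the old connection has aged out, mirroring the "works once, then fails for minutes" pattern; with port 0 every attempt succeeds because the kernel hands out a different free port each time, exactly as Netfilter does for a foreign port of 0.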