[tproxy] TPROXY / Zorp on RedHat 9

KOVACS Krisztian hidden@balabit.hu
Wed, 06 Oct 2004 11:00:35 +0200


On 2004-10-06 (Wed) at 03:35, TEJAS VORA wrote:
> Now we are running our gateway in full bridge mode and to push TCP
> traffic up in the stack - we want to use the proxy on the gateway
> machine - so that all interested traffic will be pushed up in the
> stack till the TCP layer.
> For this reason, we want to try Zorp and TPROXY on our machine. For
> that reason right now I am trying Zorp GPL / TPROXY on our machine.
> We want to support
> - source IP NOT changing (because of IP authentication)

  This is possible, of course.

> - We want to support more than 1000 sessions at the same time - so
> performance is a critical issue

  It depends on your traffic pattern a lot, but I think this is also
possible, although you probably have to use some tricks to help Zorp
scale up to your needs. Have a look at the Zorp mailing list archives,
there was a thread on scaling up Zorp-based systems:


> - While sending FTP data back to client - source port should remain 20
> (ftp-data)

  This is the default behaviour of the FTP proxy in Zorp.

> RedHat 9 - kernel 2.4.20-8 - clean and full installation
> I have downloaded the latest kernel patch for TPROXY from your site.
> (I couldn't find one for 2.4.20-8) While I am trying to patch the kernel
> source - some of the files are missing - like - ip_nat_amanda.c -
> is that okay? While trying to build modules - it is not working.

  This is because we do not usually release TProxy patches for kernels
other than the last few versions of the "official" Linux kernel
available from kernel.org. You will need a specially crafted version of
TProxy for your RedHat 9 kernel, with a few (minor) changes applied.

  Of course this is not a major obstacle, there _are_ people using
TProxy on RedHat kernels (with bridging as well).

> Also, I patched the iptables source - and am trying to work with it - it
> compiles fine - but when I try to use -j TPROXY - it says -
> libipt_TPROXY.so module not found.

  Have you set the executable bit on the .tproxy-test script after
patching iptables?

> Now here I am really stranded and not able to do anything - I guess
> mainly because of version conflict - or some other reason.

  Yes, as stated above, you'd need a somewhat modified patch for RedHat
kernels, or you could use a "vanilla" kernel with the ebtables and
TProxy patches applied.

   Krisztian KOVACS
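The "libipt_TPROXY.so module not found" problem discussed above usually comes down to one of two things: the patched iptables tree was built without the TPROXY extension (the extensions/.tproxy-test helper was not executable, so the build skipped the target), or the shared object was installed somewhere iptables does not look. The following POSIX shell script is an added example written for this archive page; it is not code from the original mail, from Zorp, or from the TProxy patch. It assumes the patch places the test helper at extensions/.tproxy-test inside the iptables source tree, that iptables 1.2.x loads extensions from the directory given by the IPTABLES_LIB_DIR environment variable and otherwise from /usr/local/lib/iptables, and that a successful build installs the file as libipt_TPROXY.so; adjust those paths if your tree differs.

```shell
#!/bin/sh
# Added example (not part of the original mailing-list post).
# Checks the two conditions behind "libipt_TPROXY.so module not found"
# after applying the TProxy patch to the iptables source:
#   1. extensions/.tproxy-test must exist and be executable, otherwise
#      the iptables build silently omits the TPROXY target;
#   2. libipt_TPROXY.so must sit in the directory iptables searches.
# The helper path, the IPTABLES_LIB_DIR variable and the default library
# directory are assumptions about the iptables 1.2.x source tree.

# Directory iptables searches for extensions (assumed default shown).
iptables_lib_dir() {
    echo "${IPTABLES_LIB_DIR:-/usr/local/lib/iptables}"
}

# check_tproxy_build SRCDIR LIBDIR
#   SRCDIR: root of the patched iptables source tree
#   LIBDIR: directory iptables loads libipt_*.so from
# Exit status: 0 = both conditions hold,
#              1 = test helper missing or not executable (rebuild needed),
#              2 = helper is fine but the .so is not where iptables looks.
check_tproxy_build() {
    srcdir=$1
    libdir=$2
    helper="$srcdir/extensions/.tproxy-test"

    if [ ! -f "$helper" ]; then
        echo "missing $helper: iptables source does not look patched" >&2
        return 1
    fi
    if [ ! -x "$helper" ]; then
        echo "$helper is not executable; fix with:" >&2
        echo "  chmod +x $helper && make && make install" >&2
        return 1
    fi
    if [ ! -f "$libdir/libipt_TPROXY.so" ]; then
        echo "no libipt_TPROXY.so in $libdir; check the LIBDIR used at" >&2
        echo "build time or set IPTABLES_LIB_DIR to the install location" >&2
        return 2
    fi
    echo "TPROXY target is built and installed in $libdir"
    return 0
}

# Usage: sh tproxy-check.sh /path/to/iptables-src [/path/to/libdir]
if [ $# -ge 1 ]; then
    check_tproxy_build "$1" "${2:-$(iptables_lib_dir)}"
fi
```

Run it against the patched source tree before reaching for a different kernel: a return of 1 means the fix is simply the chmod and a rebuild, as suggested in the reply, while a return of 2 means the build was fine and only the search path is wrong.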