[tproxy] Patching iptables

KOVACS Krisztian hidden at balabit.hu
Fri Apr 7 13:16:22 CEST 2006


On Friday 07 April 2006 10.40, Jan Engelhardt wrote:
> >It turns out that the port isn't being faked either.
> >
> >I'm only able to connect if I set the foreign IP address equal to the
> > local IP address and the foreign port equal to the local port.
> >
> >A tcpdump at the client shows that the IP headers aren't being modified.
> >It's as if tproxy is creating entries in the hash table (TPROXY_ASSIGN
> > and the subsequent call to setsockopt() is successful), but isn't
> > overwriting the appropriate fields in the IP headers.
> >
> >Any thoughts?
> Nguyen, If you bind() explicitly to, does it work then? Just a
> guess...
> Krisztian, any thoughts? Seems to be the reason why I need
> 'tcp_outgoing_address' in Squid...

  Take a look at your kernel log, maybe you can find some tproxy-related 
messages there (lines containing IP_TPROXY).

  In case you can't find anything in the logs I'd suggest enabling debug 
output. (Replace '#if 0' with '#if 1' before the '#define DEBUGP printk' 
line in net/ipv4/netfilter/iptable_tproxy.c) This will spit out a lot of 
debug messages which may be helpful in diagnosing the problem.

  Krisztian Kovacs
