[tproxy] Patching iptables
hidden at balabit.hu
Fri Apr 7 13:16:22 CEST 2006
On Friday 07 April 2006 10.40, Jan Engelhardt wrote:
> >It turns out that the port isn't being faked either.
> >I'm only able to connect if I set the foreign IP address equal to the
> > local IP address and the foreign port equal to the local port.
> >A tcpdump at the client shows that the IP headers aren't being modified.
> >It's as if tproxy is creating entries in the hash table (TPROXY_ASSIGN
> > and the subsequent call to setsockopt() is successful), but isn't
> > overwriting the approriate fields in the IP headers.
> >Any thoughts?
> Nguyen, If you bind() explicitly to 126.96.36.199, does it work then? Just a
> Krisztian, any thoughts? Seems to be the reason why I need
> 'tcp_outgoing_address' in Squid...
Take a look at your kernel log, maybe you can find some tproxy-related
messages there (lines containing IP_TPROXY).
In case you can't find anything in the logs I'd suggest enabling debug
output. (Replace '#if 0' with '#if 1' before the '#define DEBUGP printk'
line in net/ipv4/netfilter/iptable_tproxy.c) This will spit out a lot of
debug messages which may be helpful in diagnosing the problem.
More information about the tproxy