[tproxy] Patching iptables
n3nguyen at gmail.com
Fri Apr 7 20:03:35 CEST 2006
I've figured out my problem: I need to load the iptable_nat module. Thanks
for your help.
Jan, regarding the tcp_outgoing_address in Squid:
I'm guessing you need it because Squid, by default, binds sockets to 0.0.0.0.
This means that when you try to do a TPROXY_ASSIGN, it will fail
(specifically, setsockopt() will with errno = EINVAL). Maybe you're
referring to something else entirely, in which case you should just
disregard my comment.
On 4/7/06, KOVACS Krisztian <hidden at balabit.hu> wrote:
> On Friday 07 April 2006 10.40, Jan Engelhardt wrote:
> > >It turns out that the port isn't being faked either.
> > >
> > >I'm only able to connect if I set the foreign IP address equal to the
> > > local IP address and the foreign port equal to the local port.
> > >
> > >A tcpdump at the client shows that the IP headers aren't being
> > >It's as if tproxy is creating entries in the hash table (TPROXY_ASSIGN
> > > and the subsequent call to setsockopt() is successful), but isn't
> > > overwriting the approriate fields in the IP headers.
> > >
> > >Any thoughts?
> > Nguyen, If you bind() explicitly to 188.8.131.52, does it work then? Just a
> > guess...
> > Krisztian, any thoughts? Seems to be the reason why I need
> > 'tcp_outgoing_address' in Squid...
> Take a look at your kernel log, maybe you can find some tproxy-related
> messages there (lines containing IP_TPROXY).
> In case you can't find anything in the logs I'd suggest enabling debug
> output. (Replace '#if 0' with '#if 1' before the '#define DEBUGP printk'
> line in net/ipv4/netfilter/iptable_tproxy.c) This will spit out a lot of
> debug messages which may be helpful in diagnosing the problem.
> Krisztian Kovacs
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the tproxy