[tproxy] Patching iptables

Nguyen Nguyen n3nguyen at gmail.com
Fri Apr 7 20:03:35 CEST 2006


I've figured out my problem: I need to load the iptable_nat module.  Thanks
for your help.

Jan, regarding the tcp_outgoing_address in Squid:
I'm guessing you need it because Squid, by default, binds sockets to 0.0.0.0.
This means that when you try to do a TPROXY_ASSIGN, it will fail
(specifically, setsockopt() will fail with errno = EINVAL).  Maybe you're
referring to something else entirely, in which case you should just
disregard my comment.

N

On 4/7/06, KOVACS Krisztian <hidden at balabit.hu> wrote:
>
>
>   Hi,
>
> On Friday 07 April 2006 10.40, Jan Engelhardt wrote:
> > >It turns out that the port isn't being faked either.
> > >
> > >I'm only able to connect if I set the foreign IP address equal to the
> > > local IP address and the foreign port equal to the local port.
> > >
> > >A tcpdump at the client shows that the IP headers aren't being
> > > modified.
> > >It's as if tproxy is creating entries in the hash table (TPROXY_ASSIGN
> > > and the subsequent call to setsockopt() is successful), but isn't
> > > overwriting the appropriate fields in the IP headers.
> > >
> > >Any thoughts?
> >
> > Nguyen, If you bind() explicitly to 1.2.3.4, does it work then? Just a
> > guess...
> >
> > Krisztian, any thoughts? Seems to be the reason why I need
> > 'tcp_outgoing_address' in Squid...
>
>   Take a look at your kernel log, maybe you can find some tproxy-related
> messages there (lines containing IP_TPROXY).
>
>   In case you can't find anything in the logs I'd suggest enabling debug
> output. (Replace '#if 0' with '#if 1' before the '#define DEBUGP printk'
> line in net/ipv4/netfilter/iptable_tproxy.c) This will spit out a lot of
> debug messages which may be helpful in diagnosing the problem.
>
> --
> Regards,
>   Krisztian Kovacs
>