[tproxy] TProxy version 4.0.0 released
Laszlo Attila Toth
panther at balabit.hu
Thu Aug 2 13:25:39 CEST 2007
On Thursday 02 August 2007 00.03.35 Cameron Schaus wrote:
> On Tue, Jul 31, 2007 at 12:31:35PM +0200, Laszlo Attila Toth wrote:
> > TProxy version 4.0.0 has been released for Linux 2.6.17 (Ubuntu
> > 2.6.17.1-12.39) and 2.6.23-rc1
>
> I downloaded the TProxy version 4.0.0 tarball for 2.6.17, patched and
> built myself a kernel. I am now trying to get a test
> foreign-tcp-connect program working to test my kernel. But, I must be
> missing something, because my test program is not working.
>
> Here is what I've done:
>
> - loaded the tproxy modules on the client test machine
> # modprobe xt_proxy
> # modprobe iptable_tproxy tproxy_any=1
>
> - added a static arp entry for the foreign address on my web server
> pointing to the client test machine
>
> - execute my c program on the client machine,
> which essentially does the following
> (I can post the code if it is helpful)
>
> sock = socket(AF_INET, SOCK_STREAM, 0);
> setsockopt(sock, SOL_IP, IP_FREEBIND, &sockopt, sizeof(sockopt));
> /* local bind */
> bind( sock, FOREIGN_IP, FOREIGN_PORT );
> connect( sock, REMOTE_IP, REMOTE_PORT );
>
> The connect hangs while the client machine (running the foreign
> connect program) sends out ARP packets asking who-has the foreign
> address.
>
> What am I missing in the above steps to get my foreign-connect program
> working?
Hello,
To bind to a foreign address you should echo 1
into the /proc/sys/net/ipv4/ip_nonlocal_bind file; this may help.
By the way, if you set IP_FREEBIND you don't need to use the tproxy_any=1
module parameter. In the tproxy table it is tested whether either IP_FREEBIND
or tproxy_any is set.
Hm, it seems I should write these into the README file, which is still a bit
outdated.
>
> Lastly, I noticed the set of diffs published does not include the
> IP_TRANSPARENT socket option. Has this setsockopt been dropped?
Yes, it is dropped. It is unnecessary since IP_FREEBIND is enough for
transparent proxying.
>
> Thanks,
> Cam
--
Regards,
Laszlo Attila Toth