[tproxy] TPROXY + Cisco Firewall

Jojy Varghese jojygv at yahoo.com
Tue Aug 14 02:30:44 CEST 2007


Hi 
    I thought some more info might be helpful for someone following this thread.  In my code, when I call "setsockopt" to set the TPROXY_ASSIGN and TPROXY_FLAGS options, I get an error. Please see the code below. Any ideas why this might be? Also, if I set the local address port to 0 or the foreign address port to 0, how does that matter? In other words, how important is the port assignment? 

thanks in advance
Jojy

##### Code Begins #########################
#include <string.h>          /* memset */
#include <sys/socket.h>      /* setsockopt, bind */
#include <netinet/in.h>      /* struct sockaddr_in, SOL_IP, htons */
#include <arpa/inet.h>       /* inet_aton */
#include <linux/netfilter_ipv4/ip_tproxy.h>  /* IP_TPROXY, struct in_tproxy, TPROXY_*, ITP_* */

/* __log() and LOG_ERROR are the poster's own logging helpers (not shown).
 * "handle" is an already created TCP socket, e.g. socket(AF_INET, SOCK_STREAM, 0). */
void setup_tproxy(int handle)
{
    struct in_tproxy itp;
    struct sockaddr_in sin;

    /* zero both structs so no padding or unused union members are garbage */
    memset(&itp, 0, sizeof(itp));
    memset(&sin, 0, sizeof(sin));

    /* Step 1: tell the kernel which tproxy API version this program expects */
    itp.op = TPROXY_VERSION;
    itp.v.version = 0x02000000;
    if(setsockopt(handle,SOL_IP,IP_TPROXY,&itp,sizeof(itp)) == -1 )
    {
        __log(LOG_ERROR, L"Error Setting version");
    }

    /* Step 2: bind the socket to its real local address/port before assigning
     * a foreign address to it */
    sin.sin_family=AF_INET;
    inet_aton("192.168.1.74", &sin.sin_addr);
    sin.sin_port=htons(9999);

    if(bind(handle, (struct sockaddr*)&sin, sizeof(sin)) == -1)
    {
        __log(LOG_ERROR, L"Error Binding");
    }

    /* Step 3: assign the foreign (spoofed) address/port the connection should
     * appear to come from; this is the call that fails for the poster */
    itp.op = TPROXY_ASSIGN;
    inet_aton("192.168.1.75", (struct in_addr *)&itp.v.addr.faddr);
    itp.v.addr.fport=htons(2000);

    if(setsockopt(handle,SOL_IP,IP_TPROXY,&itp,sizeof(itp)) == -1 )
    {
        __log(LOG_ERROR, L"Error Setting Assign Option ");
    }

    /* Step 4: request that the outgoing connect() use the assigned foreign address */
    itp.op = TPROXY_FLAGS;
    itp.v.flags = ITP_CONNECT;

    if(setsockopt(handle,SOL_IP,IP_TPROXY,&itp,sizeof(itp)) == -1 )
    {
        __log(LOG_ERROR, L"Error Setting Flags Option ");
    }

    // Code to connect follows
}
### Code ends ####

Message: 1
Date: Mon, 13 Aug 2007 10:13:15 +0200
From: Laszlo Attila Toth <panther at balabit.hu>
Subject: Re: [tproxy] TPROXY + Cisco Firewall
To: tproxy at lists.balabit.hu
Message-ID: <200708131013.16001.panther at balabit.hu>
Content-Type: text/plain;  charset="utf-8"

On Sunday 12 August 2007 00.28.07 Jojy Varghese wrote:
> Hi all
> 3.
> I have verified my changes by creating a REDIRECTION rule in the tproxy
> chain (can list my iptable changes by doing "iptables -t tproxy -L")

Hello,

For instance, a client tries to connect to a webserver somewhere on the Internet 
listening on port 80, and your proxy is listening on port 50080. The iptables 
rule that redirects packets to that port is the following:

    iptables -t tproxy -p tcp --dport 80 -j TPROXY --on-port 50080

The next one is to allow incoming traffic on that port. Because the TPROXY 
target marks the packet, the following rule accepts these packets:

    iptables -t filter -A INPUT -m tproxy -j ACCEPT

A tutorial is available here:
    http://www.balabit.hu/network-security/zorp-gateway/gpl/tutorial/


-- 
Regards,
    Laszlo Attila Toth

End of tproxy Digest, Vol 26, Issue 11
**************************************