[tproxy] tproxy4, kernel 2.6.22 and squid-2.6.stable13
Ming-Ching Tiew
mingching.tiew at redtone.com
Thu Dec 6 11:23:50 CET 2007
From: "Laszlo Attila Toth" <panther at balabit.hu>
>
> In 4.0.3 the fwmark is not used by tproxy, another value is used for it:
> sk_buff.tproxy
>
> With the tproxy match it should work, currently I don't see what can be
> the problem. The policy/fwmark usage is probably independent from it.
>
You are right, it might not be 'tproxy' at all. Because when squid makes an
outbound connection, the modified squid will use IP_FREEBIND
to spoof an outgoing IP. There is no tproxy redirect involved at all. It's
purely an outbound connection bound to a foreign IP using IP_FREEBIND.
I have a little program which I used to simulate this behaviour
(which I also used to verify the SNAT problem as well).
To invoke the program :-
# ./spoof 192.168.1.5 72.14.235.99
where 192.168.1.5 is the IP I want to spoof, and 72.14.235.99 is the IP
where I have web services available to verify the return path. I have
used www.google.com in this example.
If I flush the mangle OUTPUT chain, I could spoof the IP and get a reply
from google. If I have something which MARKs the outgoing packet, the program
'spoof' will hang. The (arbitrary) iptables command I used :-
iptables -t mangle -A OUTPUT -j MARK --set-mark 5
But it can be any other MARKs as well.
Regards.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: spoof.c
Type: application/octet-stream
Size: 1853 bytes
Desc: not available
Url : http://lists.balabit.hu/pipermail/tproxy/attachments/20071206/ed894d8a/attachment.obj
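
Added example (not the scrubbed spoof.c attachment, and not code from the poster or from squid): a minimal Linux C sketch of the bind step the message describes, showing that binding a socket to an address the host does not own is refused unless IP_FREEBIND is set first. The function name bind_source and the address 192.0.2.5 (a TEST-NET-1 documentation address) are assumptions made for this illustration; no connection is made.

```c
/* Added illustration; Linux only. Not the original spoof.c. */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Hypothetical helper: bind a TCP socket to src_ip (ephemeral port).
 * If freebind is non-zero, IP_FREEBIND is set before bind().
 * Returns 0 on success, otherwise the errno of the failing call. */
int bind_source(const char *src_ip, int freebind)
{
    struct sockaddr_in sa;
    int one = 1, err = 0;
    int fd = socket(AF_INET, SOCK_STREAM, 0);

    if (fd < 0)
        return errno;

    memset(&sa, 0, sizeof(sa));
    sa.sin_family = AF_INET;
    if (inet_pton(AF_INET, src_ip, &sa.sin_addr) != 1) {
        close(fd);
        return EINVAL;
    }

    /* IP_FREEBIND lets bind() accept an address that is not configured
     * on any local interface; a later connect() would then leave the
     * host with that source address and traverse mangle OUTPUT. */
    if (freebind &&
        setsockopt(fd, IPPROTO_IP, IP_FREEBIND, &one, sizeof(one)) < 0)
        err = errno;
    else if (bind(fd, (struct sockaddr *)&sa, sizeof(sa)) < 0)
        err = errno;

    close(fd);
    return err;
}

int main(void)
{
    const char *ip = "192.0.2.5"; /* constructed sample, not a local IP */

    printf("plain bind:  %s\n", strerror(bind_source(ip, 0)));
    printf("IP_FREEBIND: %s\n", strerror(bind_source(ip, 1)));
    return 0;
}
```

With the default net.ipv4.ip_nonlocal_bind=0, the plain bind reports "Cannot assign requested address" and the IP_FREEBIND bind succeeds.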