[tproxy] tproxy4, kernel 2.6.22 and squid-2.6.stable13

Ming-Ching Tiew mingching.tiew at redtone.com
Thu Dec 6 11:23:50 CET 2007

From: "Laszlo Attila Toth" <panther at balabit.hu>

> In 4.0.3 the fwmark is not used by tproxy, another value is used for it:
>   sk_buff.tproxy
> With the tproxy match it should work, currently I don't see what can be
> the problem. The policy/fwmark usage is propably independent from it.

You are right, it might not be 'tproxy' at all. Because when squid makes a
outbound connection, the modified squid will use IP_FREEBIND
to spoof an outgoing IP. There is no tproxy redirect involved at all. It's
purely an outbound connection binded to a foreign IP using IP_FREEBIND.

I have a little program which I used to simulate this behaviour (
which I also used it to verify the SNAT problem as well ).

To invoke the program :-

           # ./spoof

where is the IP I want to spoof, and is the IP
where I have web services available to verify the return path. I have
used www.google.com in this example.

If I flush the mangle OUTPUT chain, I could spoof the IP and get a reply
google. If I have something which MARKs the outgoing packet, the program
'spoof' will hang. The (arbitrary ) iptables command I used :-

        iptables -t mangle -A OUTPUT -j MARK --set-mark 5

But it can be any other MARKs as well.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: spoof.c
Type: application/octet-stream
Size: 1853 bytes
Desc: not available
Url : http://lists.balabit.hu/pipermail/tproxy/attachments/20071206/ed894d8a/attachment.obj 

More information about the tproxy mailing list