[tproxy] tproxy4, kernel 2.6.22 and squid-2.6.stable13

Ming-Ching Tiew mingching.tiew at redtone.com
Wed Dec 12 02:20:41 CET 2007

From: "Daniel" <tooldcas at 163.com>

> I'm kinda confused...
> Which version exactly are you discussing?
> On the balabit site[1], tproxy needs iptable_tproxy and hacks the route code, but
> on KOVACS Krisztian's webpage[2],
> the tproxy patch uses policy routing to make non-local sockets work without
> both NAT and iptable_tproxy.

It's not that confusing if you have attempted to use them. In all my posts,
IP_FREEBIND is mentioned, and that means this patch :-

> [1]http://www.balabit.com/downloads/files/tproxy/

The other one is here :-

> [2]http://people.netfilter.org/hidden/tproxy/

I could not find a suitable matching iptables counterpart, and the kernel
versions are too new for me to use.

> PS: I hope to see a tproxy-4.0.4 patchset before tproxy is merged into
> kernel 2.6.25. ;)
> Regards

But before that, perhaps you could at least try version 4.0.3 and see
if you can reproduce my problem? I don't want to be the one giving
the wrong feedback. Strangely enough, nobody is noticing this. And I think the
developers are skeptical about my feedback too! :-)

And I don't want it to be the case that I am making a systematic error in my
testing and therefore drawing the wrong conclusion!

To repeat, this is what I suggest :-

1. compile a kernel 2.6.22 with the patch on the balabit website.
2. compile iptables 1.3.8 using the iptables patch on the balabit website.
3. configure the system with a default route without SNAT so that
   it can access internet. No policy routing needed.
4. download this small program which I posted earlier :-


   And compile it as 'spoof'.

5. No need to set up a bridge, ebtables or even tproxy targets (but you
    could set them up too; it does not matter). The objective of the test is
    to check whether packets can get out of the box, so we are not worried about
    the return path. Use 'tcpdump' to check the outgoing traffic.

6. Invoke the program this way :-

        # ./spoof <source IP> <destination IP>

    Where <source IP> could be a local IP or a foreign IP and
    <destination IP> is any website's IP address.

    Without a MARK in the mangle OUTPUT chain, whether it's a local IP or a foreign
    IP, packets can get out of the box (check it using tcpdump).

    With the MARK, only a local IP can have packets going out of the box.

    To mark outgoing packets, do this :-

            iptables -t mangle -A OUTPUT -j MARK --set-mark 5

Looking forward to your testing results.
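The following is an added example for this post; it is not the 'spoof' program the author posted (that program is not reproduced on this page). It shows the mechanism the test above relies on: on Linux, IP_FREEBIND lets bind() accept a source address that is configured on no local interface, after which the kernel is asked to emit a datagram carrying that address as its source. The program tries the bind once without and once with IP_FREEBIND so the contrast is visible. Assumptions not in the original: Linux with glibc headers, IPv4 UDP to port 53 by default, the payload text, and the TEST-NET addresses used in comments and usage, all of which are constructed for illustration.

```c
/*
 * freebind_send.c - send one UDP datagram with an arbitrary source address.
 *
 * Added example, not the original poster's 'spoof' program. Linux only:
 * IP_FREEBIND is a Linux socket option (glibc <netinet/in.h>).
 *
 * A successful sendto() only means the stack accepted the datagram; whether it
 * actually leaves the box is what tcpdump on the outgoing interface shows, which
 * is the check the post asks for with and without the mangle OUTPUT MARK rule.
 */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

enum spoof_result {
    SPOOF_SENT = 0,          /* datagram accepted by the stack with the requested source */
    SPOOF_BAD_ADDR,          /* src or dst is not a dotted-quad IPv4 address */
    SPOOF_NO_SOCKET,         /* socket() failed, e.g. networking blocked by a sandbox */
    SPOOF_SETSOCKOPT_FAILED, /* setsockopt(IP_FREEBIND) rejected */
    SPOOF_BIND_FAILED,       /* bind() rejected the source: EADDRNOTAVAIL without IP_FREEBIND */
    SPOOF_SEND_FAILED        /* sendto() failed, e.g. ENETUNREACH with no default route */
};

/* errno of the failing call, 0 on success; global so callers need no out-parameter */
int spoof_last_errno = 0;

/* Bind a UDP socket to src (local or, when freebind != 0, non-local) and send one
 * datagram to dst:dport. Returns a spoof_result; spoof_last_errno explains failures. */
enum spoof_result spoof_udp(const char *src, const char *dst, uint16_t dport, int freebind)
{
    struct sockaddr_in sa, da;
    int fd, one = 1;
    const char payload[] = "tproxy freebind test"; /* constructed payload, content irrelevant */

    memset(&sa, 0, sizeof sa);
    memset(&da, 0, sizeof da);
    sa.sin_family = da.sin_family = AF_INET;
    if (inet_pton(AF_INET, src, &sa.sin_addr) != 1 ||
        inet_pton(AF_INET, dst, &da.sin_addr) != 1) {
        spoof_last_errno = EINVAL;
        return SPOOF_BAD_ADDR;
    }
    sa.sin_port = 0;            /* let the kernel pick the source port */
    da.sin_port = htons(dport);

    fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0) { spoof_last_errno = errno; return SPOOF_NO_SOCKET; }

    /* Without this option, bind() to an address not on any interface fails. */
    if (freebind && setsockopt(fd, IPPROTO_IP, IP_FREEBIND, &one, sizeof one) < 0) {
        spoof_last_errno = errno; close(fd); return SPOOF_SETSOCKOPT_FAILED;
    }
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0) {
        spoof_last_errno = errno; close(fd); return SPOOF_BIND_FAILED;
    }
    if (sendto(fd, payload, sizeof payload, 0, (struct sockaddr *)&da, sizeof da) < 0) {
        spoof_last_errno = errno; close(fd); return SPOOF_SEND_FAILED;
    }
    close(fd);
    spoof_last_errno = 0;
    return SPOOF_SENT;
}

static const char *result_name(enum spoof_result r)
{
    static const char *names[] = { "sent", "bad address", "socket() failed",
        "setsockopt(IP_FREEBIND) failed", "bind() failed", "sendto() failed" };
    return names[r];
}

/* Usage: ./freebind_send <source IP> <destination IP> [dest UDP port, default 53]
 * e.g.   ./freebind_send 192.0.2.1 198.51.100.1   (constructed TEST-NET addresses) */
int main(int argc, char **argv)
{
    uint16_t dport = 53;
    int fb;
    if (argc < 3) {
        fprintf(stderr, "usage: %s <source IP> <destination IP> [port]\n", argv[0]);
        return 2;
    }
    if (argc > 3) dport = (uint16_t)atoi(argv[3]);
    for (fb = 0; fb <= 1; fb++) {
        enum spoof_result r = spoof_udp(argv[1], argv[2], dport, fb);
        printf("%s IP_FREEBIND: %s%s%s\n", fb ? "with   " : "without",
               result_name(r), r ? ": " : "", r ? strerror(spoof_last_errno) : "");
    }
    return 0;
}
```

Run it with `tcpdump -ni <outgoing interface> udp and host <destination IP>` in another terminal, once before and once after adding the `iptables -t mangle -A OUTPUT -j MARK --set-mark 5` rule from the post; the program's own output only tells you whether the stack accepted the datagram, while the tcpdump capture is what answers the question the post raises.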

