[tproxy] tproxy LISTEN proxy does not work.
KOVACS Krisztian
hidden at balabit.hu
Mon Jan 15 14:11:50 CET 2007
Hi,
On Friday 12 January 2007 06:10, Yoshioka Tsuneo wrote:
> When I tried to listen proxy using tproxy like following, it does not
> work to be intented.
> Structure: Client <===> Proxy <===> Server
>
> 1. On Proxy, listen on the port 9999.
> 2. On Proxy, assign Server:2000 using TPROXY_ASSIGN, and set
> ITP_LISTEN flag.
> 3. Client connect to Server:2000.
> 4. Proxy steal connection using tproxy.(using ITP_LISTEN)
> 5. Proxy connect to Server:2000.
>
> On "4.", Proxy should connect server:2000 on "4.". But, actually, proxy
> connect to Proxy:9999.
This is probably because TProxy cannot differentiate between incoming
and outgoing traffic, and when you try to connect to server:2000 that
connection also gets stolen.
Try something like this instead:
1. Proxy listens on port 9999
2. Instead of assigning server:2000 on the listener, add an iptables rule:
iptables -t tproxy -A PREROUTING -s client_net/mask -d server \
-p tcp --dport 2000 -j TPROXY --on-port 9999
The difference here is that this rule does not apply to locally
generated traffic, therefore your connection from the proxy to the server
won't get caught. The rest of the process should be OK.
--
Regards,
Krisztian Kovacs
More information about the tproxy
mailing list