[tproxy] tproxy LISTEN proxy does not work.

Yoshioka Tsuneo tsuneo.yoshioka at f-secure.com
Tue Jan 16 02:55:42 CET 2007


Hello KOVACS Krisztian-san

Thank you for your kind help!

Adding an iptables rule seems to solve this issue.
And, while thinking about this issue, I have a question about the
difference between an "iptables rule" and tproxy.

To keep the src/dst addresses on the proxy, do both of the following methods
produce the same result?
 1. Adding an iptables DNAT/SNAT rule for the session used on the socket.
    (by using setsockopt with SO_SET_REPLACE/SO_SET_ADD_COUNTERS?)
 2. Calling the tproxy interface for the socket.
    (by using setsockopt with TPROXY_ASSIGN/TPROXY_FLAGS)

"1." does not requires kernel patch, but is there some issue ?
(Ex: performance, or others ?)

I would appreciate it if I could get some information.

Thank you !

-- 
(Nihon F-Secure Corporation)
Yoshioka Tsuneo
E-MAIL: Tsuneo.Yoshioka at f-secure.com

> 
>   Hi,
> 
> On Friday 12 January 2007 06:10, Yoshioka Tsuneo wrote:
> > When I tried a listening proxy using tproxy like the following, it does not
> > work as intended.
> >   Structure: Client <===> Proxy <===> Server
> >
> >   1. On Proxy, listen on the port 9999.
> >   2. On Proxy, assign Server:2000 using TPROXY_ASSIGN, and set
> >      ITP_LISTEN flag.
> >   3. Client connects to Server:2000.
> >   4. Proxy steals the connection using tproxy (using ITP_LISTEN).
> >   5. Proxy connects to Server:2000.
> >
> > On "4.", Proxy should connect server:2000 on "4.". But, actually, proxy
> > connect to Proxy:9999.
> 
>   This is probably because TProxy cannot differentiate between incoming 
> and outgoing traffic, and when you try to connect to server:2000 that 
> connection also gets stolen.
> 
>   Try something like this instead:
> 
> 1. Proxy listens on port 9999
> 2. Instead of assigning server:2000 on the listener, add an iptables rule:
>    iptables -t tproxy -A PREROUTING -s client_net/mask -d server \
>       -p tcp --dport 2000 -j TPROXY --on-port 9999
> 
>   The difference here is that this rule does not apply to locally 
> generated traffic, therefore your connection from the proxy to the server 
> won't get caught. The rest of the process should be OK.
> 
> -- 
>  Regards,
>   Krisztian Kovacs
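The rule-based setup that Krisztian suggests, carried through to a working proxy that also answers the src/dst question above. This is an added example, not code from the thread or from the BalaBit tproxy patch: it uses the mainline kernel's tproxy (the IP_TRANSPARENT socket option, in-tree since 2.6.28, plus the mangle-table TPROXY target and a policy-routing rule), which replaced the patch-era "-t tproxy" table and the TPROXY_ASSIGN/TPROXY_FLAGS setsockopt interface discussed in the thread. Listener port 9999 and server port 2000 are the thread's; CLIENT_NET and SERVER in the setup commands are placeholders, and the kernel version and rule set are assumptions. Accepting and connecting need root (CAP_NET_ADMIN); the relay logic itself runs unprivileged.

```python
"""Minimal transparent TCP proxy for Linux built on mainline tproxy
(IP_TRANSPARENT + iptables TPROXY target + policy routing).

Added example; not from the tproxy list or the BalaBit patch.  Assumed
host setup (ports as in the thread: client -> server:2000 stolen to :9999;
CLIENT_NET and SERVER are placeholders):

    iptables -t mangle -A PREROUTING -s CLIENT_NET -d SERVER -p tcp \\
        --dport 2000 -j TPROXY --on-port 9999 --tproxy-mark 0x1/0x1
    ip rule add fwmark 0x1 lookup 100
    ip route add local 0.0.0.0/0 dev lo table 100

As Krisztian notes, the PREROUTING hook never sees the proxy's own locally
generated connection to the server, so that leg is not stolen.
"""
import select
import socket
import threading

# Linux value of IP_TRANSPARENT (linux/in.h); older Python builds lack the
# constant, so fall back to the number.
IP_TRANSPARENT = getattr(socket, "IP_TRANSPARENT", 19)

LISTEN_PORT = 9999   # proxy listener from the thread
BUFSIZE = 65536


def make_listener(port=LISTEN_PORT):
    """Listening socket that may accept connections for foreign addresses."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.setsockopt(socket.IPPROTO_IP, IP_TRANSPARENT, 1)   # needs CAP_NET_ADMIN
    s.bind(("0.0.0.0", port))
    s.listen(128)
    return s


def connect_upstream(client_addr, server_addr):
    """Open the proxy->server leg with the *client's* address as source.

    IP_TRANSPARENT allows binding to a non-local address, so the server
    sees the original client IP/port (the "keep src" half of the question);
    the policy-routing rule pulls the server's replies back to this socket.
    """
    up = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    up.setsockopt(socket.IPPROTO_IP, IP_TRANSPARENT, 1)
    up.bind(client_addr)        # spoofed source = original client
    up.connect(server_addr)     # original destination, see handle()
    return up


def relay(a, b):
    """Copy bytes both ways until both directions have seen EOF.

    Returns (bytes a->b, bytes b->a).  Plain socket logic that works on any
    pair of connected sockets, so it is the part exercised unprivileged.
    """
    counts = {a: 0, b: 0}
    peers = {a: b, b: a}
    open_dirs = {a, b}
    while open_dirs:
        readable, _, _ = select.select(list(open_dirs), [], [])
        for src in readable:
            data = src.recv(BUFSIZE)
            if not data:                      # EOF on this direction
                open_dirs.discard(src)
                try:
                    peers[src].shutdown(socket.SHUT_WR)   # propagate FIN
                except OSError:
                    pass
                continue
            peers[src].sendall(data)
            counts[src] += len(data)
    return counts[a], counts[b]


def handle(client):
    """One stolen connection: recover the original destination, splice."""
    try:
        # With TPROXY the accepted socket's local address *is* the original
        # destination (server:2000), not proxy:9999 ("keep dst").
        original_dst = client.getsockname()
        client_addr = client.getpeername()
        upstream = connect_upstream(client_addr, original_dst)
        with client, upstream:
            relay(client, upstream)
    except OSError:
        client.close()


def serve_forever(listener):
    while True:
        conn, _ = listener.accept()
        threading.Thread(target=handle, args=(conn,), daemon=True).start()


if __name__ == "__main__":
    serve_forever(make_listener())
```

Compared with method "1." in the question, nothing here rewrites addresses in netfilter: the kernel delivers the unmodified SYN for server:2000 to the 9999 listener, and the upstream leg is bound to the client's own address, so both ends see the real peer addresses and no per-session SNAT/DNAT rule has to be installed from userspace.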
