[tproxy] Fwd: Tproxy changes for performing dual NAT
Arun S
hi2arun at gmail.com
Tue Oct 30 08:13:04 CET 2007
Hi Attila,
I have a problem with tproxy4 that I downloaded from the given links.
Setup:
LAN1: eth0: 20.20.20.4/24
TPROXYGw: eth1: 20.20.20.1/24 eth0: 30.0.1.1/24
WWW: eth0: 30.0.1.3/24
LAN1 <-----------> TPROXYGw <--------------> WWW
TPROXYGw runs a sample proxy server (with IP_TRANSPARENT socket option
enabled) that listens on TCP port 8080.
Scenario 1:
Testing normal TPROXY functionality:
The following ip and iptable rules are added:
ip rule add fwmark 1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100
iptables -t mangle -N DIVERT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 8080
Output:
[root at Arun-FC6-SQUID ~]# ./listIpt.sh
MANGLE
Chain PREROUTING (policy ACCEPT 27615 packets, 2707393 bytes)
 pkts bytes target  prot opt in  out source     destination
 1129 98288 DIVERT  tcp  --  *   *   0.0.0.0/0  0.0.0.0/0    socket
    0     0 TPROXY  tcp  --  *   *   0.0.0.0/0  0.0.0.0/0    tcp dpt:80 TPROXY redirect 0.0.0.0:8080 mark 0x1/0x1
Chain DIVERT (1 references)
 pkts bytes target  prot opt in  out source     destination
 1132 98460 MARK    all  --  *   *   0.0.0.0/0  0.0.0.0/0    MARK set 0x1
 1132 98460 ACCEPT  all  --  *   *   0.0.0.0/0  0.0.0.0/0
[root at Arun-FC6-SQUID ~]# ip rule show
0: from all lookup local
32765: from all fwmark 0x1 lookup 100
32766: from all lookup main
32767: from all lookup default
In this case, TPROXY stuff is working properly.
PS: A route to 30.0.1.1 on WWW was added for network 20.20.20.0/24
[root at Arun-FC6-WWW ~]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
172.30.11.96 0.0.0.0 255.255.255.224 U 0 0 0 eth0
20.20.20.0 30.0.1.1 255.255.255.0 UG 0 0 0 eth0
30.0.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0
0.0.0.0 172.30.11.97 0.0.0.0 UG 0 0 0 eth0
Scenario 2:
Testing SNAT with TPROXY:
The following ip and iptable rules are added:
ip rule add fwmark 1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100
iptables -t mangle -N DIVERT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 8080
iptables -t nat -A POSTROUTING -o eth0 -s 20.20.20.4 -j SNAT --to 95.75.75.104
Output:
[root at Arun-FC6-SQUID ~]# ./listIpt.sh
POSTROUTING - NAT
Chain POSTROUTING (policy ACCEPT 1254 packets, 167219 bytes)
 pkts bytes target  prot opt in  out   source      destination
    0     0 SNAT    all  --  *   eth0  20.20.20.4  0.0.0.0/0    to:95.75.75.104
MANGLE
Chain PREROUTING (policy ACCEPT 27667 packets, 2716681 bytes)
 pkts bytes target  prot opt in  out source     destination
  252 21872 DIVERT  tcp  --  *   *   0.0.0.0/0  0.0.0.0/0    socket
    0     0 TPROXY  tcp  --  *   *   0.0.0.0/0  0.0.0.0/0    tcp dpt:80 TPROXY redirect 0.0.0.0:8080 mark 0x1/0x1
Chain DIVERT (1 references)
 pkts bytes target  prot opt in  out source     destination
  254 21952 MARK    all  --  *   *   0.0.0.0/0  0.0.0.0/0    MARK set 0x1
  254 21952 ACCEPT  all  --  *   *   0.0.0.0/0  0.0.0.0/0
In this case, SNAT is happening properly. But ACK is not happening as
part of the three-way handshake. So the client hangs around till the
timeout happens.
Please find attached the sample-TPROXY server code with this.
Am I missing any commands or configuration?
TIA.
Regards,
Arun S.
On 26/10/2007, Laszlo Attila Toth <panther at balabit.hu> wrote:
> Arun S wrote:
> > Oops!
> >
> > Shall I go ahead with linux-2.6.23.tar.bz2 and
> > tproxy4-2.6.23-200710090922.tar.bz2 ?
> >
>
> Yes... If you mean these two:
>
> http://people.netfilter.org/hidden/tproxy/iptables-tproxy-200710091749.diff
> http://people.netfilter.org/hidden/tproxy/tproxy4-2.6.23-200710090922.tar.bz2
>
> --
> Panther
>
--
Regards,
Arun S.
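A minimal IP_TRANSPARENT listener of the kind TPROXYGw runs, added here as an example (it is not the attached tcpServer.c). It shows the two things the rules above depend on: the socket option that lets a proxy accept a connection addressed to WWW rather than to the gateway, and getsockname() on the accepted socket reporting the destination the client actually dialled. Function names are my own; the port argument should match --on-port 8080, and IP_TRANSPARENT needs CAP_NET_ADMIN, so as an unprivileged user open_listener() fails with EPERM.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#ifndef IP_TRANSPARENT
#define IP_TRANSPARENT 19 /* Linux value; older libc headers lack the macro */
#endif

/* Render "a.b.c.d:port" for log lines; returns buf. */
const char *format_endpoint(const struct sockaddr_in *sa, char *buf, size_t len)
{
    char ip[INET_ADDRSTRLEN];
    inet_ntop(AF_INET, &sa->sin_addr, ip, sizeof ip);
    snprintf(buf, len, "%s:%u", ip, ntohs(sa->sin_port));
    return buf;
}

/* Listener for TPROXY-diverted TCP. IP_TRANSPARENT is what allows the socket
 * to accept connections whose destination is not a local address; setting it
 * needs CAP_NET_ADMIN, so this returns -1 with errno == EPERM when unprivileged. */
int open_listener(uint16_t port)
{
    int one = 1, fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    struct sockaddr_in a = { .sin_family = AF_INET, .sin_port = htons(port) };
    a.sin_addr.s_addr = htonl(INADDR_ANY);      /* 0.0.0.0, as in the TPROXY rule */
    if (setsockopt(fd, IPPROTO_IP, IP_TRANSPARENT, &one, sizeof one) < 0 ||
        bind(fd, (struct sockaddr *)&a, sizeof a) < 0 || listen(fd, 16) < 0) {
        int saved = errno; close(fd); errno = saved; return -1;
    }
    return fd;
}

/* Accept one diverted connection. TPROXY delivered the SYN without rewriting
 * it, so getsockname() on the accepted socket yields the address the client
 * really dialled (e.g. 30.0.1.3:80), not the proxy's own 0.0.0.0:8080. */
int accept_diverted(int lfd, struct sockaddr_in *client, struct sockaddr_in *orig_dst)
{
    socklen_t cl = sizeof *client, dl = sizeof *orig_dst;
    int cfd = accept(lfd, (struct sockaddr *)client, &cl);
    if (cfd < 0) return -1;
    if (getsockname(cfd, (struct sockaddr *)orig_dst, &dl) < 0) { close(cfd); return -1; }
    return cfd;
}
```

A relay would then open its upstream socket with IP_TRANSPARENT as well and bind it to the client address before connecting to orig_dst, which is why the fwmark rule and the local route in table 100 are also needed for the return traffic.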
-------------- next part --------------
A non-text attachment was scrubbed...
Name: tcpServer.c
Type: application/octet-stream
Size: 3501 bytes
Desc: not available
Url : http://lists.balabit.hu/pipermail/tproxy/attachments/20071030/349199ca/attachment.obj