[tproxy] Fwd: Tproxy changes for performing dual NAT

Tóth László Attila panther at elte.hu
Tue Oct 30 09:27:55 CET 2007


Hello,

On 2007.10.30., at 8:13, Arun S wrote:

> Hi Attila,
>
> I have a problem with tproxy4 that I downloaded from the given links.
>
>


>
> Scenario 2:
> Testing SNAT with TPROXY:
>
> The following ip and iptable rules are added:
> ip rule add fwmark 1 lookup 100
> ip route add local 0.0.0.0/0 dev lo table 100
>
> iptables -t mangle -N DIVERT
> iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
> iptables -t mangle -A DIVERT -j MARK --set-mark 1
> iptables -t mangle -A DIVERT -j ACCEPT
>
> iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 8080
>
> iptables -t nat -A POSTROUTING -o eth0 -s 20.20.20.4 -j SNAT --to 95.75.75.104
>
> Output:
>
> [root at Arun-FC6-SQUID ~]# ./listIpt.sh
> POSTROUTING - NAT
> Chain POSTROUTING (policy ACCEPT 1254 packets, 167219 bytes)
>     pkts bytes target  prot opt in  out   source      destination
>        0     0 SNAT    all  --  *   eth0  20.20.20.4  0.0.0.0/0    to:95.75.75.104
>
> MANGLE
> Chain PREROUTING (policy ACCEPT 27667 packets, 2716681 bytes)
>     pkts bytes target  prot opt in  out  source     destination
>      252 21872 DIVERT  tcp  --  *   *    0.0.0.0/0  0.0.0.0/0    socket
>        0     0 TPROXY  tcp  --  *   *    0.0.0.0/0  0.0.0.0/0    tcp dpt:80 TPROXY redirect 0.0.0.0:8080 mark 0x1/0x1
> Chain DIVERT (1 references)
>     pkts bytes target  prot opt in  out  source     destination
>      254 21952 MARK    all  --  *   *    0.0.0.0/0  0.0.0.0/0    MARK set 0x1
>      254 21952 ACCEPT  all  --  *   *    0.0.0.0/0  0.0.0.0/0
>
> In this case, SNAT is happening properly. But the ACK is not happening as
> part of the three-way handshake. So the client hangs around till the
> timeout happens.
>
>

You didn't write what kind of TCP traffic doesn't work. If it comes
from the LAN1 network and the destination port is 80, it will go to
the TPROXY target to squid. All other traffic coming from the LAN1 is
independent of the tproxy patches, so it should work.

If the SNAT-ed traffic's local endpoint is the squid, it can
bind to that IP address (to any IP if the IP_TRANSPARENT sockopt is set).


> Please find attached the sample-TPROXY server code with this.

That seems ok and it works in the first scenario. This is what I
tested with netcat patched to use the IP_TRANSPARENT socket option. But I
didn't use SNAT because IP_TRANSPARENT lets the program bind to any
IP address when it connects to any other server (this would be the
server-side connection of the squid if binding to a foreign address
is necessary).

--
Attila
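A worked illustration of the proxy side described in this thread, added here as an example; it is not code from the thread, from the tproxy patches or from squid. It is a minimal transparent TCP proxy that listens on the TPROXY --on-port with IP_TRANSPARENT, takes the original destination from the accepted socket (with TPROXY, getsockname() on the accepted connection is the original destination), and opens its server-side connection bound to the client's own foreign address, which is why no SNAT rule is needed for that leg. The port 8080, the helper names and the loopback traffic are assumptions of this example. Running the accept loop needs CAP_NET_ADMIN on Linux plus the ip rule / table 100 local route and the mangle rules quoted above; the loopback check runs unprivileged.

```python
import select
import socket
import sys
import threading

# Option number from <linux/in.h>; older Python builds do not export it.
IP_TRANSPARENT = getattr(socket, "IP_TRANSPARENT", 19)


def make_transparent_socket():
    """TCP socket with IP_TRANSPARENT set (needs CAP_NET_ADMIN on Linux)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        s.setsockopt(socket.IPPROTO_IP, IP_TRANSPARENT, 1)
    except OSError:
        s.close()
        raise
    return s


def transparent_supported():
    """True when this process may set IP_TRANSPARENT (Linux only; the option
    number means something else on BSD-derived systems)."""
    if not sys.platform.startswith("linux"):
        return False
    try:
        make_transparent_socket().close()
        return True
    except OSError:
        return False


def open_listener(port):
    """Listener for the TPROXY target's --on-port. With IP_TRANSPARENT the
    socket accepts connections whose destination address is not local, which
    is what the fwmark 1 / table 100 local route delivers here."""
    s = make_transparent_socket()
    s.bind(("0.0.0.0", port))
    s.listen(128)
    return s


def connect_as_client(client_addr, server_addr):
    """Server-side leg with the client's own source IP: bind() to a foreign
    address is permitted because IP_TRANSPARENT is set, so no SNAT is needed."""
    s = make_transparent_socket()
    try:
        s.bind((client_addr[0], 0))  # port 0: kernel picks an ephemeral port
        s.connect(server_addr)
    except OSError:
        s.close()
        raise
    return s


def relay(a, b):
    """Copy bytes both ways until both sides sent EOF; returns (a->b, b->a)."""
    peer, counted, readers = {a: b, b: a}, {a: 0, b: 0}, {a, b}
    while readers:
        readable, _, _ = select.select(list(readers), [], [])
        for s in readable:
            data = s.recv(65536)
            if data:
                peer[s].sendall(data)
                counted[s] += len(data)
            else:
                readers.discard(s)
                try:
                    peer[s].shutdown(socket.SHUT_WR)  # pass the EOF on
                except OSError:
                    pass
    a.close()
    b.close()
    return counted[a], counted[b]


def read_until_eof(s):
    chunks = []
    while True:
        data = s.recv(65536)
        if not data:
            return b"".join(chunks)
        chunks.append(data)


def loopback_check():
    """Offline check of relay() over socketpairs with constructed traffic (no
    TPROXY involved): returns (what the fake server saw, what the fake client
    got back, relay()'s byte counts)."""
    request, response = b"GET / HTTP/1.0\r\n\r\n", b"HTTP/1.0 200 OK\r\n\r\nhi"
    client, client_side = socket.socketpair()
    server_side, server = socket.socketpair()
    result = {}
    t = threading.Thread(target=lambda: result.update(n=relay(client_side, server_side)))
    t.start()
    client.sendall(request)
    client.shutdown(socket.SHUT_WR)
    seen = read_until_eof(server)
    server.sendall(response)
    server.close()
    got = read_until_eof(client)
    client.close()
    t.join(5)
    return seen, got, result["n"]


def serve(port=8080):
    """Accept loop: for a TPROXY-diverted connection getsockname() is the
    original destination, not the listener's 0.0.0.0:port."""
    listener = open_listener(port)
    while True:
        conn, client_addr = listener.accept()
        original_dst = conn.getsockname()
        try:
            upstream = connect_as_client(client_addr, original_dst)
        except OSError as e:
            print("upstream %s failed: %s" % (original_dst, e), file=sys.stderr)
            conn.close()
            continue
        threading.Thread(target=relay, args=(conn, upstream), daemon=True).start()


if __name__ == "__main__":
    print("relay loopback check:", loopback_check())
    if transparent_supported():
        serve()
    else:
        print("IP_TRANSPARENT not permitted; run as root / CAP_NET_ADMIN", file=sys.stderr)
```

The `-m socket -j DIVERT` rule in the quoted ruleset is what keeps the later packets of both legs of such a connection flowing to these sockets once they exist; the TPROXY rule only has to catch the first SYN.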
