[tproxy] Fwd: Tproxy changes for performing dual NAT

Tóth László Attila panther at elte.hu
Tue Oct 30 10:54:32 CET 2007


On 2007.10.30., at 10:29, Arun S wrote:

> That is fine. Since IP_TRANSPARENT lets the program to bind to any IP
> address, the application can be made to use any IP address as the
> source.
> But let us assume the following scenario:
> there are two outgoing WAN interfaces: eth0 and eth1.
> 1. Outgoing Traffic from eth0 should not be SNAT-ted.
> 2. Outgoing traffic from eth1 should be SNAT-ted.
> All WWW traffic gets marked, hits TPROXY redirect rule, and goes to
> TPROXY server.
> Case 1 is fine for TPROXY traffic and other traffic.
> But in Case 2, when SNAT happens, three-way handshake between TPROXY
> server and Web server is not successful. This issue is only with the
> Web traffic that is originated from TPROXY server (i.e., the server
> with IP_TRANSPARENT option set).
> Observation:
> 1. TPROXY server sends SYN packet with foreign source IP to WWW server
> 2. WWW server sends SYN-ACK to TPROXY server.
> 3. TPROXY server is not sending ACK to WWW server that leads to a
> half-open connection.

Ah, I see. I had the same problem when I used the other version of  

In the other version I missed to check a condition (which is not  
important now),  also the incoming tproxied packets didn't arrive to  
the socket that is specified by the TPROXY target. In this case the  
problem is similar to this one. The routing decision happens  
somewhere near the PREROUTING hook (I'd say at the end of the chain  
which may be modified by rules in this chain). First the mangle table  
is checked then the nat table, in both of them the PREROUTING chains,  
then the packet can go to the FORWARD or the INPUT chain if it is not  
dropped previously, depending on the routing decision. The latter one  
fails somehow. This is not a real problem in this case because it can  
be made in an other way.

The "workaround" may be this one:

-   spoof.sin_addr.s_addr = client.sin_addr.s_addr;
+  spoof.sin_addr.s_addr = inet_addr ("");

Hm, did you set the INPUT policy to ACCEPT  the incoming connections?  
I ask it beacuse  you didn't send the output of iptables -L.

For instance the following is enough:
(iptables -F)
iptables -P INPUT DROP
iptables -A INPUT -m mark --fwmark 1 -j ACCEPT

More information about the tproxy mailing list