[tproxy] Fwd: Tproxy changes for performing dual NAT
Tóth László Attila
panther at elte.hu
Tue Oct 30 10:54:32 CET 2007
On 2007.10.30., at 10:29, Arun S wrote:
> That is fine. Since IP_TRANSPARENT lets the program to bind to any IP
> address, the application can be made to use any IP address as the
> But let us assume the following scenario:
> there are two outgoing WAN interfaces: eth0 and eth1.
> 1. Outgoing Traffic from eth0 should not be SNAT-ted.
> 2. Outgoing traffic from eth1 should be SNAT-ted.
> All WWW traffic gets marked, hits TPROXY redirect rule, and goes to
> TPROXY server.
> Case 1 is fine for TPROXY traffic and other traffic.
> But in Case 2, when SNAT happens, three-way handshake between TPROXY
> server and Web server is not successful. This issue is only with the
> Web traffic that is originated from TPROXY server (i.e., the server
> with IP_TRANSPARENT option set).
> 1. TPROXY server sends SYN packet with foreign source IP to WWW server
> 2. WWW server sends SYN-ACK to TPROXY server.
> 3. TPROXY server is not sending ACK to WWW server that leads to a
> half-open connection.
Ah, I see. I had the same problem when I used the other version of
In the other version I missed to check a condition (which is not
important now), also the incoming tproxied packets didn't arrive to
the socket that is specified by the TPROXY target. In this case the
problem is similar to this one. The routing decision happens
somewhere near the PREROUTING hook (I'd say at the end of the chain
which may be modified by rules in this chain). First the mangle table
is checked then the nat table, in both of them the PREROUTING chains,
then the packet can go to the FORWARD or the INPUT chain if it is not
dropped previously, depending on the routing decision. The latter one
fails somehow. This is not a real problem in this case because it can
be made in an other way.
The "workaround" may be this one:
- spoof.sin_addr.s_addr = client.sin_addr.s_addr;
+ spoof.sin_addr.s_addr = inet_addr ("188.8.131.52");
Hm, did you set the INPUT policy to ACCEPT the incoming connections?
I ask it beacuse you didn't send the output of iptables -L.
For instance the following is enough:
iptables -P INPUT DROP
iptables -A INPUT -m mark --fwmark 1 -j ACCEPT
More information about the tproxy