[tproxy] socket match can't work with DNAT rules
Dong Wei
dong_wei at cpsecure.com
Wed Dec 3 14:55:36 CET 2008
Hi, all
I use the latest tproxy kernel.But I find that, tproxy can't work
with DNAT mode.
network topology:
Web Server(192.168.1.10)----(192.168.1.1)TPROXY
Server(202.0.0.1)---(202.0.0.10)Client
For TPROXY Server
eth0 192.168.1.1
eth1 202.0.0.1
When Client visit TPROXY Server(202.0.0.1) 80 port, we will redirect
it to Web Server.
There is a DNAT rule for it.
iptables -t nat -i eth1 -d 202.0.0.1 -p tcp --dport 80 -j DNAT
--to-destination 192.168.1.10
tproxy APP listen on port 50080, and the TPROXY target also set
--on-port 50080 for HTTP.
Here is the problem:
1. Client send SYN to 202.0.0.1:80
2. TPROXY Server receive it, and TPROXY target will redirect this packet
to the socket which is listening on port 50080
3. TPROXY Server send SYN,ACK to the Client
4. Client receive SYN,ACK and send ACK
5. TPROXY Server receive ACK, TPROXY target will redirect this packet to the
socket listening on port 50080
6. With DNAT rule, the established socket is 202.0.0.10:port -> 192.168.1.10:80
7. Client send "GET " request to TPROXY Server
8. socket match find this packet doesn't match any socket. For its
sip, sport, dip,dport
is 202.0.0.10:port -> 202.0.0.1:80, while the established socket is
202.0.0.10:port -> 192.168.1.10:80
So in this case, match can't work correctly for DNAT rules. Anyone has
good ideas?
Thanks in advance!
--
Thanks
BR. Wei Dong
More information about the tproxy
mailing list