[tproxy] socket match can't work with DNAT rules
dong_wei at cpsecure.com
Wed Dec 3 14:55:36 CET 2008
I use the latest tproxy kernel.But I find that, tproxy can't work
with DNAT mode.
For TPROXY Server
When Client visit TPROXY Server(184.108.40.206) 80 port, we will redirect
it to Web Server.
There is a DNAT rule for it.
iptables -t nat -i eth1 -d 220.127.116.11 -p tcp --dport 80 -j DNAT
tproxy APP listen on port 50080, and the TPROXY target also set
--on-port 50080 for HTTP.
Here is the problem:
1. Client send SYN to 18.104.22.168:80
2. TPROXY Server receive it, and TPROXY target will redirect this packet
to the socket which is listening on port 50080
3. TPROXY Server send SYN,ACK to the Client
4. Client receive SYN,ACK and send ACK
5. TPROXY Server receive ACK, TPROXY target will redirect this packet to the
socket listening on port 50080
6. With DNAT rule, the established socket is 22.214.171.124:port -> 192.168.1.10:80
7. Client send "GET " request to TPROXY Server
8. socket match find this packet doesn't match any socket. For its
sip, sport, dip,dport
is 126.96.36.199:port -> 188.8.131.52:80, while the established socket is
184.108.40.206:port -> 192.168.1.10:80
So in this case, match can't work correctly for DNAT rules. Anyone has
Thanks in advance!
BR. Wei Dong
More information about the tproxy