[tproxy] socket match can't work with DNAT rules

Dong Wei dong_wei at cpsecure.com
Wed Dec 3 14:55:36 CET 2008


Hi, all

   I use the latest tproxy kernel.But I find that, tproxy can't work
with DNAT mode.

network topology:

Web Server(192.168.1.10)----(192.168.1.1)TPROXY
Server(202.0.0.1)---(202.0.0.10)Client

For TPROXY Server
eth0 192.168.1.1
eth1 202.0.0.1
When Client visit TPROXY Server(202.0.0.1) 80 port, we will redirect
it to Web Server.
There is a DNAT rule for it.

iptables -t nat -i eth1 -d 202.0.0.1 -p tcp --dport 80 -j DNAT
--to-destination 192.168.1.10

tproxy APP listen on port 50080, and the TPROXY target also set
--on-port 50080 for HTTP.
Here is the problem:
1. Client send SYN to 202.0.0.1:80
2. TPROXY Server receive it, and TPROXY target will redirect this packet
   to the socket which is listening on port 50080
3. TPROXY Server send SYN,ACK to the Client
4. Client receive SYN,ACK and send ACK
5. TPROXY Server receive ACK, TPROXY target will redirect this packet to the
   socket listening on port 50080
6. With DNAT rule, the established socket is 202.0.0.10:port -> 192.168.1.10:80
7. Client send "GET " request to TPROXY Server
8. socket match find this packet doesn't match any socket. For its
sip, sport, dip,dport
   is 202.0.0.10:port -> 202.0.0.1:80, while the established socket is
  202.0.0.10:port -> 192.168.1.10:80

So in this case, match can't work correctly for DNAT rules. Anyone has
good ideas?

Thanks in advance!

-- 
Thanks
BR. Wei Dong


More information about the tproxy mailing list