[tproxy] socket match can't work with DNAT rules

Dong Wei dong_wei at cpsecure.com
Wed Dec 3 14:55:36 CET 2008

Hi, all

   I use the latest tproxy kernel. But I find that tproxy can't work
with DNAT mode.

network topology:

Web Server(

For TPROXY Server
When a client visits TPROXY Server( port 80, we will redirect
it to Web Server.
There is a DNAT rule for it.

iptables -t nat -i eth1 -d -p tcp --dport 80 -j DNAT

The tproxy APP listens on port 50080, and the TPROXY target is also set with
--on-port 50080 for HTTP.
Here is the problem:
1. Client sends SYN to
2. TPROXY Server receives it, and the TPROXY target redirects this packet
   to the socket which is listening on port 50080
3. TPROXY Server sends SYN,ACK to the Client
4. Client receives SYN,ACK and sends ACK
5. TPROXY Server receives ACK; the TPROXY target redirects this packet to the
   socket listening on port 50080
6. With the DNAT rule, the established socket is ->
7. Client sends a "GET " request to TPROXY Server
8. socket match finds that this packet doesn't match any socket, because its
   sip, sport, dip, dport are ->, while the established socket is ->

So in this case, socket match can't work correctly with DNAT rules. Does anyone
have good ideas?

Thanks in advance!

BR. Wei Dong
