[tproxy] socket match can't work with DNAT rules

Arun Srinivasan hi2arun at gmail.com
Tue Dec 16 06:16:19 CET 2008


Hi,

Balazs comment 1:
"You cannot use DNAT and tproxy on the same connection. What do you want
to achieve?"

This is a common scenario. Say you have an intermediate compression
agent/tunneling agent between the tproxy server and the web server as shown
below:

Client <--------> tproxy server <---------> compression/tunneling agent1
<=============> compression/tunneling agent2 <------------------> web server

In this case, the output from the tproxy server has to be DNATted or policy
routed to the compression/tunneling agent. Policy routing is possible if the
compression/tunneling agent lies outside the box. In case, if it runs as
another process along with the tproxy server, DNAT is the only option,
AFAIK.

Balazs comment 2:
"If you want to change the target address of the server side connection,
why don't you DNAT the server connection? That should work."

Not able to understand what you exactly mean by "DNAT the server
connection".

If my understanding is correct, Tproxy association is only for the socket
created between client and the tproxy server. If that is the case, why does
socket match failure happen for the socket created between tproxy server and
DNAT server?

Regards,
Arun S.


2008/12/3 Balazs Scheidler <bazsi at balabit.hu>

> On Wed, 2008-12-03 at 21:55 +0800, Dong Wei wrote:
> > Hi, all
> >
> >    I use the latest tproxy kernel.But I find that, tproxy can't work
> > with DNAT mode.
> >
> > network topology:
> >
> > Web Server(192.168.1.10)----(192.168.1.1)TPROXY
> > Server(202.0.0.1)---(202.0.0.10)Client
> >
> > For TPROXY Server
> > eth0 192.168.1.1
> > eth1 202.0.0.1
> > When Client visit TPROXY Server(202.0.0.1) 80 port, we will redirect
> > it to Web Server.
> > There is a DNAT rule for it.
> >
> > iptables -t nat -i eth1 -d 202.0.0.1 -p tcp --dport 80 -j DNAT
> > --to-destination 192.168.1.10
> >
> > tproxy APP listen on port 50080, and the TPROXY target also set
> > --on-port 50080 for HTTP.
> > Here is the problem:
> > 1. Client send SYN to 202.0.0.1:80
> > 2. TPROXY Server receive it, and TPROXY target will redirect this packet
> >    to the socket which is listening on port 50080
> > 3. TPROXY Server send SYN,ACK to the Client
> > 4. Client receive SYN,ACK and send ACK
> > 5. TPROXY Server receive ACK, TPROXY target will redirect this packet to
> the
> >    socket listening on port 50080
> > 6. With DNAT rule, the established socket is 202.0.0.10:port ->
> 192.168.1.10:80
> > 7. Client send "GET " request to TPROXY Server
> > 8. socket match find this packet doesn't match any socket. For its
> > sip, sport, dip,dport
> >    is 202.0.0.10:port -> 202.0.0.1:80, while the established socket is
> >   202.0.0.10:port -> 192.168.1.10:80
> >
> > So in this case, match can't work correctly for DNAT rules. Anyone has
> > good ideas?
>
> You cannot use DNAT and tproxy on the same connection. What do you want
> to achieve?
>
> If you want to change the target address of the server side connection,
> why don't you DNAT the server connection? That should work.
>
> --
> Bazsi
>
>
> _______________________________________________
> tproxy mailing list
> tproxy at lists.balabit.hu
> https://lists.balabit.hu/mailman/listinfo/tproxy
>



-- 
Regards,
Arun S.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.balabit.hu/pipermail/tproxy/attachments/20081216/9204b5f4/attachment.htm 


More information about the tproxy mailing list