[tproxy] socket match can't work with DNAT rules
bazsi at balabit.hu
Wed Dec 17 22:24:27 CET 2008
On Tue, 2008-12-16 at 20:24 +0530, Arun Srinivasan wrote:
> With the tproxy server as given in my scenario, I have a lot of
> 1. The high-end caching (tproxy) server can offer thro'put advantages.
> 2. Original IP of the clients can be retained thro' tproxy support
> 3. Another IP based traffic identification/metering mechanism can sit
> between comp/tunneling-agent2 and the web server and monitor the
> whereas in the conventional scenario suggested by you, point # 2 and #
> 3 would fail.
> Tproxy4 socket is not a secure tunnel like that of IPSec to prevent
> DNATs from happening.
> IMHO, I feel that the tproxy-local DNAT issue is a kind of restriction
> in the name of a new feature.
true enough, older tproxies did support local OUTPUT rules, but the new
it might be possible to support it though with tproxy 4.1 (aka the
version of tproxy in linux 2.6.28):
* TPROXY rules live in the mangle table
* tproxy 4.1 diverts traffic using marks (e.g. it attaches a given mark,
and then your routing rules divert these packets to the local IP stack)
* you can possibly use the TPROXY target even in mangle/OUTPUT
* it might be possible to change the "socket" match in order to look up
the local socket based on the source address instead of the destination
address (it does not support this at the moment), or use an alternative
match to have a grab on the tproxied traffic
* the once you have a matching rule, you need to attach the same mark
used by the TPROXY rule, which will trigger the same policy routing
so technically it should be possible, however I don't really have time
to do that right now. I'd be willing to help you, if you are willing to
> 2008/12/16 Balazs Scheidler <bazsi at balabit.hu>
> On Tue, 2008-12-16 at 10:46 +0530, Arun Srinivasan wrote:
> > Hi,
> > Balazs comment 1:
> > "You cannot use DNAT and tproxy on the same connection. What
> do you
> > want
> > to achieve?"
> > This is a common scenario. Say you have an intermediate
> > agent/tunneling agent between the tproxy server and the web
> server as
> > shown below:
> > Client <--------> tproxy server <--------->
> > agent1 <=============> compression/tunneling agent2
> > <------------------> web server
> > In this case, the output from the tproxy server has to be
> DNATted or
> > policy routed to the compression/tunneling agent. Policy
> routing is
> > possible if the compression/tunneling agent lies outside the
> box. In
> > case, if it runs as another process along with the tproxy
> server, DNAT
> > is the only option, AFAIK.
> > Balazs comment 2:
> > "If you want to change the target address of the server side
> > connection,
> > why don't you DNAT the server connection? That should work."
> > Not able to understand what you exactly mean by "DNAT the
> > connection".
> > If my understanding is correct, Tproxy association is only
> for the
> > socket created between client and the tproxy server. If that
> is the
> > case, why does socket match failure happen for the socket
> > between tproxy server and DNAT server?
> No, tproxy _may_ operate for both the client->tproxy and the
> tproxy->server connections, not just between client & tproxy.
> However, you're right that tproxy does not support redirecting
> traffic if the upstream for tproxy is running on the same box,
> reason is simple, tproxy also uses routing to direct traffic
> to a local
> process, and it is not currently possible to divert outgoing
> back to the input interface. but never mind.
> So in the scenario above, what is the added value of using
> instead of plain, simple NAT.
> client -> REDIRECT in nat/PREROUTING -> proxy1 -> DNAT in
> nat/OUTPUT ->
> compression/tunneling agent1 <-> compression/tunneling agent2
> the added value of tproxy over using NAT is increased
> performance (no
> NAT is required) and solving the problems related to the
> conntrack table
> and local IP stack state to get out of sync.
> Arun S.
More information about the tproxy