[tproxy] tproxy 4.1.0 and kernel 2.6.24

Ming-Ching Tiew mingching.tiew at redtone.com
Sat Feb 2 22:03:21 CET 2008

tproxy 4.1.0 on kernel 2.6.24 is not working, and I haven't tested any other
kernel version :-

1. Failed to compile.

    I fixed the compilation problem by taking two of the patches from
    2.6.25 and applying them to 2.6.24, namely the netfilter_ip_route_me_harder
    patch and

2. A socket in IP_TRANSPARENT mode failed to receive return packets, both in
    bridge mode and in nat mode.

   According to the docs, I have executed this script :-

           iptables -t mangle -F
           iptables -t mangle -N DIVERT
           iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
           iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY \
                 --tproxy-mark 0x1/0x1 --on-port 3128
           iptables -t mangle -A DIVERT -j MARK --set-mark 1
           iptables -t mangle -A DIVERT -j ACCEPT

   They were executed without any error.

3. In the bridge mode case, when I execute a simple 'ip spoofing' program
    (which I posted here previously, but I changed IP_FREEBIND to
    IP_TRANSPARENT), the packets appear in the DIVERT target and the TPROXY
    target, but they are delivered to the machine whose IP has been spoofed
    (by rights they are supposed to be delivered locally to the spoofing
    program).

4. In the nat mode, packets leaving the interface are SNAT-ed, so there are
    reply packets; however, the local socket program is not receiving them
    either. The packets do not hit the DIVERT and TPROXY targets at all, i.e.
    the iptables counters return 0 bytes.

5. When I execute ebtables commands on the br0 interface, there is a kernel
    panic. Example of a command which can cause the panic :-

                 ebtables -t broute -A BROUTING --logical-in br0 -p ipv4 \
                    --ip-protocol tcp --ip-destination-port 80 \
                    -j redirect --redirect-target ACCEPT

