[tproxy] tproxy 4.1.0 and kernel 2.6.24
mingching.tiew at redtone.com
Sat Feb 2 22:03:21 CET 2008
tproxy 4.1.0 on kernel 2.6.24 is not working and I haven't tested any
1. Failed to compile.
I fixed the compilation problem by taking two of the patches from
2.6.25 and apply
them onto 2.6.24, namely netfilter_ip_route_me_harder patch and
2. socket in IP_TRANSPARENT mode failed to received return packets both in
bridge mode and nat mode.
According to the docs, I have executed this script :-
iptables -t mangle -F
iptables -t mangle -N DIVERT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY \
--tproxy-mark 0x1/0x1 -on-port 3128
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT
They were executed without any error.
3. In the bridge mode case, when I execute a simple 'ip spoofing'
program ( which I posted
here previously, but I changed IP_FREEBIND to IP_TRANSPARENT ),
appearing in the DIVERT target and the TPROXY target, but they are
the machined which IP has been spoofed ( by right they are supposed
to be delivered
locally to the spoofing program ).
4. In the nat mode, packets leaving the interface SNAT-ed and so there
packets however the local socket program is not receiving either.
Packets do not
hit the DIVERT and TPROXY targets at all, ie the iptables counter
return 0 bytes.
5. When I execute ebtables commands on the br0 interface, there will be
Example of the commands which can cause panic :-
ebtables -t broute -A BROUTING --logical-in br0 -p
ipv4 --ip-protocol tcp \
--ip-destination-port 80 -j redirect
This electronic communication (including any attached files) may contain confidential and/or legally privileged information and is only intended for the use of the person to whom it is addressed. If you are not the intended recipient, you do not have permission to read, use, disseminate, distribute, copy or retain any part of this communication or its attachments in any form. If this e-mail was sent to you by mistake, please take the time to notify the sender so that they can identify the problem and avoid any more mistakes in sending e-mail to you. The unauthorised use of information contained in this communication or its attachments may result in legal action against any person who uses it.
More information about the tproxy