[tproxy] tproxy 4.1.0 and kernel 2.6.24
Laszlo Attila Toth
panther at balabit.hu
Mon Feb 4 15:09:42 CET 2008
Hi,
Ming-Ching Tiew wrote:
> tproxy 4.1.0 on kernel 2.6.24 is not working and I haven't tested any
> other kernel
> version :-
>
> Issues
> ======
> 1. Failed to compile.
>
> I fixed the compilation problem by taking two of the patches from
> 2.6.25 and apply
> them onto 2.6.24, namely netfilter_ip_route_me_harder patch and
> inet_sock_and_route_dependency.patch.
AFAIK the older version is for 2.6.23 (from October), the newer one for
net-2.6 (originally net-2.6.25); 2.6.24 is not explicitly supported.
> 2. socket in IP_TRANSPARENT mode failed to receive return packets both in
> bridge mode and nat mode.
>
> According to the docs, I have executed this script :-
>
> iptables -t mangle -F
> iptables -t mangle -N DIVERT
> iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
> iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY \
> --tproxy-mark 0x1/0x1 --on-port 3128
> iptables -t mangle -A DIVERT -j MARK --set-mark 1
> iptables -t mangle -A DIVERT -j ACCEPT
>
> They were executed without any error.
>
You may have missed setting up the routing:
ip rule add fwmark 1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100
It is required for tproxy.
> 3. In the bridge mode case, when I execute a simple 'ip spoofing'
> program (which I posted here previously, but I changed IP_FREEBIND to
> IP_TRANSPARENT), the packets appear in the DIVERT target and the TPROXY
> target, but they are delivered to the machine whose IP has been spoofed
> (by right they are supposed to be delivered locally to the spoofing
> program).
Does this occur when you use advanced routing?
>
> 4. In the nat mode, packets leave the interface SNAT-ed and so there are
> reply packets; however, the local socket program is not receiving them
> either. Packets do not hit the DIVERT and TPROXY targets at all, i.e. the
> iptables counters return 0 bytes.
>
We know this issue, we are going to fix this as soon as we find a good
solution.
> 5. When I execute ebtables commands on the br0 interface, there will be
> kernel panic.
I'm afraid I'm not familiar with ebtables.
--
Panther
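The complete setup discussed in this exchange, as an added example that is not part of the original thread or of the tproxy project itself: the mangle rules from the post (with the corrected --on-port spelling) together with the fwmark rule and the local route from the reply, plus a check that the routing pieces are actually in place. Port 3128, mark 1 and table 100 are the values used in the thread; the TPROXY_* variable names, the run/tproxy_setup/tproxy_check function names and the dry-run switch are assumptions made for this script.

```shell
#!/bin/sh
# Added example, not code from the original thread or the tproxy project.
# Redirect incoming TCP port 80 to a local transparent proxy on port 3128.
# Run as root to apply ("apply" argument); with TPROXY_DRY_RUN=1 set, or the
# "dry-run" argument, the commands are only printed.
#
# Values from the thread: port 3128, mark 1, routing table 100.
# Variable and function names are assumptions for this script.

TPROXY_PORT=${TPROXY_PORT:-3128}
TPROXY_MARK=${TPROXY_MARK:-1}
TPROXY_TABLE=${TPROXY_TABLE:-100}

# Execute a command, or just print it when TPROXY_DRY_RUN is set.
run() {
    if [ -n "${TPROXY_DRY_RUN:-}" ]; then
        echo "$*"
    else
        "$@"
    fi
}

tproxy_setup() {
    # 1. mangle rules (the part already in the post):
    #    - packets that belong to an existing local socket are sent to
    #      DIVERT, which marks them so the routing below delivers them locally;
    #    - new port-80 flows are marked and redirected by the TPROXY target.
    run iptables -t mangle -F
    run iptables -t mangle -X DIVERT 2>/dev/null || true   # ignore "no such chain"
    run iptables -t mangle -N DIVERT
    run iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
    run iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY \
        --tproxy-mark "${TPROXY_MARK}/${TPROXY_MARK}" --on-port "$TPROXY_PORT"
    run iptables -t mangle -A DIVERT -j MARK --set-mark "$TPROXY_MARK"
    run iptables -t mangle -A DIVERT -j ACCEPT

    # 2. policy routing (the part the post was missing): marked packets are
    #    looked up in table 100, where every destination is a local route, so
    #    the kernel hands them to the local socket instead of forwarding them.
    #    Without these two lines the TPROXY counters increase but the
    #    IP_TRANSPARENT socket never sees the packets.
    run ip rule add fwmark "$TPROXY_MARK" lookup "$TPROXY_TABLE"
    run ip route add local 0.0.0.0/0 dev lo table "$TPROXY_TABLE"
}

# Verify the live configuration. Returns non-zero if any piece is missing.
tproxy_check() {
    # ip prints the fwmark in hex, e.g. "from all fwmark 0x1 lookup 100"
    ip rule show | grep -q "fwmark 0x$(printf '%x' "$TPROXY_MARK") .*lookup ${TPROXY_TABLE}" || return 1
    # table 100 should contain "local default dev lo ..."
    ip route show table "$TPROXY_TABLE" | grep -q '^local default dev lo' || return 1
    iptables -t mangle -L PREROUTING -v -n | grep -q TPROXY || return 1
}

case "${1:-}" in
    apply)   tproxy_setup && tproxy_check ;;
    dry-run) TPROXY_DRY_RUN=1; tproxy_setup ;;
esac
```

Running `sh tproxy.sh dry-run` prints the commands without touching the system; `sh tproxy.sh apply` as root installs them and then runs tproxy_check, whose exit status tells you whether the routing the reply asks for is really there. The ip rule and ip route lines are not idempotent: applying twice adds a duplicate rule, so delete the old ones (ip rule del / ip route flush table 100) before re-running on a machine that already has them.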