[tproxy] tproxy 4.1.0 and FWMARK

Laszlo Attila Toth panther at balabit.hu
Tue Feb 19 09:59:39 CET 2008 

Hello,

Ming-Ching Tiew wrote:
> OK I could confirm that the SNAT patch provided seems to work for me.
> 
> I have more questions on tproxy 4.1.0 and FWMARK :-
> 
>>            iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY \
>>                  --tproxy-mark 0x1/0x1 -on-port 3128
>>            iptables -t mangle -N DIVERT
>>            iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
>>            iptables -t mangle -A DIVERT -j MARK --set-mark 1
>>            iptables -t mangle -A DIVERT -j ACCEPT
>>
>>            ip rule add fwmark 1 lookup 100
>>            ip route add local 0.0.0.0/0 dev lo table 100
> 
> If I have to do split access on outgoing traffic into multiple interfaces,
> I would already have use FWMARK in one way or other.
> 
> For example, for split outgoing access, I would have already mark 
> traffic going out to eth0 with FWMARK 5, and traffic going out to 
> eth1 with FWMARK 7. And I would already have these rules :-
> 
>       ip rule add fwmark 5 lookup 120
>       ip rule add fwmark 7 lookup 130
> 
> ( And table 120 will default route to gateway belonging to 
> interface 1 and table 130 will default route to gateway belonging
> to interface 2 ).
> 
> So how could I incorporate the tproxy mark into my existing use of
> FWMARK ?
> 


The mark is a uint32 value also the last bit may belong to tproxy,
everything else could be used for routing and so on. Also in your case
the routing requires even marks:

   ip rule add fwmark 4/0xfffffffe lookup 120
   ip rule add fwmark 6/0xfffffffe lookup 130


The following clears the last bit of the fwmark  (because the mask is
"0x1") and sets the last bit to 1 (the value is "0x1")

   iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY \
                  --tproxy-mark 0x1/0x1 -on-port 3128


   iptables -t mangle -N DIVERT
   iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT

Sets the last bit only

   iptables -t mangle -A DIVERT -j MARK --set-mark 1/1
   iptables -t mangle -A DIVERT -j ACCEPT

Tproxy related rules
   ip rule add fwmark 1/1 lookup 100
   ip route add local 0.0.0.0/0 dev lo table 100


TProxy uses advanced routing for the incoming packets, your rules use it 
for the outgoing packets, also they are not the same.

HTH

-- 
Panther

More information about the tproxy mailing list