[tproxy] problem with tproxy and iptables

nantenaina Tianarivo rivo at gulfsat.mg
Wed Feb 20 11:11:40 CET 2008

Hello everybody,

I am trying to make tproxy work with our squid, but I have a problem with
the iptables rule that redirects traffic to squid.
I have compiled a Linux kernel patched with
tproxy-4.0.3-2.6.22 and iptables 1.3.8. For squid, I'm using Version
I think my kernel is well compiled because I see all the tproxy modules
loaded:

proxy:/usr/src/linux# lsmod | grep -i proxy
xt_tproxy               1984  0 
xt_TPROXY               1984  1 
iptable_tproxy          6468  2 xt_TPROXY
ip_tables              12420  2 iptable_filter,iptable_tproxy
x_tables               14564  5

My iptables rule is like this:

iptables -t tproxy -A PREROUTING -p tcp -m tcp -i gre1 --dport 80 -j TPROXY --on-port 80

When I check with tcpdump, I see traffic for the http port on gre1:

proxy:/usr/src/linux# tcpdump -n -i gre1
tcpdump: WARNING: arptype 778 not supported by libpcap - falling back to
cooked socket
tcpdump: verbose output suppressed, use -v or -vv for full protocol
listening on gre1, link-type LINUX_SLL (Linux cooked), capture size 96
13:10:51.437856 IP > . ack 3247536657
win 2264 <nop,nop,timestamp 24199037 1582152>
13:10:51.492666 IP > . ack 3204902926
win 3604 <nop,nop,timestamp 24199051 1582156>
13:10:51.523999 IP > . ack 3189913679
win 16022 <nop,nop,timestamp 24199058 1582173>

When I check the access.log of my squid, my requests are actually sent
to the squid.

But it is not the client IP which is sent to the Internet, but the squid
box IP.

When I issue the iptables-save -c command to check whether any traffic
enters my iptables rule, the counters show zero traffic.

proxy:/usr/src/linux# iptables-save -t tproxy -c
# Generated by iptables-save v1.3.8 on Wed Feb 20 13:07:45 2008
[0:0] -A PREROUTING -i gre1 -p tcp -m tcp --dport 80 -j LOG 
[0:0] -A PREROUTING -i gre1 -p tcp -m tcp --dport 80 -j TPROXY --on-port 80 --on-ip 

Even the LOG target doesn't tell me anything about traffic on the gre1 interface.

What I see in the log is this error that appears from time to time:

Feb 20 13:08:31 proxy squid[2353]: parseHttpRequest: NF getsockopt(SO_ORIGINAL_DST) failed: (92) Protocol not available 
Feb 20 13:08:31 proxy squid[2353]: tproxy ip=,0x11f0383e,port=0 ERROR ASSIGN 

Can anyone tell me why my iptables don't redirect the traffic to the

Best Regards

Nantenaina Tianarivo
Sys Admin Blueline
Today is what happened to yesterday.
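The diagnostic step in the post, reading `iptables-save -c` counters to see whether a rule ever matched, can be automated. This is an added example, not code from the post or from the tproxy project; the sample output below is constructed to mirror the shape of the poster's tproxy table, with a placeholder `--on-ip` address, and it distinguishes "the chain saw traffic but the rule's match criteria never fired" from "nothing reached this chain at all".

```python
import re
from dataclasses import dataclass

# Constructed sample in the format of `iptables-save -t tproxy -c`
# (192.0.2.1 is a documentation placeholder, not a real proxy address).
SAMPLE = """\
# Generated by iptables-save v1.3.8 on Wed Feb 20 13:07:45 2008
*tproxy
:PREROUTING ACCEPT [1234:567890]
:OUTPUT ACCEPT [0:0]
[0:0] -A PREROUTING -i gre1 -p tcp -m tcp --dport 80 -j LOG
[0:0] -A PREROUTING -i gre1 -p tcp -m tcp --dport 80 -j TPROXY --on-port 80 --on-ip 192.0.2.1
[57:4104] -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j TPROXY --on-port 80 --on-ip 192.0.2.1
COMMIT
"""

RULE_RE = re.compile(r"^\[(\d+):(\d+)\] -A (\S+) (.*)$")      # [pkts:bytes] -A CHAIN spec
CHAIN_RE = re.compile(r"^:(\S+) (\S+) \[(\d+):(\d+)\]$")       # :CHAIN POLICY [pkts:bytes]

@dataclass
class Rule:
    table: str
    chain: str
    packets: int
    bytes: int
    spec: str

def parse_counters(text):
    """Return one Rule per counted rule line, tagged with the table it belongs to."""
    table, rules = None, []
    for line in text.splitlines():
        if line.startswith("*"):
            table = line[1:].strip()
        elif (m := RULE_RE.match(line)):
            pkts, byts, chain, spec = m.groups()
            rules.append(Rule(table, chain, int(pkts), int(byts), spec))
    return rules

def chain_policy_packets(text):
    """Map chain name -> packets that fell through to the chain policy (matched no rule)."""
    return {m.group(1): int(m.group(3)) for m in map(CHAIN_RE.match, text.splitlines()) if m}

def diagnose(text):
    """For every rule with a zero packet counter, say whether the chain saw traffic at all."""
    policy, findings = chain_policy_packets(text), []
    for r in parse_counters(text):
        if r.packets:
            continue
        if policy.get(r.chain, 0) > 0:
            findings.append(f"{r.table}/{r.chain}: '{r.spec}' never matched, yet "
                            f"{policy[r.chain]} packets reached the chain policy: check -i/--dport")
        else:
            findings.append(f"{r.table}/{r.chain}: '{r.spec}' never matched and the chain saw no traffic")
    return findings
```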
