[tproxy] problem with tproxy and iptables

Laszlo Attila Toth panther at balabit.hu
Thu Feb 21 15:05:26 CET 2008


Hi,

nantenaina Tianarivo wrote:
> I have already tried to load the tproxy table with the tproxy_any 
> parameter as you describe because I have seen this in the archive but it 
> didn't solve the problem
> 

Strange. It works for me with netcat:

On 192.168.10.1 as in 4.0.3's README:
   echo 1 >/proc/sys/net/ipv4/ip_nonlocal_bind
   modprobe iptable_tproxy tproxy_any=1

   nc -s 192.168.4.7 -p 55  192.168.10.2 678

On 192.168.10.2:

   ip route add 192.168.4.0/24 via 192.168.10.1
   nc -lp 678

The TCP connection is established and data arrive to the other side as 
expected.



> 
> On mer, 2008-02-20 at 11:45 +0100, Laszlo Attila Toth wrote:
>> Hello,
>>
>> nantenaina Tianarivo írta:
>> > Hello everybody,
>> > 
>> > I am tring to make tproxy work with our squid but I have a problem with 
>> > the iptable to redirect traffic to squid now.
>> > I have compiled a linux kernel 2.6.22.18 patched with 
>> > tproxy-4.0.3-2.6.22. and iptable 1.3.8. For squid, i'am using Version 
>> > 2.6.STABLE5.
>> > I think my kernel is well compiled because I see all the tproxy module 
>> > loaded :
>> > 
>> > proxy:/usr/src/linux# lsmod | grep -i proxy
>> > xt_tproxy               1984  0
>> > xt_TPROXY               1984  1
>> > iptable_tproxy          6468  2 xt_TPROXY
>> > ip_tables              12420  2 iptable_filter,iptable_tproxy
>> > x_tables               14564  5 
>> > ipt_LOG,xt_tcpudp,xt_tproxy,xt_TPROXY,ip_tables
>> > 
>> > 
>> > My iptables rules is like this :
>> > 
>> > iptables -t tproxy -A PREROUTING -p tcp -m tcp  -i gre1 --dport 80 -j LOG
>> > iptables -t tproxy -A PREROUTING -p tcp -m tcp  -i gre1 --dport 80 -j 
>> > TPROXY --on-port 80
>> > 
>> > when I check it with tcpdump, I see traffic for http port on the gre1 
>> > interface
>> > 
>> > proxy:/usr/src/linux# tcpdump -n -i gre1
>> > tcpdump: WARNING: arptype 778 not supported by libpcap - falling back to 
>> > cooked socket
>> > tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
>> > listening on gre1, link-type LINUX_SLL (Linux cooked), capture size 96 bytes
>> > 13:10:51.437856 IP 62.56.240.17.3200 > 84.16.80.10.80: . ack 3247536657 
>> > win 2264 <nop,nop,timestamp 24199037 1582152>
>> > 13:10:51.492666 IP 62.56.240.17.3199 > 84.16.80.10.80: . ack 3204902926 
>> > win 3604 <nop,nop,timestamp 24199051 1582156>
>> > 13:10:51.523999 IP 62.56.240.17.3198 > 84.16.80.10.80: . ack 3189913679 
>> > win 16022 <nop,nop,timestamp 24199058 1582173>
>> > 
>> > when I check it on access.log of my squid, my requests are actually sent 
>> > to the squid.
>> > 
>> > But it is not the client ip which is sent to the Internet but the squid 
>> > box IP.
>> > 
>> > when I issue iptables-save -c command to check if there are traffic that 
>> > enter my iptables rule, the counter so zero traffic.
>> > 
>> > proxy:/usr/src/linux# iptables-save -t tproxy -c
>> > # Generated by iptables-save v1.3.8 on Wed Feb 20 13:07:45 2008
>> > *tproxy
>> > :PREROUTING ACCEPT [128:11992]
>> > [0:0] -A PREROUTING -i gre1 -p tcp -m tcp --dport 80 -j LOG
>> > [0:0] -A PREROUTING -i gre1 -p tcp -m tcp --dport 80 -j TPROXY --on-port 
>> > 80 --on-ip 0.0.0.0
>> > COMMIT
>> > 
>> > even the LOG don't tell me anything about traffic in gre1 interfaces.
>> > 
>> > what I see in the log is this error that appear from time to time:
>> > 
>> > Feb 20 13:08:31 proxy squid[2353]: parseHttpRequest: NF 
>> > getsockopt(SO_ORIGINAL_DST) failed: (92) Protocol not available
>> > Feb 20 13:08:31 proxy squid[2353]: tproxy 
>> > ip=62.56.240.17,0x11f0383e,port=0 ERROR ASSIGN
>>
>> It seems you want to use the squid with tproxy patch for tproxyv2 but 
>> you use tproxyv4. They are incompatible. The iptables commands are the 
>> same but the tproxy4 kernel code is different.
>>
>> When the squid uses tproxy-specific commands, there should be only one 
>> clall: set the socket option IP_FREEBIND, _or_ load the tproxy table 
>> with the tproxy_any parameter:
>>
>>    modprobe iptable_tproxy tproxy_any=1
>>


-- 
Panther


More information about the tproxy mailing list