[tproxy] Trouble getting server side transparency to work

Ravi Valmikam valmikam at gmail.com
Mon May 19 01:46:31 CEST 2008

I am using the following versions of software:

- Ubuntu 8.04 (Linux 2.6.24-14) Base Kernel
- tproxy-2.6.24-20080509 patch
- iptables 1.4.0 (from netfilter.org website)
- tproxy-iptables-svn-r7519-20080509-165158-1210344718.patch

I am using the following script to set up the tproxy rules.
# Packets marked 1 are looked up in table 100, whose single entry
# delivers everything to the local stack instead of forwarding it.
ip rule add fwmark 1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100   # prefix 0.0.0.0/0 as in the tproxy docs; it was missing above
# Packets that already belong to a local (transparent) socket: mark and accept.
iptables -t mangle -N DIVERT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT
# New connections to port 80: mark them and hand them to the proxy on port 50080.
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY \
    --tproxy-mark 0x1/0x1 --on-port 50080

The host I am using is running as a router with eth0 connected to
internet and eth1 connected to LAN.

I have a small TCP proxy program running on this host. I enabled
IP_TRANSPARENT on both sides (client side and server side). The
client side is working wonderfully fine. It accepts connections from
the client (otherwise destined to the real server), can read and write
packets through the accepted FD.

However, I am having trouble with the server side socket. I
successfully bound the socket to a foreign address (client's IP and
port 0) and initiated a connection to the real server. The TCP SYN is
going out of the box and SYN ACK is coming in. But this SYN ACK does
not make it into the socket layer (or at least my program) and socket
stays in SYN_SENT state until time out.

Can you please help me with this? It feels so close but ...


My iptables output looks like this:

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DIVERT     tcp  --  anywhere             anywhere            socket
TPROXY     tcp  --  anywhere             anywhere            tcp dpt:www TPROXY redirect mark 0x1/0x1

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

Chain DIVERT (1 references)
target     prot opt source               destination
MARK       all  --  anywhere             anywhere            MARK set 0x1
ACCEPT     all  --  anywhere             anywhere

My modules listing looks like this:
xt_tcpudp               4352  1
xt_MARK                 3328  1
xt_multiport            4480  0
xt_socket               4224  1
nf_conntrack           67136  1 xt_socket
xt_TPROXY               3712  1
nf_defrag_ipv4          3456  2 xt_socket,xt_TPROXY
nf_tproxy_core          5376  2 xt_socket,xt_TPROXY,[permanent]
x_tables               16388  6
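The two socket roles the post describes (a transparent listener on the TPROXY --on-port, and a server-side socket bound to the client's address with port 0 before connecting to the real server), written out as an added C example. This is not the poster's program and not part of the original message; it assumes Linux with CAP_NET_ADMIN, the ip rule/route and iptables setup from the post with the proxy on port 50080, and the function names (build_sockaddr, set_transparent, transparent_listener, connect_as_client, pump) are my own.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#ifndef IP_TRANSPARENT
#define IP_TRANSPARENT 19   /* Linux value from <linux/in.h> */
#endif

/* Fill an IPv4 sockaddr; returns 0, or -1 if the address does not parse. */
int build_sockaddr(const char *ip, uint16_t port, struct sockaddr_in *sa)
{
    memset(sa, 0, sizeof *sa);
    sa->sin_family = AF_INET;
    sa->sin_port = htons(port);
    return inet_pton(AF_INET, ip, &sa->sin_addr) == 1 ? 0 : -1;
}

/* Enable IP_TRANSPARENT (needs CAP_NET_ADMIN). Returns 0 or -errno. */
int set_transparent(int fd)
{
    int one = 1;
    return setsockopt(fd, IPPROTO_IP, IP_TRANSPARENT, &one, sizeof one) < 0
               ? -errno : 0;
}

/* Client side: the listener behind "--on-port". It is bound to 0.0.0.0 and
 * must be transparent, or TPROXY cannot steer foreign-destination SYNs to it. */
int transparent_listener(uint16_t port)
{
    struct sockaddr_in sa;
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    build_sockaddr("0.0.0.0", port, &sa);
    if (set_transparent(fd) < 0 || bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0
        || listen(fd, 64) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Server side: a transparent socket bound to the client's address with port 0
 * (the kernel picks the port), connected to the original destination. The SYN
 * leaves with the client's source address; the SYN-ACK only reaches this socket
 * if "-m socket" marks it and table 100 delivers it locally instead of forwarding it. */
int connect_as_client(const struct sockaddr_in *client,
                      const struct sockaddr_in *dest)
{
    struct sockaddr_in src = *client;
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    src.sin_port = 0;
    if (fd < 0) return -1;
    if (set_transparent(fd) < 0 || bind(fd, (struct sockaddr *)&src, sizeof src) < 0
        || connect(fd, (const struct sockaddr *)dest, sizeof *dest) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Copy bytes one way until EOF, then signal EOF to the other end. */
static void pump(int from, int to)
{
    char buf[4096];
    ssize_t n;
    while ((n = read(from, buf, sizeof buf)) > 0 && write(to, buf, (size_t)n) == n)
        ;
    shutdown(to, SHUT_WR);
}

/* Demo loop handling one connection at a time; a real proxy would fork or poll. */
int main(void)
{
    int lfd = transparent_listener(50080);
    if (lfd < 0) {
        perror("listener (root and the TPROXY rules are required)");
        return 1;
    }
    for (;;) {
        struct sockaddr_in client, orig;
        socklen_t cl = sizeof client, ol = sizeof orig;
        int cfd = accept(lfd, (struct sockaddr *)&client, &cl), sfd;
        if (cfd < 0) continue;
        /* Under TPROXY the accepted socket's local address is the client's
         * original destination, so getsockname() recovers it. */
        getsockname(cfd, (struct sockaddr *)&orig, &ol);
        if ((sfd = connect_as_client(&client, &orig)) < 0) {
            perror("server side connect");
            close(cfd);
            continue;
        }
        if (fork() == 0) {              /* child: client -> server */
            pump(cfd, sfd);
            _exit(0);
        }
        pump(sfd, cfd);                 /* parent: server -> client */
        close(sfd); close(cfd);
    }
}
```

Without CAP_NET_ADMIN set_transparent() returns -EPERM and the listener fails; without IP_TRANSPARENT the server-side bind() to the client's address fails with EADDRNOTAVAIL, which is a quick way to confirm the option actually took effect before looking at the packet path.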
