[tproxy] Trouble getting server side transparency to work

Cameron Schaus cam at schaus.ca
Mon May 19 07:34:36 CEST 2008


This is a shot in the dark, but does your server have the correct ARP 
entry for the client?  Unless your proxy is physically inline, the 
server will have the client machine's MAC for the client IP, and not the 
proxy MAC.  Therefore packets will be sent directly to the client, which 
is not what you want.

In the past I have added the client MAC as a static ARP entry on the 
server to work around this issue (for testing).

Cam

Ravi Valmikam wrote:
> I am using the following versions of software:
>
> - Ubuntu 8.04 (Linux 2.6.24-14) Base Kernel
> - tproxy-2.6.24-20080509 patch
> (tproxy-kernel-2.6.24-20080509-164556-1210344356.tar.bz2)
> - iptables 1.4.0 (from netfilter.org website)
> - tproxy-iptables-svn-r7519-20080509-165158-1210344718.patch
>
> I am using the following script to setup the tproxy rules.
> ====================================
> ip rule add fwmark 1 lookup 100
> ip route add local 0.0.0.0/0 dev lo table 100
> iptables -t mangle -N DIVERT
> iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
> iptables -t mangle -A DIVERT -j MARK --set-mark 1
> iptables -t mangle -A DIVERT -j ACCEPT
> iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 50080
> ====================================
>
> The host I am using is running as a router with eth0 connected to
> internet and eth1 connected to LAN.
>
> I have a small tcp proxy program running on this host. I enabled
> IP_TRANSPARENT on both sides (client side and server side). The
> client side is working wonderfully fine. It accepts connections from
> the client (otherwise destined to the real server), can read and write
> packets through the accepted FD.
>
> However, I am having trouble with the server side socket. I
> successfully bound the socket to a foreign address (client's ip and
> port 0) and initiated a connection to the real server. The TCP SYN is
> going out of the box and SYN ACK is coming in. But this SYN ACK does
> not make it into the socket layer (or at least my program) and socket
> stays in SYN_SENT state until time out.
>
> Can you please help me with this? It feels so close but ...
>
> Thanks
> Ravi
>
>
> My iptables output looks like this:
> ======================
> Chain PREROUTING (policy ACCEPT)
> target     prot opt source               destination
> DIVERT     tcp  --  anywhere             anywhere            socket
> TPROXY     tcp  --  anywhere             anywhere            tcp
> dpt:www TPROXY redirect 0.0.0.0:50080 mark 0x1/0x1
>
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination
>
> Chain FORWARD (policy ACCEPT)
> target     prot opt source               destination
>
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
>
> Chain POSTROUTING (policy ACCEPT)
> target     prot opt source               destination
>
> Chain DIVERT (1 references)
> target     prot opt source               destination
> MARK       all  --  anywhere             anywhere            MARK set 0x1
> ACCEPT     all  --  anywhere             anywhere
> ====================================
>
> My modules listing looks like this:
> ====================================
> xt_tcpudp               4352  1
> xt_MARK                 3328  1
> xt_multiport            4480  0
> xt_socket               4224  1
> nf_conntrack           67136  1 xt_socket
> xt_TPROXY               3712  1
> nf_defrag_ipv4          3456  2 xt_socket,xt_TPROXY
> nf_tproxy_core          5376  2 xt_socket,xt_TPROXY,[permanent]
> x_tables               16388  6
> xt_tcpudp,xt_MARK,xt_multiport,xt_socket,xt_TPROXY,ip_tables
> ====================================
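Cam's ARP check, as an added example that is not code from either poster: it parses the server's `ip -4 neigh show` output and reports whether the client IP resolves to the proxy's MAC (return traffic reaches the proxy), to some other MAC (replies go straight to the client and bypass the proxy), or to no usable entry. The sample neighbour table, the IPs and the MACs are constructed for the example.

```python
"""Check whether a server's neighbour (ARP) cache sends a client's traffic
back via the proxy, as suggested in Cam's reply."""
import re

# Matches one line of `ip -4 neigh show`, e.g.
# "10.0.0.5 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE"
# The lladdr part is absent for FAILED/INCOMPLETE entries.
NEIGH_RE = re.compile(
    r"^(?P<ip>\d+\.\d+\.\d+\.\d+)\s+dev\s+(?P<dev>\S+)"
    r"(?:\s+lladdr\s+(?P<mac>[0-9a-f:]{17}))?\s+(?P<state>\S+)",
    re.IGNORECASE,
)


def parse_neigh(output: str) -> dict:
    """Map each IP in `ip neigh` text to (mac or None, NUD state)."""
    table = {}
    for line in output.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            mac = m.group("mac")
            table[m.group("ip")] = (mac.lower() if mac else None,
                                    m.group("state").upper())
    return table


def check_arp_path(output: str, client_ip: str, proxy_mac: str) -> str:
    """'proxy'   - client IP maps to the proxy MAC, replies traverse the proxy
       'direct'  - client IP maps to another MAC, replies bypass the proxy
       'missing' - no resolved entry for the client IP"""
    entry = parse_neigh(output).get(client_ip)
    if entry is None or entry[0] is None or entry[1] in ("FAILED", "INCOMPLETE"):
        return "missing"
    return "proxy" if entry[0] == proxy_mac.lower() else "direct"


# Constructed sample of what the real server's `ip -4 neigh show` might print
SAMPLE_NEIGH = """\
10.0.0.5 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
10.0.0.1 dev eth0 lladdr aa:bb:cc:dd:ee:ff STALE
10.0.0.9 dev eth0  FAILED
"""
PROXY_MAC = "aa:bb:cc:dd:ee:ff"  # constructed MAC of the proxy box

if __name__ == "__main__":
    for ip in ("10.0.0.5", "10.0.0.1", "10.0.0.9"):
        print(ip, check_arp_path(SAMPLE_NEIGH, ip, PROXY_MAC))
```

A 'direct' result is the case Cam describes; when the proxy is itself the router between server and client, as in Ravi's eth0/eth1 setup, the return path already passes through it and this check is not the deciding factor.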