[tproxy] Trouble getting server side transparency to work

Ming-Ching Tiew mingching.tiew at redtone.com
Mon May 19 19:57:56 CEST 2008

> Ravi Valmikam wrote:
>> However, I am having trouble with the server side socket. I
>> successfully bound the socket to a foriegn address (client's ip and
>> port 0) and initiated a connection to the real server. The TCP SYN is
>> going out of the box and SYN ACK is coming in. But this SYN ACK does
>> not make it into the socket layer (or atleast my program) and socket
>> stays in SYN_SENT state until time out.
>> Can you please help me with this? It feels so close but ...
Cameron Schaus wrote:
> This is a shot in the dark, but does your server have the correct ARP 
> entry for the client?  Unless your proxy is physically inline, the 
> server will have the client machine's MAC for the client IP, and not the 
> proxy MAC.  Therefore packets will be sent directly to the client, which 
> is not what you want.
> In the past I have added the client MAC as a static ARP entry on the 
> server to work around this issue (for testing).
> Cam

As far as I know that's an expected behaviour - because the return path
is destined for the foreign IP and not the proxy.

Adding a static ARP entry works for testing only, as this will result
in too many arp entries in a live network.

Either setup the system as a bridge ( and hence capable of hijacking
the return path ) or if the return path goes through some routers
where the routers will route the packets to your proxy.


More information about the tproxy mailing list