[tproxy] Trouble getting server side transparency to work
mingching.tiew at redtone.com
Mon May 19 19:57:56 CEST 2008
> Ravi Valmikam wrote:
>> However, I am having trouble with the server side socket. I
>> successfully bound the socket to a foreign address (client's ip and
>> port 0) and initiated a connection to the real server. The TCP SYN is
>> going out of the box and SYN ACK is coming in. But this SYN ACK does
>> not make it into the socket layer (or at least my program) and socket
>> stays in SYN_SENT state until time out.
>> Can you please help me with this? It feels so close but ...
Cameron Schaus wrote:
> This is a shot in the dark, but does your server have the correct ARP
> entry for the client? Unless your proxy is physically inline, the
> server will have the client machine's MAC for the client IP, and not the
> proxy MAC. Therefore packets will be sent directly to the client, which
> is not what you want.
> In the past I have added the client MAC as a static ARP entry on the
> server to work around this issue (for testing).
As far as I know that's an expected behaviour - because the return path
is destined for the foreign IP and not the proxy.
Adding a static ARP entry works for testing only, as this will result
in too many ARP entries in a live network.
Either set up the system as a bridge (and hence capable of hijacking
the return path), or have the return path go through some routers
that will route the packets to your proxy.
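
The symptom in this thread (a foreign-bound socket stuck in SYN_SENT because the SYN ACK never reaches the proxy) can be spotted from `/proc/net/tcp` on the proxy. The following is an added example, not part of any poster's message; the function names, the sample table and the address set are constructed, and it assumes IPv4 on a little-endian host.

```python
import socket
import struct

SYN_SENT = 0x02  # TCP state code as printed in the "st" column of /proc/net/tcp

# Constructed sample in /proc/net/tcp layout (not captured from a real system).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001
   1: 0A00A8C0:8124 1400A8C0:0050 01 00000000:00000000 00:00000000 00000000     0        0 1002
   2: 6300000A:9C40 1400A8C0:0050 02 00000001:00000000 01:000000C8 00000002     0        0 1003
"""


def decode_endpoint(field):
    """Turn 'AABBCCDD:PPPP' into (dotted_ip, port).

    The address is the raw 32-bit value printed in host byte order,
    so on a little-endian machine the octets appear reversed.
    """
    addr_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(addr_hex, 16)))
    return ip, int(port_hex, 16)


def stuck_foreign_connects(proc_net_tcp, local_ips):
    """Return SYN_SENT sockets whose local address is not one of the proxy's own.

    Each hit is (local_endpoint, remote_endpoint, retransmit_count). A hit with
    a growing retransmit count means the SYN went out from the spoofed client
    address but the reply is not coming back through this machine.
    """
    hits = []
    for line in proc_net_tcp.splitlines()[1:]:  # skip the header row
        cols = line.split()
        if len(cols) < 7:
            continue
        local = decode_endpoint(cols[1])
        remote = decode_endpoint(cols[2])
        state = int(cols[3], 16)
        if state == SYN_SENT and local[0] not in local_ips:
            hits.append((local, remote, int(cols[6], 16)))
    return hits


if __name__ == "__main__":
    proxy_ips = {"127.0.0.1", "192.168.0.10"}  # assumed addresses of the proxy
    for local, remote, retrans in stuck_foreign_connects(SAMPLE, proxy_ips):
        print(f"{local} -> {remote} stuck in SYN_SENT, retransmits={retrans}")
```

On a live proxy, pass the contents of `/proc/net/tcp` and the machine's own interface addresses instead of the constructed values.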