[tproxy] iptables, kernel insmod problem
Tóth László Attila
panther at elte.hu
Fri May 23 23:32:18 CEST 2008
Hello,
Ritter, Nicholas wrote:
> I have a CentOS 5.1 box which I have custom compiled iptables and a
> kernel on. The version I am using are iptables 1.4.0, kernel 2.6.25.4,
> and tproxy
>
> (specifically: tproxy-iptables-1.4.0-20080521-113954-1211362794.patch,
> and
> tproxy-kernel-2.6.25-20080519-165031-1211208631.tar.bz2 )
>
> The problem I am having is that when I issue an iptables command to
> create a TPROXY rule, iptables errors saying that it can't initialize
> the TPROXY table. Normally I would assume that I had problems with the
There is no tproxy table; older versions of TProxy used this table,
but the latest doesn't. TProxy-related rules are in the mangle table.
From the README.txt:
The following use-case assumes a transparent proxy listening on port
50080 and any ip address (0.0.0.0).
First, set up the routing rules with iproute2:
ip rule add fwmark 1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100
Or, if you want to use packet marking for anything else, the least
significant bit is enough for transparent proxying.
ip rule add fwmark 0x1/0x1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100
Note that this latter example is only working with newer versions of
iproute2.
For supporting foreign address bind, the socket match is required with
packet marking:
iptables -t mangle -N DIVERT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
# DIVERT chain: mark packets and accept
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT
The last rule is for diverting traffic to the proxy:
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY \
--tproxy-mark 0x1/0x1 --on-port 50080
If it is a Squid-3 proxy, in /etc/squid/squid.conf the following
rule is necessary for transparent proxying:
http_port 50080 tproxy transparent
Then set up the ACL rules according to your local policy.
Note that I forgot to append the "transparent" option to the http_port
directive in the README.txt; without it, not all transparent
connections work, only those where the HTTP request is something like:
GET http://example.com/ HTTP/1.0
Laszlo
> patches, compiling, etc. Everything patched cleanly, compiled fine, and
> installed fine. When I searched, I see the compiled libxt_TPROXY and
> xt_TPROXY.ko files in iptables build directory and the kernel modules
> directory. Insmod xt_TPROXY does not work.
>
> I must have done something wrong somewhere, can someone offer some
> suggestions?
>
> Nick
> _______________________________________________
> tproxy mailing list
> tproxy at lists.balabit.hu
> https://lists.balabit.hu/mailman/listinfo/tproxy