[tproxy] iptables, kernel insmod problem

Tóth László Attila panther at elte.hu
Fri May 23 23:32:18 CEST 2008


Ritter, Nicholas wrote:
> I have a CentOS 5.1 box which I have custom compiled iptables and a
> kernel on. The versions I am using are iptables 1.4.0, kernel,
> and tproxy 
> (specifically: tproxy-iptables-1.4.0-20080521-113954-1211362794.patch,
> and 
> tproxy-kernel-2.6.25-20080519-165031-1211208631.tar.bz2 )
> The problem I am having is that when I issue an iptables command to
> create a TPROXY rule, iptables errors saying that it can't initialize
> the TPROXY table. Normally I would assume that I had problems with the

There is no tproxy table; older versions of TProxy used this table, 
but the latest doesn't. TProxy-related rules are in the mangle table.

From the README.txt:

     The following use-case assumes a transparent proxy listening on port
     50080 and any ip address (

     First, set up the routing rules with iproute2:

       ip rule add fwmark 1 lookup 100
       ip route add local dev lo table 100

     Or, if you want to use packet marking for anything else, the least
     significant bit is enough for transparent proxying.

       ip rule add fwmark 0x1/0x1 lookup 100
       ip route add local dev lo table 100

     Note that this latter example is only working with newer versions of

     For supporting foreign address bind, the socket match is required with
     packet marking:

       iptables -t mangle -N DIVERT
       iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT

       # DIVERT chain: mark packets and accept
       iptables -t mangle -A DIVERT -j MARK --set-mark 1
       iptables -t mangle -A DIVERT -j ACCEPT

     The last rule is for diverting traffic to the proxy:

       iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY \
               --tproxy-mark 0x1/0x1 --on-port 50080

     If it is a Squid-3 proxy, in /etc/squid/squid.conf the following
     rule is necessary for transparent proxying:

       http_port 50080 tproxy transparent

     Then set up the ACL rules according to your local policy.

Note that I forgot to append the "transparent" option to the http_port 
directive in the README.txt, but without it, not all transparent 
connections work, only those where the HTTP request is something like:

GET http://example.com/ HTTP/1.0


> patches, compiling, etc. Everything patched cleanly, compiled fine, and
> installed fine. When I searched, I see the compiled libxt_TPROXY and
> xt_TPROXY.ko files in iptables build directory and the kernel modules
> directory. insmod xt_TROXY does not work.
> I must have done something wrong somewhere, can someone offer some
> suggestions?
> Nick
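
Since the question is whether the rules went into the right table and whether the marks line up, here is an added shell check (written for this page, not from the README nor from any poster in the thread) that reads an `iptables-save` dump of the mangle table and an `ip rule show` listing and verifies the pieces described above are present and consistent: the TPROXY rule in mangle PREROUTING, the `-m socket` divert, the MARK set in the DIVERT chain, and the fwmark policy rule, including the value/mask arithmetic that decides whether a marked packet actually hits the `lookup 100` rule. Both embedded inputs are constructed samples (the second one deliberately sets a mark that the TPROXY rule's mask cannot match); on a real host feed it `iptables-save -t mangle` and `ip rule show` output instead. The `xt_tproxy_available` helper is an assumption of this example, not a tool from the patch set.

```shell
#!/bin/sh
# Added example, not part of the tproxy README or the mailing-list thread.
# Checks a TPROXY ruleset for presence and mark consistency.

# Constructed sample: what `iptables-save -t mangle` prints after the README rules.
SAMPLE_MANGLE='*mangle
:PREROUTING ACCEPT [0:0]
:DIVERT - [0:0]
-A PREROUTING -p tcp -m socket -j DIVERT
-A PREROUTING -p tcp -m tcp --dport 80 -j TPROXY --on-port 50080 --tproxy-mark 0x1/0x1
-A DIVERT -j MARK --set-xmark 0x1/0xffffffff
-A DIVERT -j ACCEPT
COMMIT'

# Constructed sample with a mistake: DIVERT sets mark 2, but TPROXY and the
# policy rule select on the least significant bit, so diverted packets never
# reach routing table 100.
SAMPLE_MANGLE_BAD=$(printf '%s\n' "$SAMPLE_MANGLE" | sed 's/--set-xmark 0x1/--set-xmark 0x2/')

# Constructed sample: `ip rule show` with the fwmark policy rule from the README.
SAMPLE_RULES='0:	from all lookup local
32765:	from all fwmark 0x1/0x1 lookup 100
32766:	from all lookup main'

# mark_hits SET_MARK VALUE[/MASK]: succeed if a packet carrying SET_MARK matches
# the selector VALUE/MASK, i.e. (SET_MARK & MASK) == (VALUE & MASK).
# A selector without a mask means an exact match.
mark_hits() {
    set_mark=$1
    value=${2%%/*}
    mask=${2#*/}
    [ "$mask" = "$2" ] && mask=0xffffffff
    [ $(( $set_mark & $mask )) -eq $(( $value & $mask )) ]
}

# check_tproxy RULES_TEXT MANGLE_TEXT: print every problem found and return
# non-zero if there was at least one.
check_tproxy() {
    rules=$1
    mangle=$2
    problems=0

    # The TPROXY target lives in the mangle table; an iptables-save dump that
    # contains no TPROXY rule at all is the most common symptom of putting it
    # elsewhere (there is no "tproxy" table in this version).
    tproxy_rule=$(printf '%s\n' "$mangle" | grep -- '-j TPROXY' | head -n 1)
    if [ -z "$tproxy_rule" ]; then
        echo "missing: TPROXY target rule in mangle PREROUTING"
        return 1
    fi
    tproxy_mark=$(printf '%s\n' "$tproxy_rule" | sed -n 's/.*--tproxy-mark \([^ ]*\).*/\1/p')
    [ -n "$tproxy_mark" ] || { echo "missing: --tproxy-mark on TPROXY rule"; problems=$((problems + 1)); }

    # Packets belonging to existing proxy sockets must be diverted via the socket match.
    printf '%s\n' "$mangle" | grep -q -- '-m socket -j DIVERT' \
        || { echo "missing: -m socket -j DIVERT rule in PREROUTING"; problems=$((problems + 1)); }

    # The DIVERT chain must set a mark that the TPROXY selector would also match;
    # iptables-save may print it as --set-mark or --set-xmark VALUE/MASK.
    set_mark=$(printf '%s\n' "$mangle" | sed -n 's/.*-A DIVERT -j MARK --set-x\{0,1\}mark \([^/ ]*\).*/\1/p' | head -n 1)
    if [ -z "$set_mark" ]; then
        echo "missing: MARK rule in DIVERT chain"; problems=$((problems + 1))
    elif [ -n "$tproxy_mark" ] && ! mark_hits "$set_mark" "$tproxy_mark"; then
        echo "mismatch: DIVERT sets mark $set_mark, TPROXY selects on $tproxy_mark"; problems=$((problems + 1))
    fi

    # The policy rule must select the same mark, otherwise the local route in
    # table 100 is never consulted and the packet is forwarded normally.
    fwmark=$(printf '%s\n' "$rules" | sed -n 's/.*fwmark \([^ ]*\) lookup.*/\1/p' | head -n 1)
    if [ -z "$fwmark" ]; then
        echo "missing: ip rule ... fwmark ... lookup <table>"; problems=$((problems + 1))
    elif [ -n "$set_mark" ] && ! mark_hits "$set_mark" "$fwmark"; then
        echo "mismatch: DIVERT sets mark $set_mark, ip rule selects on $fwmark"; problems=$((problems + 1))
    fi

    [ "$problems" -eq 0 ]
}

# Hypothetical helper: is xt_TPROXY visible to the running kernel? modprobe
# (unlike insmod) also resolves the module's dependencies. Returns 2 when
# modinfo is not installed, so the result can be told apart from "absent".
xt_tproxy_available() {
    command -v modinfo >/dev/null 2>&1 || return 2
    modinfo xt_TPROXY >/dev/null 2>&1
}

if check_tproxy "$SAMPLE_RULES" "$SAMPLE_MANGLE"; then
    echo "sample ruleset: consistent"
fi
echo "broken sample:"
check_tproxy "$SAMPLE_RULES" "$SAMPLE_MANGLE_BAD"
```

On a live box, `check_tproxy "$(ip rule show)" "$(iptables-save -t mangle)"` runs the same checks against the real state; a successful run says nothing about whether the proxy is listening on the `--on-port` port or whether `http_port` carries the `tproxy` option, which still have to be checked on the Squid side.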
