[tproxy] tproxy can't work with ip_conntrack
Balazs Scheidler
bazsi at balabit.hu
Sun Oct 26 22:19:12 CET 2008
On Thu, 2008-10-23 at 10:24 +0800, Dong Wei wrote:
> Hi,
>
> 2008/10/23 NTPT <NTPT at seznam.cz>:
> > I think there is no need to track connections from client to TPROXY server.
> >
> > And what about moving the -m socket match and other stuff to the raw conntrack table and then using a -j NOTRACK target to selectively not conntrack connections from the client to the tproxy server, while other connections, including those from the tproxy server to the world, will still be conntracked?
> >
> > please excuse my wrong English
>
> I think it's hard for us to check whether a TCP packet belongs to a
> tproxy socket. When we receive a SYN from the client, we can't make
> sure this packet belongs to a tproxy socket before the packet travels
> to the TPROXY target in the mangle table PREROUTING chain.
> Here is a sample:
> iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY \
> --tproxy-mark 0x1/0x1 --on-port 50080
> When the TPROXY target handles the SYN packet and finds the dport is 80,
> it will look up the tproxy socket listening on 50080. But in the raw
> table we don't know which listening port we should take when we find
> the SYN packet's dport is 80.
>
> I think maybe we need to write a match like TPROXY; all the matched
> packets do NOTRACK.
Well, tproxy could be made to work in the raw table as well; technically
there are no differences between mangle and raw, apart from their
netfilter priorities.
But also, I think it is quite easy to add a rule to raw/OUTPUT which
applies NOTRACK on all tproxied connections, something like:
iptables -t raw -A OUTPUT -m addrtype ! --src-type LOCAL -j NOTRACK
The only question is how to match the reverse direction, but you
probably could match that by interface or something.
--
Bazsi
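A concrete ruleset that puts the pieces of this thread together, added here as an example and not taken from the posts above or from the tproxy project: Dong Wei's TPROXY rule in mangle/PREROUTING, Bazsi's raw/OUTPUT NOTRACK rule for the proxy's spoofed-source replies, and an interface match for the reverse (client to proxy) direction, which the reply leaves open. The client-facing interface eth1, the policy-routing table number and fwmark rule are assumptions, and the script prints the commands by default, executing them only when APPLY=1.

```shell
#!/bin/sh
# Added example: tproxy setup with conntrack skipped for the tproxied leg.
# Assumptions (not from the thread): clients arrive on CLIENT_IF, the proxy
# listens on PROXY_PORT, mark 0x1 / table 100 are free for policy routing.
CLIENT_IF="${CLIENT_IF:-eth1}"
PROXY_PORT="${PROXY_PORT:-50080}"
MARK="0x1/0x1"
RT_TABLE=100

# Print every command; execute it only when APPLY=1 (dry run by default,
# so the rule set can be reviewed before it touches a live box).
emit() {
    printf '%s\n' "$*"
    if [ "${APPLY:-0}" = 1 ]; then
        "$@"
    fi
}

tproxy_rules() {
    # 1. Untrack the proxy -> client leg (Bazsi's rule). Replies sent from a
    #    transparent socket carry the original server address as source, so
    #    "source is not a local address" on OUTPUT identifies them.
    emit iptables -t raw -A OUTPUT -m addrtype ! --src-type LOCAL -j NOTRACK

    # 2. Untrack the client -> proxy leg. The SYN cannot be recognised as
    #    "destined for a tproxy socket" this early (raw runs before mangle),
    #    so match what the TPROXY rule below will intercept anyway: port 80
    #    arriving on the client-facing interface.
    emit iptables -t raw -A PREROUTING -i "$CLIENT_IF" -p tcp --dport 80 -j NOTRACK

    # 3. The redirect itself (Dong Wei's sample rule, restricted to the
    #    client interface): mark the packet and steer it to the listener.
    emit iptables -t mangle -A PREROUTING -i "$CLIENT_IF" -p tcp --dport 80 -j TPROXY \
        --tproxy-mark "$MARK" --on-port "$PROXY_PORT"

    # 4. Marked packets must be delivered locally although their destination
    #    is a foreign address (the usual tproxy policy-routing pair).
    emit ip rule add fwmark 1 lookup "$RT_TABLE"
    emit ip route add local 0.0.0.0/0 dev lo table "$RT_TABLE"
}

tproxy_rules
```

Two caveats worth keeping in mind with this layout. Packets that hit NOTRACK never reach the nat table and do not match -m state / -m conntrack rules, so any MASQUERADE or stateful filtering has to apply to the proxy's own connections to the outside, not to the intercepted leg. And rule 1 is broader than "replies to clients": if the proxy also opens its outbound connections with a spoofed client source (IP_TRANSPARENT on the outbound socket), those match ! --src-type LOCAL too and become untracked; adding -o "$CLIENT_IF" to that rule keeps the outbound side tracked.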