[tproxy] tproxy can't work with ip_conntrack

Balazs Scheidler bazsi at balabit.hu
Sun Oct 26 22:19:12 CET 2008

On Thu, 2008-10-23 at 10:24 +0800, Dong Wei wrote:
> Hi,
> 2008/10/23 NTPT <NTPT at seznam.cz>:
> > I thing there is no need to track connction from client to TPROXY server.
> >
> > And what about to move -m socket match and other stuff to the raw conntrack table  and then use a -j NOTRACK target to selectively  do not conntrack connections from client to tproxy server, while other connections, include from tproxy server to the world , will be still conntracked ?
> >
> > please  execuse my wrong english
> I think it's hard for us to check whether a TCP packet belongs to a
> tproxy socket. When we receive a SYN from the client, we can't make
> sure this packet belongs to a tproxy socket before the packet travel
> to TPROXY target in mangle table PREROUTING chain.
> Here is an sample:
> iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY \
> --tproxy-mark 0x1/0x1 --on-port 50080
> When TPROXY target handle the SYN packet, find the dport is 80, then
> it will look up the tproxy socket listening on 50080.  But in raw
> table we don't know which listening port should we take when we find
> the SYN packet dport is 80.
> I think maybe we need write a match like TPROXY, all the matched
> packet do NOTRACK

Well, tproxy could be made working in the raw table as well, technically
there are no differences between mangle and raw, apart from their
netfilter priorities.

But also, I think it is quite easy to add a rule to raw/OUTPUT which
applies NOTRACK on all tproxied connections, something like:

iptables -t raw -A OUTPUT -m addrtype ! --src-type LOCAL -j NOTRACK

The only question is how to match the reverse direction, but you
probably could match that by interface or something.


More information about the tproxy mailing list