[tproxy] Problem with foreign connect using tproxy4

Pranav Desai pranavadesai at gmail.com
Wed Oct 29 02:54:48 CET 2008


Hello,

I am trying to do a foreign connect with tproxy4.

Here is what I have tried so far; it seems like I have missed a few
things since it's not working for me.

After applying the kernel patch for 2.6.24.7, I can get the pkts going
out using a foreign address, I also see the syn ack pkts coming back
from the server on the client machine, but client doesn't send an ack
back. I am guessing that I missed something with the iptables rules?

The README suggests that I have to set the following rules and do the
setsockopt for the foreign connect.

        iptables -t mangle -N DIVERT
        iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
        iptables -t mangle -A DIVERT -j MARK --set-xmark 0x1/0xffffffff
        iptables -t mangle -A DIVERT -j ACCEPT

For me the --set-xmark fails with:
iptables v1.4.0: Unknown arg `--set-xmark'
Try `iptables -h' or 'iptables --help' for more information.

I have applied the tproxy patch for iptables-1.4.0

Here is my mangle table. The UNKNOWN match seems suspicious.

Chain PREROUTING (policy ACCEPT 258K packets, 36M bytes)
 pkts bytes target     prot opt in     out     source               destination
  138 11024 DIVERT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           UNKNOWN match `socket'

Chain INPUT (policy ACCEPT 75192 packets, 11M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 62722 packets, 11M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 62722 packets, 11M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain DIVERT (1 references)
 pkts bytes target     prot opt in     out     source               destination
   32  2096 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

What am I missing here? I would appreciate any help I can get.

Also, are there any pointers explaining the difference between tproxy2 and 4?

Thanks
-- Pranav
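The foreign-connect client the post is trying to build, written out as an added example (it is not code from the post or from the tproxy project). It assumes a kernel carrying the tproxy4 patch, so that `IP_TRANSPARENT` exists and makes `bind()` accept a non-local address, and it assumes the host has been prepared with the mangle rules from the README plus the `ip rule` / `ip route` pair that steers marked packets into the local table; those commands are listed in the header comment. The `--set-mark 1` spelling there is the older form of `--set-xmark 0x1/0xffffffff` for iptables builds that do not know `--set-xmark`. `make_addr` and `transparent_connect` are names chosen for this example; the address 192.0.2.0/24 in the usage line is documentation space, not a real endpoint.

```c
/*
 * Added example: connect to a server from a "foreign" (non-local) source
 * address using the IP_TRANSPARENT socket option provided by tproxy4.
 * Not part of the original post or of the tproxy project.
 *
 * Assumed host preparation (run as root before starting this program):
 *   iptables -t mangle -N DIVERT
 *   iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
 *   iptables -t mangle -A DIVERT -j MARK --set-mark 1    # older form of --set-xmark 0x1/0xffffffff
 *   iptables -t mangle -A DIVERT -j ACCEPT
 *   ip rule add fwmark 1 lookup 100
 *   ip route add local 0.0.0.0/0 dev lo table 100
 * The ip rule/route pair is what delivers replies addressed to the foreign
 * address to the local socket; without it the SYN-ACK arrives on the wire
 * but never reaches the socket, so no ACK is sent.
 *
 * Build: cc -Wall -o tconnect tconnect.c
 * Usage: ./tconnect 192.0.2.10 40000 192.0.2.20 80   (needs CAP_NET_ADMIN)
 */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#ifndef IP_TRANSPARENT
#define IP_TRANSPARENT 19   /* option number used by the tproxy4 patch */
#endif

/* Fill an IPv4 sockaddr; returns 0 on success, -1 if ip does not parse. */
int make_addr(struct sockaddr_in *sa, const char *ip, unsigned short port)
{
    memset(sa, 0, sizeof *sa);
    sa->sin_family = AF_INET;
    sa->sin_port = htons(port);
    return inet_pton(AF_INET, ip, &sa->sin_addr) == 1 ? 0 : -1;
}

/*
 * Create a TCP socket bound to the foreign source src_ip:src_port and
 * connect it to dst_ip:dst_port. Returns the connected fd, or -1 with
 * errno set: EINVAL for a bad address, EPERM from setsockopt() when the
 * process lacks CAP_NET_ADMIN, EADDRNOTAVAIL from bind() when the kernel
 * does not honour IP_TRANSPARENT (unpatched kernel).
 */
int transparent_connect(const char *src_ip, unsigned short src_port,
                        const char *dst_ip, unsigned short dst_port)
{
    struct sockaddr_in src, dst;
    int one = 1, fd, saved;

    if (make_addr(&src, src_ip, src_port) < 0 ||
        make_addr(&dst, dst_ip, dst_port) < 0) {
        errno = EINVAL;
        return -1;
    }
    fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    /* Must be set before bind(): it is what lets bind() take a non-local address. */
    if (setsockopt(fd, IPPROTO_IP, IP_TRANSPARENT, &one, sizeof one) < 0)
        goto fail;
    if (bind(fd, (struct sockaddr *)&src, sizeof src) < 0)
        goto fail;
    if (connect(fd, (struct sockaddr *)&dst, sizeof dst) < 0)
        goto fail;
    return fd;

fail:
    saved = errno;          /* keep the cause; close() may overwrite errno */
    close(fd);
    errno = saved;
    return -1;
}

int main(int argc, char **argv)
{
    if (argc != 5) {
        fprintf(stderr, "usage: %s SRC_IP SRC_PORT DST_IP DST_PORT\n", argv[0]);
        return 2;
    }
    int fd = transparent_connect(argv[1], (unsigned short)atoi(argv[2]),
                                 argv[3], (unsigned short)atoi(argv[4]));
    if (fd < 0) {
        perror("transparent_connect");
        return 1;
    }
    printf("connected from %s:%s to %s:%s\n", argv[1], argv[2], argv[3], argv[4]);
    close(fd);
    return 0;
}
```

The errno values spelled out in the comment above `transparent_connect` are the ones to look at when the handshake stalls as described in the post: a clean `connect()` return with no ACK on the wire points at the mark/route side rather than at the socket code.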

