[tproxy] Problem with foreign connect using tproxy4
Pranav Desai
pranavadesai at gmail.com
Wed Oct 29 03:15:54 CET 2008

On Tue, Oct 28, 2008 at 6:54 PM, Pranav Desai <pranavadesai at gmail.com> wrote:
> Hello,
>
> I am trying to do a foreign connect with tproxy4.
>
> Here is what I have tried so far, seems like I have missed a few
> things since it's not working for me.
>
> After applying the kernel patch for 2.6.24.7, I can get the pkts going
> out using a foreign address, I also see the syn ack pkts coming back
> from the server on the client machine, but client doesn't send an ack
> back. I am guessing that I missed something with the iptables rules?
>
> The README suggests that I have to set the following rules and do the
> setsockopt for the foreign connect.
>
>        iptables -t mangle -N DIVERT
>        iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
>        iptables -t mangle -A DIVERT -j MARK --set-xmark 0x1/0xffffffff
>        iptables -t mangle -A DIVERT -j ACCEPT
>
> For me the --set-xmark fails with:
> iptables v1.4.0: Unknown arg `--set-xmark'
> Try `iptables -h' or 'iptables --help' for more information.
>
> I have applied the tproxy patch for iptables-1.4.0
>
> Here is my mangle table. The UNKNOWN match seems suspicious.
>
Update:
The UNKNOWN is because I was printing out the table with unpatched
iptables. Sorry about that.
Here is the correct mangle table output:

Chain PREROUTING (policy ACCEPT 258K packets, 36M bytes)
 pkts bytes target     prot opt in     out     source               destination
  395 29020 DIVERT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           socket

Chain INPUT (policy ACCEPT 76083 packets, 11M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 63346 packets, 12M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 63346 packets, 12M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain DIVERT (1 references)
 pkts bytes target     prot opt in     out     source               destination
  172 11704 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0           MARK set 0x1
  117  7324 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

The --set-xmark command is still failing so I tried this:
iptables -t mangle -A DIVERT -j MARK --set-mark 0x1
But that didn't help. So any help is welcome.
-- Pranav
> Chain PREROUTING (policy ACCEPT 258K packets, 36M bytes)
>  pkts bytes target     prot opt in     out     source               destination
>  138 11024 DIVERT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           UNKNOWN match `socket'
>
> Chain INPUT (policy ACCEPT 75192 packets, 11M bytes)
>  pkts bytes target     prot opt in     out     source               destination
>
> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>
> Chain OUTPUT (policy ACCEPT 62722 packets, 11M bytes)
>  pkts bytes target     prot opt in     out     source               destination
>
> Chain POSTROUTING (policy ACCEPT 62722 packets, 11M bytes)
>  pkts bytes target     prot opt in     out     source               destination
>
> Chain DIVERT (1 references)
>  pkts bytes target     prot opt in     out     source               destination
>   32  2096 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
>
> What am I missing here? I would appreciate any help I can get.
>
> Also, are there any pointers explaining the difference between tproxy2 and 4?
>
> Thanks
> -- Pranav
>