[tproxy] Problem with foreign connect using tproxy4
Balazs Scheidler
bazsi at balabit.hu
Wed Oct 29 15:20:24 CET 2008
On Tue, 2008-10-28 at 19:15 -0700, Pranav Desai wrote:
> On Tue, Oct 28, 2008 at 6:54 PM, Pranav Desai <pranavadesai at gmail.com> wrote:
> > Hello,
> >
> > I am trying to do a foreign connect with tproxy4.
> >
> > Here is what I have tried so far; it seems like I have missed a few
> > things since it's not working for me.
> >
> > After applying the kernel patch for 2.6.24.7, I can get the pkts going
> > out using a foreign address, I also see the syn ack pkts coming back
> > from the server on the client machine, but the client doesn't send an ack
> > back. I am guessing that I missed something with the iptables rules?
> >
> > The README suggests that I have to set the following rules and do the
> > setsockopt for the foreign connect.
> >
> > iptables -t mangle -N DIVERT
> > iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
> > iptables -t mangle -A DIVERT -j MARK --set-xmark 0x1/0xffffffff
> > iptables -t mangle -A DIVERT -j ACCEPT
> >
> > For me the --set-xmark fails with:
> > iptables v1.4.0: Unknown arg `--set-xmark'
> > Try `iptables -h' or 'iptables --help' for more information.
> >
> > I have applied the tproxy patch for iptables-1.4.0
> >
> > Here is my mangle table. The UNKNOWN match seems suspicious.
> >
> Here is the correct mangle table output
>
> Chain PREROUTING (policy ACCEPT 258K packets, 36M bytes)
>  pkts bytes target  prot opt in  out  source     destination
>   395 29020 DIVERT  tcp  --  *   *    0.0.0.0/0  0.0.0.0/0    socket
>
> Chain INPUT (policy ACCEPT 76083 packets, 11M bytes)
>  pkts bytes target  prot opt in  out  source     destination
>
> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target  prot opt in  out  source     destination
>
> Chain OUTPUT (policy ACCEPT 63346 packets, 12M bytes)
>  pkts bytes target  prot opt in  out  source     destination
>
> Chain POSTROUTING (policy ACCEPT 63346 packets, 12M bytes)
>  pkts bytes target  prot opt in  out  source     destination
>
> Chain DIVERT (1 references)
>  pkts bytes target  prot opt in  out  source     destination
>   172 11704 MARK    all  --  *   *    0.0.0.0/0  0.0.0.0/0    MARK set 0x1
>   117  7324 ACCEPT  all  --  *   *    0.0.0.0/0  0.0.0.0/0
>
> The --set-xmark command is still failing so I tried this:
>
> iptables -t mangle -A DIVERT -j MARK --set-mark 0x1
>
>
> But that didn't help. So any help is welcome.
Hm.. did you also set up proper policy routing rules? I mean the packets
marked with 0x1 should be routed to the local IP stack.
--
Bazsi
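The reply points at the step the quoted setup is missing: the mangle rules only mark packets that belong to a transparent socket, and a policy-routing rule is still needed to deliver marked packets to the local stack. The script below is an added example, not code from the thread or from the tproxy project; it combines the README rules quoted above with the policy-routing step. The fwmark value 0x1 and the DIVERT chain name come from the thread; routing table number 100, the DRY_RUN switch and the function names are assumptions of this example. It uses `--set-mark` rather than `--set-xmark` because the poster's iptables 1.4.0 rejects the latter.

```shell
#!/bin/sh
# Added example (not from the thread): TPROXY mark + policy-routing setup.
# Assumed: fwmark 0x1 and chain DIVERT (from the thread), routing table 100.
# With DRY_RUN=1 every command is printed instead of executed, so the
# resulting rule set can be reviewed before it is applied to a live box.

FWMARK=${FWMARK:-0x1}
RT_TABLE=${RT_TABLE:-100}

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Mangle rules: packets already owned by a local (transparent) socket are
# marked so the routing decision below can hand them to the local stack.
setup_mangle() {
    run iptables -t mangle -N DIVERT
    run iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
    # --set-mark instead of --set-xmark: iptables 1.4.0 in the thread does
    # not know --set-xmark, and for a plain 0x1 mark the result is the same.
    run iptables -t mangle -A DIVERT -j MARK --set-mark "$FWMARK"
    run iptables -t mangle -A DIVERT -j ACCEPT
}

# Policy routing: the step the reply asks about. Without it the marked
# SYN/ACK is routed by the main table instead of being delivered locally,
# so the proxy socket never sees it and the handshake never completes.
setup_policy_routing() {
    run ip rule add fwmark "$FWMARK" lookup "$RT_TABLE"
    run ip route add local 0.0.0.0/0 dev lo table "$RT_TABLE"
}

# Diagnostic for a running system: succeeds only if a rule for our fwmark
# is present in the policy database (the symptom in the thread is its absence).
check_policy_routing() {
    ip rule show 2>/dev/null | grep -q "fwmark $FWMARK"
}

# Only apply when explicitly asked, so sourcing the file changes nothing.
case "${1:-}" in
    apply)
        setup_mangle
        setup_policy_routing
        ;;
    check)
        check_policy_routing && echo "fwmark $FWMARK rule present" \
            || echo "no ip rule for fwmark $FWMARK"
        ;;
esac
```

Run `DRY_RUN=1 sh tproxy-setup.sh apply` to review the generated commands, `sh tproxy-setup.sh apply` as root to install them, and `sh tproxy-setup.sh check` to confirm the policy-routing rule the reply refers to actually exists on the proxy host.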