[tproxy] A general question on xt_socket

Arun Srinivasan hi2arun at gmail.com
Wed Oct 29 20:54:55 CET 2008


Thank you.

Currently I am facing an issue; I don't know if it really is an issue. Please clarify.

In a Linux box with tproxy4 (tproxy4-2.6.26-200809262032), I have two
proxies, proxy-1 listening on port x and proxy-2 on port y.

With the tproxy rules (tproxy-mark, -m socket, and policy routing), I
could redirect the incoming traffic to proxy-1 that listens on port x.
However, the request from proxy-1 could not be redirected to proxy-2.

The second redirection, from proxy-1 to proxy-2, is attempted through a
NAT OUTPUT rule.

The configured rules are given below:
++++++++++++ FOR PROXY-1 +++++++++++++++
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --on-port <proxy-1 port> --tproxy-mark 0x1/0x1
ip rule add fwmark 0x1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100

iptables -t mangle -N DIVERT
iptables -t mangle -I PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 0x1
iptables -t mangle -A DIVERT -j ACCEPT
+++++++++++++++++++++++++++++++++++++++++++++++


+++++++++++  FOR PROXY-2 +++++++++++++++++++++++++++++++++++++
iptables -t nat -A OUTPUT -p tcp --dport 80 -j DNAT --to <Interface IP>:<proxy-2 port>
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

The rule for proxy-2 causes only the TCP SYN packet from proxy-1 to be
redirected. The three-way handshake is not successful.

Am I missing anything, or is this the intended behavior?

Thank you.
Regards,
Arun S.

2008/10/29 Balazs Scheidler <bazsi at balabit.hu>:
> On Wed, 2008-10-29 at 20:57 +0530, Arun Srinivasan wrote:
>> Does this mean there is an appropriate listening socket in the user space?
>
> not necessarily a listening socket, but yes. a socket that is bound to the
> same address as the destination of the incoming packet.
>
>>
>> Apart from IP_TRANSPARENT for the socket option, is there anything
>> else to be done before binding a socket?
>
> no.
>
>>
>> TIA
>>
>> 2008/10/29 Balazs Scheidler <bazsi at balabit.hu>:
>> > On Tue, 2008-10-28 at 18:22 +0530, Arun Srinivasan wrote:
>> >> Hi all,
>> >>
>> >> A general question:
>> >>
>> >> Say I have the following rules configured:
>> >>
>> >> +++++++++++++++++++++++++++++
>> >> iptables -t mangle -N DIVERT
>> >> iptables -t mangle -I PREROUTING -p tcp -m socket -j DIVERT
>> >> iptables -t mangle -A DIVERT -j MARK --set-mark 0x1
>> >> iptables -t mangle -A DIVERT -j ACCEPT
>> >> ++++++++++++++++++++++++++++++++++++
>> >>
>> >> In which case can the tcp packets go without hitting the rule
>> >> "iptables -t mangle -I PREROUTING -p tcp -m socket -j DIVERT"?
>> >>
>> >
>> > if there's no local socket applicable to the packet in question, then -m
>> > socket will not match.
>> >
>> > a socket is applicable if the associated tuple (local ip:port, remote
>> > ip:port) matches the packet.
>> >
>> > related ICMP packets also match.
>> >
>> > --
>> > Bazsi
>> >
>> >
>>
>>
>>
> --
> Bazsi
>
>
-- 
Regards,
Arun S.
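The -m socket matching rule Bazsi describes above (a socket is applicable when its (local ip:port, remote ip:port) tuple matches the packet, a listener counting as bound to the packet's destination) and the IP_TRANSPARENT listener the question asks about, as an added example that is not part of the original thread or of tproxy itself. The socket table, ports and addresses are constructed for illustration; the lookup order mirrors the established-then-listening order of the kernel match, which is an assumption of this model.

```python
import socket
from dataclasses import dataclass
from typing import Optional, Tuple, List

Addr = Tuple[str, int]  # (ip, port)


@dataclass(frozen=True)
class Sock:
    local: Addr                    # bound address; "0.0.0.0" means any
    remote: Optional[Addr] = None  # None for a listening socket


def find_matching_socket(sockets: List[Sock], src: Addr, dst: Addr) -> Optional[Sock]:
    """Model of what -m socket checks for an incoming packet src -> dst.

    First an established socket whose (local, remote) equals (dst, src),
    then a listener bound to dst, or to the wildcard address on dst's port.
    Returns the matching Sock, or None (the packet would skip DIVERT).
    """
    for s in sockets:
        if s.remote is not None and s.local == dst and s.remote == src:
            return s
    for s in sockets:
        if s.remote is None and s.local[1] == dst[1] and s.local[0] in (dst[0], "0.0.0.0"):
            return s
    return None


def make_transparent_listener(port: int, host: str = "0.0.0.0") -> socket.socket:
    """Listener of the kind the thread discusses: IP_TRANSPARENT set before
    bind(), so accepted connections may carry a non-local destination address.
    Linux only and needs CAP_NET_ADMIN, so it is not called at import time."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.setsockopt(socket.IPPROTO_IP, socket.IP_TRANSPARENT, 1)
    s.bind((host, port))
    s.listen(16)
    return s


if __name__ == "__main__":
    # Constructed scenario: proxy-1 listens on port 3128 (stands in for "port x").
    proxy1 = Sock(("0.0.0.0", 3128))
    client, origin = ("10.0.0.5", 40000), ("192.0.2.10", 80)
    # Client SYN to the origin: no socket matches, so it falls through to -j TPROXY.
    print(find_matching_socket([proxy1], client, origin))        # None
    # After proxy-1 accepts, an established socket with the origin's address exists,
    # so later packets of the flow hit -m socket and are diverted by the mark.
    est = Sock(local=origin, remote=client)
    print(find_matching_socket([proxy1, est], client, origin))   # est
```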