[tproxy] Problem with foreign connect using tproxy4

Pranav Desai pranavadesai at gmail.com
Thu Oct 30 03:08:10 CET 2008


On Wed, Oct 29, 2008 at 7:20 AM, Balazs Scheidler <bazsi at balabit.hu> wrote:
> On Tue, 2008-10-28 at 19:15 -0700, Pranav Desai wrote:
>> On Tue, Oct 28, 2008 at 6:54 PM, Pranav Desai <pranavadesai at gmail.com> wrote:
>> > Hello,
>> >
>> > I am trying to do a foreign connect with tproxy4.
>> >
>> > Here is what I have tried so far, seems like I have missed a few
>> > things since it's not working for me.
>> >
>> > After applying the kernel patch for 2.6.24.7, I can get the pkts going
>> > out using a foreign address, I also see the syn ack pkts coming back
>> > from the server on the client machine, but client doesn't send an ack
>> > back. I am guessing that I missed something with the iptables rules ?
>> >
>> > The README suggests that I have to set the following rules and do the
>> > setsockopt for the foreign connect.
>> >
>> >        iptables -t mangle -N DIVERT
>> >        iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
>> >        iptables -t mangle -A DIVERT -j MARK --set-xmark 0x1/0xffffffff
>> >        iptables -t mangle -A DIVERT -j ACCEPT
>> >
>> > For me the --set-xmark fails with:
>> > iptables v1.4.0: Unknown arg `--set-xmark'
>> > Try `iptables -h' or 'iptables --help' for more information.
>> >
>> > I have applied the tproxy patch for iptables-1.4.0
>> >
>> > Here is my mangle table. The UNKNOWN match seems suspicious.
>> >
>
>> Here is the correct mangle table output
>>
>> Chain PREROUTING (policy ACCEPT 258K packets, 36M bytes)
>>  pkts bytes target     prot opt in     out     source               destination
>>   395 29020 DIVERT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           socket
>>
>> Chain INPUT (policy ACCEPT 76083 packets, 11M bytes)
>>  pkts bytes target     prot opt in     out     source               destination
>>
>> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
>>  pkts bytes target     prot opt in     out     source               destination
>>
>> Chain OUTPUT (policy ACCEPT 63346 packets, 12M bytes)
>>  pkts bytes target     prot opt in     out     source               destination
>>
>> Chain POSTROUTING (policy ACCEPT 63346 packets, 12M bytes)
>>  pkts bytes target     prot opt in     out     source               destination
>>
>> Chain DIVERT (1 references)
>>  pkts bytes target     prot opt in     out     source               destination
>>   172 11704 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0           MARK set 0x1
>>   117  7324 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
>>
>> The --set-xmark command is still failing so I tried this:
>>
>> iptables -t mangle -A DIVERT -j MARK --set-mark 0x1
>>
>>
>> But that didn't help. So any help is welcome.
>
> Hm.. did you also set up proper policy routing rules? I mean the packets
> marked with 0x1 should be routed to the local IP stack.
>

No, I didn't. I thought that was only applicable to redirection. I am
still stuck with the tproxy2 thinking of tproxy being used only on the
web server side.

It's working after adding those rules.

Thanks a lot for your help.

-- Pranav

> --
> Bazsi
>
>
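The client side of the foreign connect discussed in this thread, as an added example that is not code from the thread or from the tproxy project. It assumes a Linux kernel with the tproxy4 patch (or a later kernel that carries it in-tree) and CAP_NET_ADMIN on the process; the source and destination addresses are constructed from the RFC 5737 documentation ranges, and the `ip rule` / `ip route` lines in the header comment are the standard policy-routing commands assumed here for delivering fwmark-0x1 packets to the local stack, which is the step the reply above says was missing.

```c
/* Transparent (foreign-source) TCP client for Linux TPROXY.
 * Added example, not code from the tproxy list thread or the tproxy project.
 * Assumes a tproxy4-capable kernel and CAP_NET_ADMIN; addresses are
 * constructed (RFC 5737 documentation ranges).
 *
 * Kernel-side prerequisites, all of which the thread shows are needed:
 *
 *   iptables -t mangle -N DIVERT
 *   iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
 *   iptables -t mangle -A DIVERT -j MARK --set-mark 0x1
 *   iptables -t mangle -A DIVERT -j ACCEPT
 *   ip rule add fwmark 1 lookup 100            (assumed standard commands)
 *   ip route add local 0.0.0.0/0 dev lo table 100
 *
 * Without the last two lines the SYN/ACK for the foreign address is matched
 * by '-m socket' and marked, but routing has no local route for it, so it is
 * never delivered to the socket and the client never sends its ACK.
 */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#ifndef IP_TRANSPARENT
#define IP_TRANSPARENT 19   /* kernel value; older libc headers lack it */
#endif

/* Create a TCP socket bound to a foreign (non-local) source address.
 * Returns the descriptor on success or -errno on failure. */
int transparent_socket(const char *src_ip, unsigned short src_port)
{
    struct sockaddr_in src;
    memset(&src, 0, sizeof(src));
    src.sin_family = AF_INET;
    src.sin_port = htons(src_port);
    if (inet_pton(AF_INET, src_ip, &src.sin_addr) != 1)
        return -EINVAL;

    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -errno;

    /* IP_TRANSPARENT must be set before bind(): it lets the stack accept a
     * non-local address. Requires CAP_NET_ADMIN, otherwise EPERM. */
    int one = 1;
    if (setsockopt(fd, IPPROTO_IP, IP_TRANSPARENT, &one, sizeof(one)) < 0) {
        int err = errno; close(fd); return -err;
    }
    if (bind(fd, (struct sockaddr *)&src, sizeof(src)) < 0) {
        int err = errno; close(fd); return -err;
    }
    return fd;
}

/* Connect the prepared socket to the real server.
 * Returns 0 on success or -errno on failure. */
int transparent_connect(int fd, const char *dst_ip, unsigned short dst_port)
{
    struct sockaddr_in dst;
    memset(&dst, 0, sizeof(dst));
    dst.sin_family = AF_INET;
    dst.sin_port = htons(dst_port);
    if (inet_pton(AF_INET, dst_ip, &dst.sin_addr) != 1)
        return -EINVAL;
    if (connect(fd, (struct sockaddr *)&dst, sizeof(dst)) < 0)
        return -errno;
    return 0;
}

int main(void)
{
    /* Constructed: spoof client 192.0.2.10, talk to 198.51.100.20:80. */
    int fd = transparent_socket("192.0.2.10", 0);
    if (fd < 0) {
        fprintf(stderr, "transparent_socket: %s\n", strerror(-fd));
        return 1;
    }
    int rc = transparent_connect(fd, "198.51.100.20", 80);
    if (rc < 0) {
        fprintf(stderr, "connect: %s\n", strerror(-rc));
        close(fd);
        return 1;
    }
    printf("connected with foreign source 192.0.2.10\n");
    close(fd);
    return 0;
}
```

Run it as root (or with CAP_NET_ADMIN) on the box carrying the rules above; with the constructed destination the connect simply times out, so substitute a reachable server. Two checks tell the stages apart: if `iptables -t mangle -L DIVERT -v` shows the MARK counter rising while the handshake never completes, the packets are being matched and marked but not delivered, which points at a missing `ip rule`/`ip route` entry (`ip rule show`, `ip route show table 100`); if the counters stay at zero, the `-m socket` match is not seeing the reply. Note that for a mark of 0x1, `--set-mark 0x1` sets the same value as `--set-xmark 0x1/0xffffffff`, so the substitution made in the thread is sound.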
