[tproxy] A general question on xt_socket

Balazs Scheidler bazsi at balabit.hu
Thu Oct 30 11:22:09 CET 2008


On Thu, 2008-10-30 at 01:24 +0530, Arun Srinivasan wrote:
> Thank you.
> 
> Currently I am facing an issue; I don't know if it is really an issue. Please clarify.
> 
> In a Linux box with tproxy4 (tproxy4-2.6.26-200809262032), I have two
> proxies, proxy-1 listening on port x and proxy-2 on port y.
> 
> With the tproxy rules (tproxy-mark, -m socket, and policy routing), I
> could redirect the incoming traffic to proxy-1 that listens on port x.
> However, the request from proxy-1 could not be redirected to proxy-2.
> 
> The second redirection, from proxy-1 to proxy-2, is attempted through a
> NAT OUTPUT rule.
> 
> The configured rules are given below:
> ++++++++++++ FOR PROXY-1 +++++++++++++++
> iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --on-port <proxy-1 port> --tproxy-mark 0x1/0x1
> ip rule add fwmark 0x1 lookup 100
> ip route add local 0.0.0.0/0 dev lo table 100
> 
> iptables -t mangle -N DIVERT
> iptables -t mangle -I PREROUTING -p tcp -m socket -j DIVERT
> iptables -t mangle -A DIVERT -j MARK --set-mark 0x1
> iptables -t mangle -A DIVERT -j ACCEPT
> +++++++++++++++++++++++++++++++++++++++++++++++
> 
> 
> +++++++++++  FOR PROXY-2 +++++++++++++++++++++++++++++++++++++
> iptables -t nat -A OUTPUT -p tcp --dport 80 -j DNAT --to <Interface IP>:<proxy-2 port>
> +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
> 
> With the rule for proxy-2, only the TCP SYN packet from proxy-1 gets
> redirected; the three-way handshake does not complete.
> 
> Am I missing out anything or is this the intended behavior?

This DNAT is a different matter; it has no connection to tproxy. Please
check where the SYN-ACK is going (via tcpdump); it should be properly
NAT-ed both ways.

Please check the conntrack table whether the appropriate NAT mapping is
there.

-- 
Bazsi
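The conntrack check Bazsi suggests, as an added example that is not part of the thread or of the tproxy project: a small parser for lines in the layout of /proc/net/nf_conntrack (or `conntrack -L` output) that finds flows the NAT OUTPUT rule should have translated and reports those whose reply tuple does not originate from the DNAT target. The addresses and port are hypothetical stand-ins for the thread's `<Interface IP>` and `<proxy-2 port>` placeholders, and the sample lines are constructed, not a real capture. A DNAT mapping is visible in conntrack as the reply direction's source being the translated address and port; a matching flow that sits in SYN_SENT without such a mapping is what "only the SYN gets redirected" looks like in the table.

```python
"""Audit a conntrack dump for the DNAT mapping a `-t nat -A OUTPUT ... -j DNAT`
rule should create.  Added example; not code from the thread or from tproxy."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Hypothetical stand-ins for the thread's <Interface IP> and <proxy-2 port>.
IFACE_IP = "192.0.2.10"
PROXY2_PORT = 3129

# Constructed sample in /proc/net/nf_conntrack layout: the first src/dst/sport/dport
# group is the original direction, the second is the expected reply direction.
# Line 1: dport 80 flow correctly DNAT-ed to the proxy-2 port.
# Line 2: dport 80 flow with no DNAT mapping, stuck in SYN_SENT.
# Line 3: dport 443 flow, not matched by the rule at all.
SAMPLE_CONNTRACK = """\
ipv4     2 tcp      6 431999 ESTABLISHED src=192.0.2.10 dst=198.51.100.7 sport=40001 dport=80 src=192.0.2.10 dst=192.0.2.10 sport=3129 dport=40001 [ASSURED] mark=0 use=2
ipv4     2 tcp      6 117 SYN_SENT src=192.0.2.10 dst=198.51.100.8 sport=40002 dport=80 src=198.51.100.8 dst=192.0.2.10 sport=80 dport=40002 mark=0 use=1
ipv4     2 tcp      6 431999 ESTABLISHED src=192.0.2.10 dst=198.51.100.9 sport=40003 dport=443 src=198.51.100.9 dst=192.0.2.10 sport=443 dport=40003 [ASSURED] mark=0 use=2
"""

TUPLE_RE = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)")
STATE_RE = re.compile(
    r"\b(SYN_SENT|SYN_RECV|ESTABLISHED|FIN_WAIT|CLOSE_WAIT|LAST_ACK|TIME_WAIT|CLOSE|LISTEN)\b")
PROTO_RE = re.compile(r"\b(tcp|udp)\b")


@dataclass
class Tuple4:
    src: str
    dst: str
    sport: int
    dport: int


@dataclass
class Entry:
    proto: str
    state: Optional[str]   # TCP conntrack state, None for non-TCP
    orig: Tuple4           # packet as the originator sent it (proxy-1 -> :80)
    reply: Tuple4          # packet as the kernel expects the reply; reflects NAT


def parse_conntrack(text: str) -> List[Entry]:
    """Parse conntrack lines; entries without two address tuples are skipped."""
    entries: List[Entry] = []
    for line in text.splitlines():
        tuples = TUPLE_RE.findall(line)
        if len(tuples) != 2:
            continue
        proto_m = PROTO_RE.search(line)
        state_m = STATE_RE.search(line)
        orig, reply = (Tuple4(s, d, int(sp), int(dp)) for s, d, sp, dp in tuples)
        entries.append(Entry(proto_m.group(1) if proto_m else "?",
                             state_m.group(1) if state_m else None, orig, reply))
    return entries


def has_dnat_mapping(e: Entry, to_ip: str, to_port: int) -> bool:
    """DNAT is recorded as the reply tuple's source being the translated endpoint."""
    return e.reply.src == to_ip and e.reply.sport == to_port


def audit_dnat(entries: List[Entry], match_dport: int,
               to_ip: str, to_port: int) -> List[Entry]:
    """Return TCP flows the rule matches (by original dport) that lack the mapping."""
    return [e for e in entries
            if e.proto == "tcp" and e.orig.dport == match_dport
            and not has_dnat_mapping(e, to_ip, to_port)]


if __name__ == "__main__":
    # On a live box, replace SAMPLE_CONNTRACK with open("/proc/net/nf_conntrack").read().
    for e in audit_dnat(parse_conntrack(SAMPLE_CONNTRACK), 80, IFACE_IP, PROXY2_PORT):
        print(f"no DNAT to {IFACE_IP}:{PROXY2_PORT} for {e.orig.src}:{e.orig.sport} -> "
              f"{e.orig.dst}:{e.orig.dport} (state {e.state})")
```

If the flow appears with the mapping but never leaves SYN_SENT, the problem is on the return path rather than in NAT itself, which is where a tcpdump of the SYN-ACK, as suggested above, comes in.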