[tproxy] A general question on xt_socket

Arun Srinivasan hi2arun at gmail.com
Fri Oct 31 06:50:48 CET 2008


Yes. I verified that.

Also FYI, when I enable simplex transparency (only to the client),
proxy-1 to proxy-2 communication is successful. Find below the rules
used for this scenario:

iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to <proxy-1 port>
iptables -t nat -A OUTPUT -p tcp --dport 80 -j DNAT --to <intf-ip>:<proxy2-port>

With tproxy-mark enabled, I am not able to achieve this. Also it was
observed that the conntrack state for the OUTPUT-NAT immediately gets
into CLOSE state as shown below.

ipv4     2 tcp      6 8 CLOSE src=<client-IP> dst=<web_server-IP>
sport=61000 dport=80 packets=3 bytes=140 src=<intf-ip> dst=<client-IP>
sport=<proxy2-port> dport=61000 packets=1 bytes=60 mark=0 secmark=0
use=1

I doubt if it has got something to do with policy routing and the socket match.


2008/10/30 Balazs Scheidler <bazsi at balabit.hu>:
> On Thu, 2008-10-30 at 01:24 +0530, Arun Srinivasan wrote:
>> Thank you.
>>
>> Currently I am facing an issue.. dunno if it is an issue. Please clarify.
>>
>> In a Linux box with tproxy4 (tproxy4-2.6.26-200809262032), I have two
>> proxies, proxy-1 listening on port x and proxy-2 on port y.
>>
>> With the tproxy rules (tproxy-mark, -m socket, and policy routing), I
>> could redirect the incoming traffic to proxy-1 that listens on port x.
>> However, the request from proxy-1 could not be redirected to proxy-2.
>>
>> The second redirection from proxy-1 to proxy-2 is attempted through
>> NAT - OUTPUT rule.
>>
>> The configured rules are given below:
>> ++++++++++++ FOR PROXY-1 +++++++++++++++
>> iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --on-port
>> <proxy-1 port> --tproxy-mark 0x1/0x1
>> ip rule add fwmark 0x1 lookup 100
>> ip route add local 0.0.0.0/0 dev lo table 100
>>
>> iptables -t mangle -N DIVERT
>> iptables -t mangle -I PREROUTING -p tcp -m socket -j DIVERT
>> iptables -t mangle -A DIVERT -j MARK --set-mark 0x1
>> iptables -t mangle -A DIVERT -j ACCEPT
>> +++++++++++++++++++++++++++++++++++++++++++++++
>>
>>
>> +++++++++++  FOR PROXY-2 +++++++++++++++++++++++++++++++++++++
>> iptables -t nat -A OUTPUT -p tcp --dport 80 -j DNAT --to <Interface
>> IP>:<proxy-2 port>
>> +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
>>
>> The rule for proxy-2 makes only the TCP-SYN packet from proxy-1 to be
>> redirected. Three-way handshake is not successful.
>>
>> Am I missing anything or is this the intended behavior?
>
> This DNAT is a different matter, it has no connection to tproxy. Please
> check where the SYN-ACK is going (via tcpdump), it should be properly
> NAT-ed both ways.
>
> Please check the conntrack table whether the appropriate NAT mapping is
> there.
>
> --
> Bazsi
>
>



-- 
Regards,
Arun S.
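Bazsi's suggestion to check the conntrack table for the NAT mapping can be scripted. The parser below is an added example, not code from this thread or from the tproxy project: it reads lines in /proc/net/nf_conntrack format, splits each into its original and reply tuples, reports the DNAT target recorded in the reply tuple, and flags flows that closed before the three-way handshake completed. The sample entries are constructed with placeholder addresses and ports.

```python
# Constructed sample entries in /proc/net/nf_conntrack format, modelled on
# the one quoted in the thread; addresses and ports are placeholders.
SAMPLE = """\
ipv4     2 tcp      6 8 CLOSE src=10.0.0.5 dst=203.0.113.10 sport=61000 dport=80 packets=3 bytes=140 src=192.168.1.1 dst=10.0.0.5 sport=3129 dport=61000 mark=0 secmark=0 use=1
ipv4     2 tcp      6 431999 ESTABLISHED src=10.0.0.5 dst=203.0.113.10 sport=61001 dport=80 packets=12 bytes=900 src=203.0.113.10 dst=10.0.0.5 sport=80 dport=61001 [ASSURED] mark=1 secmark=0 use=1
"""

# Keys that occur once per direction: the first set is the original
# direction, the second set is the reply direction (already NAT-rewritten).
PER_DIRECTION = ("src", "dst", "sport", "dport", "packets", "bytes")

def parse_entry(line):
    """Parse one conntrack line into metadata plus orig/reply tuples."""
    fields = line.split()
    entry = {"l3": fields[0], "l4": fields[2], "timeout": int(fields[4]),
             "state": None, "flags": []}
    orig, reply = {}, {}
    for tok in fields[5:]:
        if "=" in tok:
            key, val = tok.split("=", 1)
            if key in PER_DIRECTION:
                (reply if key in orig else orig)[key] = val
            else:
                entry[key] = val            # mark, secmark, use, ...
        elif tok.startswith("["):
            entry["flags"].append(tok.strip("[]"))   # ASSURED, UNREPLIED
        else:
            entry["state"] = tok            # TCP state such as CLOSE
    entry["orig"], entry["reply"] = orig, reply
    return entry

def nat_mapping(entry):
    """Return the (ip, port) the destination was rewritten to, or None when
    the reply tuple shows no DNAT (reply src equals the original dst)."""
    o, r = entry["orig"], entry["reply"]
    if (r["src"], r["sport"]) != (o["dst"], o["dport"]):
        return (r["src"], r["sport"])
    return None

def handshake_failed(entry):
    """True for a flow that closed after at most one reply packet, i.e. the
    three-way handshake never completed (the symptom in the thread)."""
    return entry["state"] == "CLOSE" and int(entry["reply"].get("packets", 0)) <= 1

def report(text):
    """Summarise every entry as (state, dnat target, handshake failed)."""
    return [(e["state"], nat_mapping(e), handshake_failed(e))
            for e in (parse_entry(l) for l in text.splitlines() if l.strip())]

if __name__ == "__main__":
    for row in report(SAMPLE):
        print(row)
```

Run it against `cat /proc/net/nf_conntrack` output (or `conntrack -L` reformatted to the same layout) to confirm that the reply tuple of the proxy-1 flow really points at `<intf-ip>:<proxy2-port>`.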

