[tproxy] netcat for tproxy (and additional noob questions)

John Lauro john.lauro at covenanteyes.com
Sun Jul 5 21:16:47 CEST 2009

> I've been looking to put some better documentation together for what
> Lusca does for TPROXY4 (I'm guessing you're talking about that and not

I think so...  It's whatever is now standard in the kernel without extra

> In any case, the process is somewhat like this:
> * iptables/routing table setup - http://wiki.squid-cache.org/Features/Tproxy4

Ok, I was mostly there.  I was missing one critical rule.  I think I
understand it better now, as that wiki article does a little bit of
explaining as to why the rules.

> * create listen socket
> * setsockopt to make it transparent
> * bind() to, relevant port that you've redirected traffic to
> * listen() as usual
> Then, you accept() as usual, use getsockname() to determine the
> original destination. Then for the outbound socket:

getsockname() is returning back the source/client IP & port instead of the
original destination.  I will need that, but that's only half...  I'm
possibly just not passing the correct structure(?)  Switching a couple of
things around, instead it returns back the generic address I bound
as, which is not any better.  It might not help that I am testing it from a
slightly modified netcat instead of a more simple test and I am probably
overlooking something simple.  Perhaps next I'll try a more simple code test
from scratch instead of patching netcat.

At least now I am confident I have the rules in place so that I can intercept
a stream.  I just have to be able to figure out where they were going...
(and then the other half which should be easier, recreating them as you

> * create socket
> * setsockopt to make it transparent
> * bind() to relevant IP (and port, or leave it 0 to let the stack
> choose a port IIRC)
Should I be able to reuse the original source port, or will that fail/cause
problems as it would already be in the connection table (except with
local/foreign reversed)?

> * connect() as usual
> I haven't yet really looked into the TPROXY4 kernel implementation to
> know precisely what is going on. I can't find some clear, concise
> documentation either explaining the "how" or "why" behind the iptables
> rules and why packets need to be punted via the loopback interface.
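
Added example (mine, not code from this thread, Lusca or netcat): the listen/accept half of the procedure quoted above in C, with the point the thread circles around made explicit: getsockname() gives the original destination only when asked of the accepted socket, not the listener. The function names and the loopback self-test are my own; the transparent path assumes Linux with CAP_NET_ADMIN, while the self-test runs unprivileged.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <unistd.h>
#ifndef IP_TRANSPARENT
#define IP_TRANSPARENT 19   /* Linux value; glibc normally provides it via netinet/in.h */
#endif

/* Intercepting listener. IP_TRANSPARENT must be set BEFORE bind() so the socket may
 * own addresses the box does not hold; transparent=0 gives a plain listener (self-test). */
int tproxy_listener(const char *ip, unsigned short port, int transparent) {
    int fd = socket(AF_INET, SOCK_STREAM, 0), one = 1;
    struct sockaddr_in sa = { .sin_family = AF_INET, .sin_port = htons(port) };
    if (fd < 0) return -1;
    if (inet_pton(AF_INET, ip, &sa.sin_addr) != 1 ||
        setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one) < 0 ||
        (transparent && setsockopt(fd, IPPROTO_IP, IP_TRANSPARENT, &one, sizeof one) < 0) ||
        bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(fd, 16) < 0) {
        close(fd); return -1;
    }
    return fd;
}

/* Both calls belong on the ACCEPTED socket, not the listener: getsockname() is the local
 * side of the intercepted flow, i.e. the original destination under TPROXY, and
 * getpeername() is the client. On the listener, getsockname() is just the bind address. */
int original_destination(int conn, struct sockaddr_in *dst) {
    socklen_t len = sizeof *dst;
    return getsockname(conn, (struct sockaddr *)dst, &len);
}
int client_address(int conn, struct sockaddr_in *src) {
    socklen_t len = sizeof *src;
    return getpeername(conn, (struct sockaddr *)src, &len);
}

/* Unprivileged loopback check: 1 when the accepted socket reports the listener's port as
 * destination and the connecting socket's port as client (constructed test, no TPROXY). */
int loopback_selftest(void) {
    struct sockaddr_in lst, cli, dst, src;
    socklen_t len = sizeof lst, clen = sizeof cli;
    int ls = tproxy_listener("127.0.0.1", 0, 0), cs = socket(AF_INET, SOCK_STREAM, 0), conn, ok;
    if (ls < 0 || cs < 0 || getsockname(ls, (struct sockaddr *)&lst, &len) < 0 ||
        connect(cs, (struct sockaddr *)&lst, sizeof lst) < 0) return 0;
    conn = accept(ls, NULL, NULL);
    ok = conn >= 0 && getsockname(cs, (struct sockaddr *)&cli, &clen) == 0 &&
         original_destination(conn, &dst) == 0 && client_address(conn, &src) == 0 &&
         dst.sin_port == lst.sin_port && src.sin_port == cli.sin_port;
    close(conn); close(cs); close(ls);
    return ok;
}
```

The outbound leg follows the same shape as the quoted steps: new socket, IP_TRANSPARENT before bind(), bind() to the client's address (port 0 to let the stack choose), then connect() to the address original_destination() returned.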
