[tproxy] netcat for tproxy (and additional noob questions)

KOVACS Krisztian hidden at sch.bme.hu
Wed Jul 8 12:09:33 CEST 2009


On sze, júl 08, 2009 at 02:19:41 +0800, Adrian Chadd wrote:
> 2009/7/7 KOVACS Krisztian <hidden at sch.bme.hu>:
> >> > Reusing the original port is usually a bad idea. A notable example of
> >> > things breaking is Netfilter connection tracking, which gets confused
> >> > if
> >> > you reuse the exact same endpoints for a different connection.
> >>
> >> Technically they are not the exact same if you include the interface.  If it
> >> doesn't consider the interface then they would appear the same.
> >
> > Netfilter conntrack is interface agnostic -- and you're right that it's
> > exactly that what's causing the problem here.
> So are you saying that the Linux TPROXY4 code as it stands won't
> handle the case of a client sending a connection out with a source
> port that the TPROXY4 proxy is currently using itself for a client IP
> spoofed connection?

No, it's just that if you happen to have Netfilter conntrack loaded it
won't work. This is a limitation of connection tracking.

Transparent proxy support in the kernel doesn't require connection
tracking, so if you're not using that the scenario above should work just

KOVACS Krisztian

More information about the tproxy mailing list