[tproxy] netcat for tproxy (and additional noob questions)

KOVACS Krisztian hidden at sch.bme.hu
Wed Jul 8 12:09:33 CEST 2009


Hi,

On sze, júl 08, 2009 at 02:19:41 +0800, Adrian Chadd wrote:
> 2009/7/7 KOVACS Krisztian <hidden at sch.bme.hu>:
> 
> >> > Reusing the original port is usually a bad idea. A notable example of
> >> > things breaking is Netfilter connection tracking, which gets confused
> >> > if
> >> > you reuse the exact same endpoints for a different connection.
> >>
> >> Technically they are not the exact same if you include the interface.  If it
> >> doesn't consider the interface then they would appear the same.
> >
> > Netfilter conntrack is interface agnostic -- and you're right that it's
> > exactly that what's causing the problem here.
> 
> So are you saying that the Linux TPROXY4 code as it stands won't
> handle the case of a client sending a connection out with a source
> port that the TPROXY4 proxy is currently using itself for a client IP
> spoofed connection?

No, it's just that if you happen to have Netfilter conntrack loaded it
won't work. This is a limitation of connection tracking.

Transparent proxy support in the kernel doesn't require connection
tracking, so if you're not using that the scenario above should work just
fine.

-- 
KOVACS Krisztian


More information about the tproxy mailing list