[tproxy] Configuration for multiple listening sockets, none of them on 'lo'

Ashwani Wason ashwas at gmail.com
Thu Jul 30 02:57:32 CEST 2009

Hi All,

I have a transparent proxy, which I want to listen on four VLAN
interfaces on 2.6.30 kernel. Various reasons, but the proxy cannot
listen on 'lo' or on INADDR_ANY. The interfaces are eth0.31 through
eth0.34 and the proxy opens one listening socket per interface. All
listening sockets are bound to the same port, 2345. I am trying to set
up rules similar to what has been documented so far. This is what I
have - the idea is to mark all packets identically (with mark 1) based
on destination port 80 but using IP rules have them lookup a different
routing table based on the incoming interface. The routing table would
then deliver the packet to the corresponding physical interface. The
problem is that the proxy never sees these connections (netstat -ant
also does not show them, which means that IP is not delivering them).

> "iptables -t mangle -N DIVERT"
> "iptables -t mangle -A DIVERT -j MARK --set-mark 1"
> "iptables -t mangle -A DIVERT -j ACCEPT"
> "iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT"
> "iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 2345"
> "ip rule add fwmark 1 iif eth0.31 lookup 101"
> "ip route add local dev eth0.31 table 101"
> "ip rule add fwmark 1 iif eth0.32 lookup 102"
> "ip route add local dev eth0.32 table 102"
> "ip rule add fwmark 1 iif eth0.33 lookup 103"
> "ip route add local dev eth0.33 table 103"
> "ip rule add fwmark 1 iif eth0.34 lookup 104"
> "ip route add local dev eth0.34 table 104"

There is not much in the man page about the 'dev' argument of 'ip
route add' other than that it is the output device name. Perhaps my
interpretation is incorrect.

The iptables rules are working okay, as the "hit count" of pkts and
bytes keeps going up in the output of 'iptables -t mangle -L -nv'. I
am not sure what is happening thereafter. The packets are seemingly
going into a black hole because 'netstat -sw' does not show them
discarded, delivered, or forwarded.

[root@]# netstat -sw
    1859156 total packets received
    0 forwarded
    18 with unknown protocol
    0 incoming packets discarded
    3917 incoming packets delivered
    2692 requests sent out

Can you please help identify what is going on? If this has already
been posted elsewhere then please let me know.

- Ashwani
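As an added example (not part of the original post or of any tproxy project code), a small POSIX shell helper that prints the rule set described above for any number of ingress interfaces, one routing table per interface, and appends the commands for checking what was installed. It uses the route form given in the kernel's Documentation/networking/tproxy.txt, `local 0.0.0.0/0 dev <if> table <N>`, which names an explicit prefix; the mark, port, table numbering and DIVERT chain name follow the post, and the interface devices are assumed to be the ones the proxy binds to.

```shell
#!/bin/sh
# tproxy_rules MARK PORT BASE_TABLE IF1 [IF2 ...]
# Emits (does not execute) the mangle rules plus one "ip rule"/"ip route"
# pair per ingress interface, so the output can be reviewed, then piped
# to sh as root once it looks right.
tproxy_rules() {
    mark="$1"; port="$2"; base="$3"; shift 3
    cat <<EOF
iptables -t mangle -N DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark $mark
iptables -t mangle -A DIVERT -j ACCEPT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark $mark/$mark --on-port $port
EOF
    i=0
    for dev in "$@"; do
        table=$((base + i))
        # Marked packets arriving on $dev consult table $table, whose only
        # entry is a "local" route (explicit 0.0.0.0/0 prefix, as in tproxy.txt)
        # that hands them to the local stack via $dev.
        echo "ip rule add fwmark $mark iif $dev lookup $table"
        echo "ip route add local 0.0.0.0/0 dev $dev table $table"
        i=$((i + 1))
    done
}

# tproxy_checks MARK BASE_TABLE IF1 [IF2 ...]
# Emits the read-only commands worth running after setup: confirm each
# table really holds the local route, that the rules are ordered as
# expected, and that the mangle counters and listening sockets line up.
tproxy_checks() {
    mark="$1"; base="$2"; shift 2
    i=0
    for dev in "$@"; do
        echo "ip route show table $((base + i))"
        i=$((i + 1))
    done
    echo "ip rule show"
    echo "iptables -t mangle -L PREROUTING -nv"
    echo "netstat -ant | grep LISTEN"
}

# Example invocation mirroring the post (four VLAN interfaces, tables 101-104):
# tproxy_rules 1 2345 101 eth0.31 eth0.32 eth0.33 eth0.34
# tproxy_checks 1 101 eth0.31 eth0.32 eth0.33 eth0.34
```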

