[tproxy] Configuration for multiple listening sockets, none of them on 'lo'

KOVACS Krisztian hidden at sch.bme.hu
Fri Jul 31 12:01:24 CEST 2009


On Wed, Jul 29, 2009 at 05:57:32 -0700, Ashwani Wason wrote:
> Hi All,
> I have a transparent proxy, which I want to listen on four VLAN
> interfaces on 2.6.30 kernel. Various reasons, but the proxy cannot
> listen on 'lo' or on INADDR_ANY. The interfaces are eth0.31 through
> eth0.34 and the proxy opens one listening socket per interface. All
> listening sockets are bound to the same port, 2345. I am trying to set
> up rules similar to what has been documented so far. This is what I
> have - the idea is to mark all packets identically (with mark 1) based
> on destination port 80 but using IP rules have them lookup a different
> routing table based on the incoming interface. The routing table would
> then deliver the packet to the corresponding physical interface. The
> problem is that the proxy never sees these connections (netstat -ant
> also does not show them, which means that IP is not delivering them).
> > "iptables -t mangle -N DIVERT"
> > "iptables -t mangle -A DIVERT -j MARK --set-mark 1"
> > "iptables -t mangle -A DIVERT -j ACCEPT"
> > "iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT"
> > "iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 2345"
> >
> > "ip rule add fwmark 1 iif eth0.31 lookup 101"
> > "ip route add local dev eth0.31 table 101"
> >
> > "ip rule add fwmark 1 iif eth0.32 lookup 102"
> > "ip route add local dev eth0.32 table 102"
> >
> > "ip rule add fwmark 1 iif eth0.33 lookup 103"
> > "ip route add local dev eth0.33 table 103"
> >
> > "ip rule add fwmark 1 iif eth0.34 lookup 104"
> > "ip route add local dev eth0.34 table 104"

Instead of using multiple IP rules and routing tables, I'd suggest using
multiple TPROXY targets, plus make use of the --on-ip argument of the
TPROXY target.

Something like this:

iptables -t mangle -A PREROUTING -i eth0.31 -p tcp --dport 80 -j TPROXY \
    --tproxy-mark 0x1/0x1 --on-ip PROXY_IP_FOR_VLAN_31 --on-port 2345
iptables -t mangle -A PREROUTING -i eth0.32 ...

And stick to the recommended routing setup (just one extra routing table
and one route).

KOVACS Krisztian
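The per-interface TPROXY layout suggested in the reply, written out as an added example (not code from either poster): a small POSIX shell generator that takes "interface:proxy-ip" pairs and prints the DIVERT chain from the original question, one TPROXY rule per ingress VLAN using --on-ip, and the single fwmark rule plus one local route from the kernel TPROXY documentation. It prints the commands rather than running iptables, so it can be reviewed or piped into sh on the proxy host. The VLAN addresses and the table number 100 are assumptions, not values from the thread.

```shell
#!/bin/sh
# Added example: emit the rule set from the reply for a list of IFACE:IP pairs.
# Only prints commands; nothing here touches the running firewall or routing.

PROXY_PORT=2345   # listening port used in the thread
MARK_TABLE=100    # routing table for marked packets (assumed, as in the kernel TPROXY docs)

# gen_tproxy_rules IFACE:IP [IFACE:IP ...]
gen_tproxy_rules() {
    # DIVERT chain: packets that already belong to a local socket (established
    # proxied connections) are marked and accepted so they skip the TPROXY target.
    printf '%s\n' \
        "iptables -t mangle -N DIVERT" \
        "iptables -t mangle -A DIVERT -j MARK --set-mark 1" \
        "iptables -t mangle -A DIVERT -j ACCEPT" \
        "iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT"

    # One TPROXY rule per ingress interface: new port-80 flows arriving on that
    # VLAN are handed to the listening socket bound to that VLAN's own address
    # (--on-ip), so no per-interface routing table is needed.
    for pair in "$@"; do
        iface=${pair%%:*}
        ip=${pair#*:}
        printf '%s\n' "iptables -t mangle -A PREROUTING -i $iface -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-ip $ip --on-port $PROXY_PORT"
    done

    # The single rule and route from the TPROXY documentation: anything carrying
    # mark 1 is delivered locally. This is independent of which address the
    # proxy socket itself is bound to.
    printf '%s\n' \
        "ip rule add fwmark 1 lookup $MARK_TABLE" \
        "ip route add local 0.0.0.0/0 dev lo table $MARK_TABLE"
}

# Number of TPROXY rules that would be installed; quick sanity check that every
# VLAN got its own rule.
count_tproxy_rules() {
    gen_tproxy_rules "$@" | grep -c -- '-j TPROXY'
}

# Usage on the proxy host (sample addresses are constructed):
#   gen_tproxy_rules eth0.31:10.0.31.1 eth0.32:10.0.32.1 | sh
gen_tproxy_rules eth0.31:10.0.31.1 eth0.32:10.0.32.1 eth0.33:10.0.33.1 eth0.34:10.0.34.1
```

Each --on-ip must be an address the proxy actually listens on for port 2345; if a VLAN's socket is missing, TPROXY finds no listener for that rule and the packet is dropped, which shows up as exactly the "proxy never sees the connection" symptom from the question, so checking `netstat -ant` for one LISTEN entry per VLAN address is the first thing to verify after loading the rules.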

