[tproxy] Problem with redirection from 80 to 8080 with -j TPROXY redirect
Pranav Desai
pranavadesai at gmail.com
Mon Mar 2 21:16:01 CET 2009
Hello All,
I am having some trouble redirecting port 80 traffic to 8080 using
tproxy for transparent proxying.
The SYNs come in, but there is no SYN-ACK going out. iptables -L does
show the rules being matched.
tcpdump output
--------------------
# tcpdump -nn -i eth1 port 8080 or port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
12:12:30.973583 IP 13.1.1.1.34879 > 172.16.55.205.80: S 2941026950:2941026950(0) win 5840 <mss 1460,sackOK,timestamp 3948186312 0,nop,wscale 7>
12:12:33.974329 IP 13.1.1.1.34879 > 172.16.55.205.80: S 2941026950:2941026950(0) win 5840 <mss 1460,sackOK,timestamp 3948189312 0,nop,wscale 7>
Kernel (with tproxy enabled) and Iptables Version
--------------------------------------------------------------
# iptables -V
iptables v1.4.3-rc1
# uname -a
Linux dev 2.6.28.3 #1 SMP Sun Mar 1 23:13:20 PST 2009 x86_64 x86_64
x86_64 GNU/Linux
I am only trying to get the first step of redirection working.
Are these instructions in the README enough, or do I need anything else?
<instructions>
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY \
    --on-port <proxyport> --tproxy-mark 0x1/0x1
ip rule add fwmark 1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100
</instructions>
I do have 2 interfaces; does that have anything to do with the problem?
I have even tried with the other mangle rules (the rules for socket
match) given in the README, but still no difference. I have given some
details below, but let me know if you need any other details.
Thanks
-- Pranav
mangle table (nat and filter table are empty)
--------------------------------------------------------
Chain PREROUTING (policy ACCEPT 31132 packets, 2279K bytes)
 pkts bytes target  prot opt in  out source    destination
    3   180 TPROXY  tcp  --  *   *   0.0.0.0/0 0.0.0.0/0   tcp dpt:80 TPROXY redirect 0.0.0.0:8080 mark 0x1/0x1

Chain INPUT (policy ACCEPT 33779 packets, 2304K bytes)
 pkts bytes target  prot opt in  out source    destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target  prot opt in  out source    destination

Chain OUTPUT (policy ACCEPT 36335 packets, 35M bytes)
 pkts bytes target  prot opt in  out source    destination

Chain POSTROUTING (policy ACCEPT 36355 packets, 35M bytes)
 pkts bytes target  prot opt in  out source    destination

Chain DIVERT (0 references)
 pkts bytes target  prot opt in  out source    destination
Here are my ip rule and route setting
---------------------------------------------
# ip rule ls
0: from all lookup 255
32765: from all fwmark 0x1 lookup 100
32766: from all lookup main
32767: from all lookup default
# ip route ls table 100
local default dev lo scope host
Here are my modules.
---------------------------
# lsmod | egrep "xt|nf"
xt_TPROXY 2944 1
xt_socket 3264 0
nf_tproxy_core 3200 2 xt_TPROXY,xt_socket,[permanent]
xt_MARK 3456 0
nf_nat 18580 2 ipt_REDIRECT,iptable_nat
nf_conntrack_ipv4 14680 3 iptable_nat,nf_nat
nf_conntrack 58984 4 xt_socket,iptable_nat,nf_nat,nf_conntrack_ipv4
nf_defrag_ipv4 2560 3 xt_TPROXY,xt_socket,nf_conntrack_ipv4
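For readers following this thread: the TPROXY target does not DNAT the packet to 0.0.0.0:8080 the way REDIRECT would. It hands the matched SYN to a local TCP socket that is bound on --on-port and has the IP_TRANSPARENT option set; if no such listener exists there is nothing on the box to answer with a SYN-ACK. The following Python is an added example of that listener, not code from the original post or from the tproxy README. The function names, the loopback self-check and the use of the thread are mine; the addresses in the comments are the ones from the capture above and are only illustrative.

```python
import socket
import threading

# Linux value of IP_TRANSPARENT; older Python builds lack the constant.
IP_TRANSPARENT = getattr(socket, "IP_TRANSPARENT", 19)


def make_listener(host="0.0.0.0", port=8080, transparent=True, backlog=16):
    """Create the TCP listener that -j TPROXY --on-port <port> delivers to.

    IP_TRANSPARENT is what lets the socket own connections whose
    destination (172.16.55.205:80 in the capture) is not a local address.
    Setting it needs CAP_NET_ADMIN, so a PermissionError here means the
    proxy lacks privilege and TPROXY has no usable socket to deliver to.
    transparent=False gives a plain listener, used by the unprivileged
    loopback self-check below.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    if transparent:
        s.setsockopt(socket.IPPROTO_IP, IP_TRANSPARENT, 1)
    s.bind((host, port))
    s.listen(backlog)
    return s


def accept_diverted(listener):
    """Accept one connection and return (conn, client_addr, original_dst).

    Because TPROXY leaves the addresses untouched, getsockname() on the
    accepted socket reports the client's original destination (host:80),
    not the --on-port the listener is bound to.
    """
    conn, client = listener.accept()
    return conn, client, conn.getsockname()


def connect_upstream(client_addr, original_dst):
    """Server-side leg of a fully transparent proxy (assumed design, not
    required for the first step the post asks about): bind to the client's
    own IP with IP_TRANSPARENT so the origin server sees 13.1.1.1 rather
    than the proxy. The server's replies are then addressed to the client,
    and only the socket-match/DIVERT rules from the README bring them back
    to this socket; plain routing will not.
    """
    up = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    up.setsockopt(socket.IPPROTO_IP, IP_TRANSPARENT, 1)
    up.bind((client_addr[0], 0))
    up.connect(original_dst)
    return up


def loopback_selfcheck():
    """Unprivileged check of the accept path: dial a plain listener on
    127.0.0.1 and confirm the accepted socket reports the dialled address.
    Returns (dialled, reported_by_getsockname)."""
    ln = make_listener("127.0.0.1", 0, transparent=False)
    dialled = ln.getsockname()
    result = {}

    def server():
        conn, _client, orig = accept_diverted(ln)
        result["orig"] = orig
        conn.close()

    t = threading.Thread(target=server)
    t.start()
    c = socket.create_connection(dialled)
    t.join()
    c.close()
    ln.close()
    return dialled, result["orig"]


if __name__ == "__main__":
    # Real use: run as root (CAP_NET_ADMIN) on the box that holds the
    # mangle rule and the fwmark/table 100 routing from the README.
    ln = make_listener("0.0.0.0", 8080, transparent=True)
    print("transparent listener on", ln.getsockname())
    conn, client, orig = accept_diverted(ln)
    print("diverted %s:%d -> %s:%d" % (client + orig))
    conn.close()
```

Run the script as root on the redirecting host with the README rules in place and then repeat the client's connection: if the mangle counter increments and the script prints the diverted tuple, the TPROXY half works and any remaining problem is in the return path. If it raises PermissionError on setsockopt, the proxy was never able to create a transparent socket in the first place.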