[tproxy] Problem with redirection from 80 to 8080 with -j TPROXY redirect [SOLVED]

Pranav Desai pranavadesai at gmail.com
Tue Mar 3 19:33:05 CET 2009


Hello All,

Even the listen socket needs to have setsockopt(IP_TRANSPARENT). I
missed that; I was doing it only for the backend connecting socket.

Thanks
-- Pranav

On Mon, Mar 2, 2009 at 12:16 PM, Pranav Desai <pranavadesai at gmail.com> wrote:
> Hello All,
>
> I am having some trouble redirecting port 80 traffic to 8080 using
> tproxy for transparent proxying.
> The SYNs come in but there is no SYN-ACK going out. The iptables -L does
> show the rules being matched.
>
> tcpdump output
> --------------------
> # tcpdump -nn -i eth1 port 8080 or port 80
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
>
> 12:12:30.973583 IP 13.1.1.1.34879 > 172.16.55.205.80: S
> 2941026950:2941026950(0) win 5840 <mss 1460,sackOK,timestamp
> 3948186312 0,nop,wscale 7>
> 12:12:33.974329 IP 13.1.1.1.34879 > 172.16.55.205.80: S
> 2941026950:2941026950(0) win 5840 <mss 1460,sackOK,timestamp
> 3948189312 0,nop,wscale 7>
>
> Kernel (with tproxy enabled) and Iptables Version
> --------------------------------------------------------------
> # iptables -V
> iptables v1.4.3-rc1
> # uname -a
> Linux dev 2.6.28.3 #1 SMP Sun Mar 1 23:13:20 PST 2009 x86_64 x86_64
> x86_64 GNU/Linux
>
>
> I am only trying to get the first step of redirection working.
>
> Are these instructions in the README enough, or do I need anything else ?
> <instructions>
>    iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY
> --on-port <proxyport>  --tproxy-mark 0x1/0x1
>
>    ip rule add fwmark 1 lookup 100
>    ip route add local 0.0.0.0/0 dev lo table 100
> </instructions>
>
> I do have 2 interfaces, does that have anything to do with the problem ?
>
> I have even tried with the other mangle rules (the rules for socket
> match) given in the README, but still no difference. I have given some
> details below, but let me know if you need any other details.
>
> Thanks
> -- Pranav
>
>
> mangle table (nat and filter table are empty)
> --------------------------------------------------------
> Chain PREROUTING (policy ACCEPT 31132 packets, 2279K bytes)
>  pkts bytes target     prot opt in     out     source
> destination
>    3   180 TPROXY     tcp  --  *      *       0.0.0.0/0
> 0.0.0.0/0           tcp dpt:80 TPROXY redirect 0.0.0.0:8080 mark
> 0x1/0x1
>
> Chain INPUT (policy ACCEPT 33779 packets, 2304K bytes)
>  pkts bytes target     prot opt in     out     source
> destination
>
> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source
> destination
>
> Chain OUTPUT (policy ACCEPT 36335 packets, 35M bytes)
>  pkts bytes target     prot opt in     out     source
> destination
>
> Chain POSTROUTING (policy ACCEPT 36355 packets, 35M bytes)
>  pkts bytes target     prot opt in     out     source
> destination
>
> Chain DIVERT (0 references)
>  pkts bytes target     prot opt in     out     source
> destination
>
>
> Here are my ip rule and route setting
> ---------------------------------------------
> # ip rule ls
> 0:      from all lookup 255
> 32765:  from all fwmark 0x1 lookup 100
> 32766:  from all lookup main
> 32767:  from all lookup default
>
> # ip route ls table 100
> local default dev lo  scope host
>
>
> Here are my modules.
> ---------------------------
> # lsmod | egrep "xt|nf"
> [root at vcadev httpd]# ip rule ls
> xt_TPROXY               2944  1
> xt_socket               3264  0
> nf_tproxy_core          3200  2 xt_TPROXY,xt_socket,[permanent]
> xt_MARK                 3456  0
> nf_nat                 18580  2 ipt_REDIRECT,iptable_nat
> nf_conntrack_ipv4      14680  3 iptable_nat,nf_nat
> nf_conntrack           58984  4 xt_socket,iptable_nat,nf_nat,nf_conntrack_ipv4
> nf_defrag_ipv4          2560  3 xt_TPROXY,xt_socket,nf_conntrack_ipv4
>
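As an added illustration of the fix described in this thread (example code, not something posted by Pranav or shipped with tproxy), the listener below sets IP_TRANSPARENT on the listening socket before bind(), which is the step the original proxy was missing; port 8080 and the backlog are assumptions, and running it needs CAP_NET_ADMIN plus the TPROXY rule and routing table quoted above.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Set IP_TRANSPARENT on fd: 0 on success, -errno on failure
 * (-EPERM when the process lacks CAP_NET_ADMIN). */
int set_transparent(int fd)
{
    int one = 1;
    return setsockopt(fd, IPPROTO_IP, IP_TRANSPARENT, &one, sizeof(one)) < 0 ? -errno : 0;
}

/* 1 if IP_TRANSPARENT is set on fd, 0 if not, -errno on error. */
int is_transparent(int fd)
{
    int val = 0;
    socklen_t len = sizeof(val);
    return getsockopt(fd, IPPROTO_IP, IP_TRANSPARENT, &val, &len) < 0 ? -errno : (val != 0);
}

/* Transparent TCP listener on 0.0.0.0:port (assumed 8080); returns fd or -errno. */
int make_transparent_listener(unsigned short port)
{
    struct sockaddr_in sa = { .sin_family = AF_INET, .sin_port = htons(port) };
    int rc, fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -errno;
    if ((rc = set_transparent(fd)) < 0) { close(fd); return rc; } /* the missing call */
    if (bind(fd, (struct sockaddr *)&sa, sizeof(sa)) < 0 || listen(fd, 128) < 0) {
        rc = -errno; close(fd); return rc;
    }
    return fd;
}

int main(void)
{
    int lfd = make_transparent_listener(8080);
    if (lfd < 0) { fprintf(stderr, "listener: %s\n", strerror(-lfd)); return 1; }
    for (;;) {
        struct sockaddr_in orig; socklen_t olen = sizeof(orig);
        int cfd = accept(lfd, NULL, NULL);
        if (cfd < 0) continue;
        /* TPROXY leaves headers intact, so the accepted socket's local address is
         * the client's original destination (the host:80 seen in the tcpdump). */
        if (getsockname(cfd, (struct sockaddr *)&orig, &olen) == 0)
            printf("original destination %s:%u\n", inet_ntoa(orig.sin_addr), ntohs(orig.sin_port));
        close(cfd);
    }
}
```

Without the set_transparent() call the kernel accepts the SYN for the TPROXY-diverted packet but finds no socket willing to own the foreign address, which is why only SYN retransmits appear in the capture.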