[tproxy] Problem with redirection from 80 to 8080 with -j TPROXY redirect

Balazs Scheidler bazsi at balabit.hu
Sun Mar 15 10:06:36 CET 2009


On Mon, 2009-03-02 at 12:16 -0800, Pranav Desai wrote:
> Hello All,
> 
> I am having some trouble redirecting port 80 traffic to 8080 using
> tproxy for transparent proxying.
> The SYNs come in but there is no SYN-ACK going out. The iptables -L does
> show the rules being matched.
> 
> tcpdump output
> --------------------
> # tcpdump -nn -i eth1 port 8080 or port 80
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
> 
> 12:12:30.973583 IP 13.1.1.1.34879 > 172.16.55.205.80: S 2941026950:2941026950(0) win 5840 <mss 1460,sackOK,timestamp 3948186312 0,nop,wscale 7>
> 12:12:33.974329 IP 13.1.1.1.34879 > 172.16.55.205.80: S 2941026950:2941026950(0) win 5840 <mss 1460,sackOK,timestamp 3948189312 0,nop,wscale 7>
> 
> Kernel (with tproxy enabled) and Iptables Version
> --------------------------------------------------------------
> # iptables -V
> iptables v1.4.3-rc1
> # uname -a
> Linux dev 2.6.28.3 #1 SMP Sun Mar 1 23:13:20 PST 2009 x86_64 x86_64 x86_64 GNU/Linux
> 
> 
> I am only trying to get the first step of redirection working.
> 
> Are these instructions in the README enough, or do I need anything else?
> <instructions>
>     iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --on-port <proxyport> --tproxy-mark 0x1/0x1
> 
>     ip rule add fwmark 1 lookup 100
>     ip route add local 0.0.0.0/0 dev lo table 100
> </instructions>
> 
> I do have 2 interfaces, does that have anything to do with the problem?
> 
> I have even tried with the other mangle rules (the rules for socket
> match) given in the README, but still no difference. I have given some
> details below, but let me know if you need any other details.
> 
> Thanks
> -- Pranav

Hmm, can you check that the SYN packets arrive at the filter/INPUT chain
as well? Just add a LOG rule in your INPUT chain.

-- 
Bazsi
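
The LOG check suggested in the reply, written out as an added example that is not part of either message: one LOG rule ahead of the TPROXY rule in mangle/PREROUTING, one in filter/INPUT, and a small parser that reports where the port-80 SYNs were last seen. The log prefixes `TPROXY-PRE` and `TPROXY-IN`, the function names, and the sample log lines are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example: LOG-based check of how far a port-80 SYN gets.
# The prefixes TPROXY-PRE / TPROXY-IN are assumed names, not from the thread.

# Needs root, so it is defined but not called here. "-I ... 1" puts each LOG
# rule at the top of its chain, i.e. ahead of the TPROXY rule in PREROUTING.
install_log_rules() {
    iptables -t mangle -I PREROUTING 1 -p tcp --dport 80 --syn \
        -j LOG --log-prefix "TPROXY-PRE: "
    iptables -t filter -I INPUT 1 -p tcp --dport 80 --syn \
        -j LOG --log-prefix "TPROXY-IN: "
}

# Reads kernel log text on stdin and prints one verdict:
#   no-syn-logged          nothing matched either LOG rule
#   stops-before-INPUT     seen in PREROUTING, never delivered to INPUT
#   reaches-INPUT-unmarked delivered locally, but without fwmark bit 0x1
#   reaches-INPUT-marked   delivered locally with the --tproxy-mark value
where_syn_stops() {
    awk '
        /TPROXY-PRE: / && / SYN / && /DPT=80 / { pre++ }
        /TPROXY-IN: /  && / SYN / && /DPT=80 / {
            inp++
            if ($0 ~ /MARK=0x1( |$)/) marked++
        }
        END {
            if (!pre && !inp) print "no-syn-logged"
            else if (!inp)    print "stops-before-INPUT"
            else if (!marked) print "reaches-INPUT-unmarked"
            else              print "reaches-INPUT-marked"
        }'
}

# Constructed, abridged kernel log lines (addresses reused from the tcpdump
# output in the question; these are not real captured logs).
SAMPLE_LOG='kernel: TPROXY-PRE: IN=eth1 OUT= SRC=13.1.1.1 DST=172.16.55.205 PROTO=TCP SPT=34879 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0 
kernel: TPROXY-PRE: IN=eth1 OUT= SRC=13.1.1.1 DST=172.16.55.205 PROTO=TCP SPT=34879 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0 '

printf '%s\n' "$SAMPLE_LOG" | where_syn_stops
```

On a live box, feed it the kernel log instead of the sample, for example `dmesg | where_syn_stops`, and remove the two LOG rules afterwards.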