[tproxy] [HELP] Tproxy server Can't receive any client packet

JeHo Park linuxpark at gmail.com
Mon Nov 23 09:09:59 CET 2009


Hello everyone ~

I have a problem in my transparent proxy test.
I recently set up the testbed below to run the tproxy-patched
Apache proxy [mod_proxy],
and I applied all iptables and routing rules by referring to the
readme file [http://www.balabit.com/downloads/files/tproxy/README.txt,
http://www.mjmwired.net/kernel/Documentation/networking/tproxy.txt].
The proxy server is listening on port 3128 and I checked that there was no problem.
But when the client tried to connect to the web server,
the packets reached the box and I found the usage counts of the filter
rules in the mangle table increased,
but my tproxy server could not receive any corresponding packet from the socket.

I want to know why my proxy server can't receive any packet through the socket.
Do I need some more DNAT rules?



----------------       testbed  ---------------

[client ] <-----> [tproxy patched apache mod_proxy] <-----> [web server]
                     ---------------------------------------------------
                                         proxybox


[Environment of the tproxy server]
       1. kernel
               kernel 2.6.24 + tproxy-kernel-2.6.24-20080602-165651-1212418611.tar.bz2
               [http://www.balabit.com/downloads/files/tproxy/tproxy-kernel-2.6.24-20080602-165651-1212418611.tar.bz2]

       2. iptables
               iptables 4.0 + tproxy-iptables-1.4.0-20080521-113954-1211362794.patch
               [http://www.balabit.com/downloads/files/tproxy/tproxy-iptables-1.4.0-20080521-113954-1211362794.patch]

       3. apache
               apache 2.2.9 + httpd-2.2.9-tproxy.patch [I got this patch from Google and ported it to this version]


      4. iptables and routing rules

         #!/bin/sh
         IPTABLES=/usr/local/sbin/iptables

         # NAT: rewrite incoming port-80 traffic to the local proxy port
         ${IPTABLES} -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to 127.0.0.1:3128

         # DIVERT chain: mark packets that already belong to a local socket
         ${IPTABLES} -t mangle -N DIVERT
         ${IPTABLES} -t mangle -A DIVERT -j MARK --set-mark 1
         ${IPTABLES} -t mangle -A DIVERT -j ACCEPT
         ${IPTABLES} -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
         # TPROXY: hand new port-80 connections to the proxy on port 3128 and mark them
         ${IPTABLES} -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3128

         # deliver marked packets to the local stack
         ip rule add fwmark 0x1/0x1 lookup 100
         ip route add local 0.0.0.0/0 dev lo table 100

         sysctl -w net.ipv4.ip_nonlocal_bind=1
         sysctl -w net.ipv4.ip_forward=1


Here are the config files of the kernel and the Apache proxy.

Thanks in advance~
Attachments (non-text, scrubbed by the list archive):
  httpd-2.2.9-tproxy.patch (14589 bytes): http://lists.balabit.hu/pipermail/tproxy/attachments/20091123/3214f113/attachment-0003.obj
  config-2.6.24 (87770 bytes): http://lists.balabit.hu/pipermail/tproxy/attachments/20091123/3214f113/attachment-0004.obj
  httpd.conf (14001 bytes): http://lists.balabit.hu/pipermail/tproxy/attachments/20091123/3214f113/attachment-0005.obj
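The socket-side counterpart of the TPROXY rules in the post, as an added example (not the poster's setup and not the patched Apache): a listener with IP_TRANSPARENT set before bind(), which the TPROXY target requires according to the referenced tproxy.txt, a read-back check that needs no privilege, and the getsockname() call that recovers the client's real destination. Host, port and function names are my own; setting the option needs CAP_NET_ADMIN.

```python
import socket

# Linux value of IP_TRANSPARENT; socket.IP_TRANSPARENT exists on Linux (Python >= 3.3)
IP_TRANSPARENT = getattr(socket, "IP_TRANSPARENT", 19)


def is_transparent(sock):
    """Read IP_TRANSPARENT back; reading needs no privilege, so it works as a check."""
    return sock.getsockopt(socket.IPPROTO_IP, IP_TRANSPARENT) != 0


def plain_listener(host, port, backlog=16):
    """An ordinary listener: the TPROXY target will not hand it connections
    addressed to foreign destinations, so it sees nothing from the rules."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind((host, port))
    sock.listen(backlog)
    return sock


def transparent_listener(host, port, backlog=16):
    """Listener the TPROXY target can redirect to. IP_TRANSPARENT must be set
    before bind(); it needs CAP_NET_ADMIN, so an unprivileged caller gets a
    PermissionError here instead of a silent listener that never gets a packet."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.setsockopt(socket.IPPROTO_IP, IP_TRANSPARENT, 1)
    sock.bind((host, port))  # 0.0.0.0:3128 in the post's setup
    sock.listen(backlog)
    return sock


def original_destination(conn):
    """With TPROXY nothing rewrites the packet, so the local address of the
    accepted socket is the client's real destination (e.g. webserver:80).
    A DNAT/REDIRECT setup would need SO_ORIGINAL_DST from conntrack instead."""
    return conn.getsockname()


def serve_once(listener):
    """Accept one connection and report where the client was really going."""
    conn, client = listener.accept()
    with conn:
        dst_ip, dst_port = original_destination(conn)
        print("client %s:%d -> original destination %s:%d" % (client + (dst_ip, dst_port)))
        return dst_ip, dst_port


if __name__ == "__main__":
    lst = transparent_listener("0.0.0.0", 3128)
    print("listening socket transparent:", is_transparent(lst))
    serve_once(lst)
```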

