[tproxy] TPROXY4 and TPROXY2

Zhuang Yuyao mlistz at gmail.com
Wed Oct 21 07:52:21 CEST 2009


I am writing a proxy program using tproxy features to provide a
transparent proxy on the Linux platform. The previous version of the proxy
is running on kernel 2.6.17 + tproxy2; the new version is running on
kernel 2.6.28 + tproxy4.

the simple net topo looks like this: -> -> running apache2)

With tproxy2, all I have to do is add the following code:

* modprobe iptable_tproxy
* modprobe ipt_tproxy

1) accept client connection
2) determine which address to bind. in the case above, it is
3) assign client address and set connect flag on socket
      /* create socket connectsockfd */

      /* bind connectsockfd to */

      /* assign client address (itp is a struct in_tproxy from
         linux/netfilter_ipv4/ip_tproxy.h) */
      itp.op = TPROXY_ASSIGN;
      itp.v.addr.faddr = client_addr.in.sin_addr;
      itp.v.addr.fport = 0;

      if (setsockopt(connectsockfd, SOL_IP, IP_TPROXY, &itp,
                     sizeof(itp)) == -1) {
        /* %s argument restored from context: the errno text */
        s_log(LOG_NOTICE, "error assigning foreign address: %s",
              strerror(errno));
        sockerror("setsockopt(SOL_IP, IP_TPROXY, TPROXY_ASSIGN)");
        longjmp(c->err, 1);
      }
      /* %s argument restored from context: the address just assigned */
      s_log(LOG_NOTICE, "TPROXY: assigned foreign address: %s",
            inet_ntoa(itp.v.addr.faddr));

      /* set connect flag on socket */
      itp.op = TPROXY_FLAGS;
      itp.v.flags = ITP_CONNECT|ITP_ONCE;
      if (setsockopt(connectsockfd, SOL_IP, IP_TPROXY, &itp,
                     sizeof(itp)) == -1) {
        sockerror("setsockopt(SOL_IP, IP_TPROXY, TPROXY_FLAGS)");
        longjmp(c->err, 1);
      }

      /* then connect to server as usual */

** no special iptables rules need to be set, the transparent proxy
just works. **

With tproxy4, I tried the following code:

* modprobe xt_TPROXY (module nf_tproxy_core is automatically loaded)

* create listen socket listensockfd
* setsockopt(listensockfd) to make it transparent (IP_TRANSPARENT)
* bind(listensockfd) to
* listen(listensockfd) as usual

accept() as usual, then for the outbound socket:

* create socket connectsockfd
* setsockopt(connectsockfd) to make it transparent (IP_TRANSPARENT)
* bind(connectsockfd) to
* connect(connectsockfd) as usual

But the transparent proxy doesn't work. The server access.log still
shows that the connections are from

My question is: must those special iptables rules be set while using
tproxy4? I really do not want my users to set up any special iptables
rules for my proxy to work as a transparent proxy.

thanks very much!
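The tproxy4 socket sequence described in the post (transparent listener; transparent outbound socket bound to the client's address, then connect), written out as an added C example. This is not the poster's code and not part of the tproxy project; the addresses in main() are constructed from the documentation ranges, and the function names (make_sockaddr, open_transparent_socket, open_transparent_listener, original_destination, connect_as_client) are this example's own. It also shows the one thing the post's list leaves implicit: on an accepted TPROXY socket, getsockname() returns the original destination, which is where the outbound leg must connect.

```c
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#ifndef IP_TRANSPARENT
#define IP_TRANSPARENT 19 /* value from linux/in.h, for older libc headers */
#endif

/* Fill a sockaddr_in from dotted-quad text; port is in host byte order.
   Returns 0 on success, -EINVAL if the text is not an IPv4 address. */
int make_sockaddr(const char *ip, uint16_t port, struct sockaddr_in *sa)
{
    memset(sa, 0, sizeof *sa);
    sa->sin_family = AF_INET;
    sa->sin_port = htons(port);
    return inet_pton(AF_INET, ip, &sa->sin_addr) == 1 ? 0 : -EINVAL;
}

/* TCP socket with IP_TRANSPARENT set. Needs CAP_NET_ADMIN; without it the
   setsockopt fails with EPERM. Returns the fd, or -errno on failure. */
int open_transparent_socket(void)
{
    int one = 1;
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -errno;
    if (setsockopt(fd, SOL_IP, IP_TRANSPARENT, &one, sizeof one) < 0) {
        int e = errno;
        close(fd);
        return -e;
    }
    return fd;
}

/* Listening side: transparent socket on 0.0.0.0:port. IP_TRANSPARENT lets it
   accept connections whose destination is not a local address once an
   iptables TPROXY rule steers them to this port. Returns fd or -errno. */
int open_transparent_listener(uint16_t port, int backlog)
{
    struct sockaddr_in sa;
    int one = 1;
    int fd = open_transparent_socket();
    if (fd < 0)
        return fd;
    setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);
    make_sockaddr("0.0.0.0", port, &sa);
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 ||
        listen(fd, backlog) < 0) {
        int e = errno;
        close(fd);
        return -e;
    }
    return fd;
}

/* On an accepted TPROXY socket the local address is the original destination,
   so getsockname() yields the real server; the peer (from accept()) is the
   client. Returns 0 or -errno. */
int original_destination(int accepted_fd, struct sockaddr_in *dst)
{
    socklen_t len = sizeof *dst;
    return getsockname(accepted_fd, (struct sockaddr *)dst, &len) < 0 ? -errno : 0;
}

/* Outbound leg, the tproxy4 counterpart of TPROXY_ASSIGN + ITP_CONNECT:
   bind a transparent socket to the client's address (port 0 lets the kernel
   pick the source port) and connect to the original destination. Binding a
   non-local address only succeeds because IP_TRANSPARENT is set. */
int connect_as_client(const struct sockaddr_in *client,
                      const struct sockaddr_in *server)
{
    struct sockaddr_in src = *client;
    int fd = open_transparent_socket();
    if (fd < 0)
        return fd;
    src.sin_port = 0;
    if (bind(fd, (struct sockaddr *)&src, sizeof src) < 0 ||
        connect(fd, (const struct sockaddr *)server, sizeof *server) < 0) {
        int e = errno;
        close(fd);
        return -e;
    }
    return fd;
}

int main(void)
{
    /* Constructed addresses from the documentation ranges, not from the post. */
    struct sockaddr_in client, server;
    make_sockaddr("192.0.2.10", 40000, &client);
    make_sockaddr("198.51.100.20", 80, &server);
    int lfd = open_transparent_listener(8080, 16);
    if (lfd < 0)
        fprintf(stderr, "listener: %s\n", strerror(-lfd));
    int cfd = connect_as_client(&client, &server);
    if (cfd < 0)
        fprintf(stderr, "outbound: %s\n", strerror(-cfd));
    if (lfd >= 0) close(lfd);
    if (cfd >= 0) close(cfd);
    return 0;
}
```

The socket options above only allow the sockets to use non-local addresses; they do not divert any packets. In tproxy4 the diversion is done by netfilter and policy routing: a TPROXY target in the mangle PREROUTING chain with --tproxy-mark and --on-port, an ip rule for that mark pointing at a table whose only route is local 0.0.0.0/0 dev lo, and an -m socket match marking packets that belong to an existing transparent socket so the server's replies reach the proxy instead of being forwarded to the client. Without them the proxy box forwards the traffic as a plain router, which matches the symptom in the post.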
