[tproxy] TPROXY4 and TPROXY2

Zhuang Yuyao mlistz at gmail.com
Wed Oct 21 07:52:21 CEST 2009


Hi,

I am writing a proxy program using tproxy features to provide a
transparent proxy on the Linux platform. The previous version of the proxy
runs on kernel 2.6.17 + tproxy2; the new version runs on
kernel 2.6.28 + tproxy4.

The simple network topology looks like this:
192.168.0.1(client) -> 192.168.0.2:80(eth0)-192.168.10.1(eth1) -> 192.168.10.1(server running apache2)

With tproxy2, all I have to do is add the following code:

* modprobe iptable_tproxy
* modprobe ipt_tproxy

1) Accept the client connection.
2) Determine which address to bind; in the case above, it is 192.168.10.1.
3) Assign the client address and set the connect flag on the socket:
    /* create socket connectsockfd */
    ....

    /* bind connectsockfd to 192.168.10.1 */
    ....

    /* assign client address */
    itp.op = TPROXY_ASSIGN;
    itp.v.addr.faddr = client_addr.in.sin_addr;
    itp.v.addr.fport = 0;

    if (setsockopt(connectsockfd, SOL_IP, IP_TPROXY, &itp, sizeof(itp)) == -1) {
        s_log(LOG_NOTICE, "error assigning foreign address: %s",
              inet_ntoa(client_addr.in.sin_addr));
        sockerror("setsockopt(SOL_IP, IP_TPROXY, TPROXY_ASSIGN)");
        longjmp(c->err, 1);
    }
    s_log(LOG_NOTICE, "TPROXY: assigned foreign address: %s",
          inet_ntoa(client_addr.in.sin_addr));

    /* set connect flag on socket */
    itp.op = TPROXY_FLAGS;
    itp.v.flags = ITP_CONNECT|ITP_ONCE;
    if (setsockopt(connectsockfd, SOL_IP, IP_TPROXY, &itp, sizeof(itp)) == -1) {
        sockerror("setsockopt(SOL_IP, IP_TPROXY, TPROXY_FLAGS)");
        longjmp(c->err, 1);
    }

    /* then connect to server as usual */

** No special iptables rules need to be set; the transparent proxy
just works. **

With tproxy4, I tried the following code:

* modprobe xt_TPROXY (module nf_tproxy_core is loaded automatically)

* create listen socket listensockfd
* setsockopt(listensockfd) to make it transparent (IP_TRANSPARENT)
* bind(listensockfd) to 192.168.0.2:80
* listen(listensockfd) as usual

accept() as usual; then, for the outbound socket:

* create socket connectsockfd
* setsockopt(connectsockfd) to make it transparent (IP_TRANSPARENT)
* bind(connectsockfd) to 192.168.10.1:0
* connect(connectsockfd) as usual

But the transparent proxy doesn't work: the server's access.log still
shows that the connections come from 192.168.10.1.

My question is:
Do those special iptables rules
(http://wiki.squid-cache.org/Features/Tproxy4#iptables_1.4.3_Configuration)
have to be set when using tproxy4? I really do not want my users to set up
any special iptables rules for my proxy to work transparently.

Thanks very much!
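The tproxy4 outbound leg, as an added example (editor's code, not the poster's): the address bound to an IP_TRANSPARENT socket is the source address the server sees, so this binds the outbound socket to the accepted client's peer address with port 0, the role TPROXY_ASSIGN's faddr/fport played in the tproxy2 code above. The step codes and function names are constructed for this example; the client and server addresses are assumed to come from accept() and the proxy's own routing decision.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#ifndef IP_TRANSPARENT
#define IP_TRANSPARENT 19   /* Linux socket option value; glibc normally defines it */
#endif

/* One code per step so the caller can log which step failed (constructed for this example). */
enum tp_step { TP_OK = 0, TP_ERR_SOCKET, TP_ERR_TRANSPARENT, TP_ERR_BIND, TP_ERR_CONNECT };

/* tproxy4 counterpart of TPROXY_ASSIGN with faddr = client, fport = 0: the outbound
 * socket is bound to the client's IP (the source address the server will see) with
 * port 0 so the kernel picks the port. IP_TRANSPARENT lets bind() accept a non-local IP. */
int spoof_bind_addr(struct sockaddr_in *out, const struct sockaddr_in *client)
{
    if (out == NULL || client == NULL || client->sin_family != AF_INET)
        return -1;
    memset(out, 0, sizeof(*out));
    out->sin_family = AF_INET;
    out->sin_addr = client->sin_addr;
    out->sin_port = 0;
    return 0;
}

/* Outbound leg: socket -> IP_TRANSPARENT -> bind(client addr) -> connect(server).
 * Returns the connected fd (>= 0), or -(failing tp_step) with no fd left open. */
int transparent_connect(const struct sockaddr_in *client, const struct sockaddr_in *server)
{
    struct sockaddr_in spoof;
    int one = 1, fd;
    if (spoof_bind_addr(&spoof, client) != 0)
        return -TP_ERR_BIND;                    /* unusable client address, no socket yet */
    if ((fd = socket(AF_INET, SOCK_STREAM, 0)) < 0)
        return -TP_ERR_SOCKET;
    /* IPPROTO_IP is the same level as the post's SOL_IP */
    if (setsockopt(fd, IPPROTO_IP, IP_TRANSPARENT, &one, sizeof(one)) < 0) {
        close(fd); return -TP_ERR_TRANSPARENT;  /* EPERM without CAP_NET_ADMIN */
    }
    if (bind(fd, (const struct sockaddr *)&spoof, sizeof(spoof)) < 0) {
        close(fd); return -TP_ERR_BIND;
    }
    if (connect(fd, (const struct sockaddr *)server, sizeof(*server)) < 0) {
        close(fd); return -TP_ERR_CONNECT;
    }
    return fd;
}
```

The server's replies are addressed to the client's IP, so they still have to be diverted to this host's socket, which is what the TPROXY iptables and policy-routing rules on the linked Squid wiki page arrange.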
