[tproxy] TPROXY understanding for transparent proxy to Virtual Machines
Daniel Huhardeaux
tech at tootai.net
Wed Oct 21 12:14:01 CEST 2009
Hi all,
I set up a server with 2 virtual machines (kvm) using libvirt. The public
interface is eth0, virbr1 being the VM interface with IP 10.1.70.1. My
goal is to send external smtp and http traffic over tcp to one VM
(10.1.70.13). The other VM (10.1.70.11), an Asterisk server, should receive
IAX, SIP and RTP over udp. I can ping the VMs from the host.
With iptables and DNAT everything is working like I want; the only
problem is that the source IP is the one from my virbr1, 10.1.70.1, and not the
original source one. People from netfilter told me I should give
tproxy a try, and that's what I'm trying to set up.
Context: Debian Lenny with kernel 2.6.30 and iptables 1.4.4 from
backports. tproxy modules are loaded. The applied rule is:
sudo iptables -t mangle -A PREROUTING -p tcp -d <public IP> --dport 25 \
    -j TPROXY --on-port 25 --on-ip 10.1.70.13 --tproxy-mark 254
The mark 254 is lookup main
0: from all lookup local
32759: from all to 10.1.0.0/16 lookup main
32760: from all to 10.100.0.0/16 lookup main
32761: from all to 10.99.4.0/16 lookup main
32762: from all fwmark 0xca lookup isp2
32763: from all fwmark 0xc9 lookup isp1
32764: from 91.137.30.70 lookup isp1
32765: from all to 0.0.0.0 lookup main
32766: from all lookup main
32767: from all lookup default
From the host I can telnet port 25 of VM
$ telnet 10.1.70.13 25
Trying 10.1.70.13...
Connected to 10.1.70.13.
Escape character is '^]'.
220 xxx.xxx.xxx.xxx ESMTP Postfix (Debian/GNU)
^]
telnet> quit
Connection closed.
but I can't telnet to the public IP from the host or from outside :-( A
tshark running on the VM shows no incoming traffic; the problem is on the host.
The following iptables rules are the ones I use for DNAT, and they are
working:
$IPTABLES -t nat -A PREROUTING -p tcp -i eth0 -d <public IP> --dport 25 \
    -j DNAT --to 10.1.70.13
$IPTABLES -A FORWARD -p tcp -m tcp --dport 25 -j ACCEPT
What am I missing? Can tproxy do what I want?
Thanks for any hint.
Regards
--
Daniel
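
Added example, not part of the original post: a small Python model of how the `ip rule` listing above is walked for a packet carrying a given fwmark, useful for checking whether a mark set by a mangle rule is actually selected by any policy rule. It assumes a simplified matcher that understands only the from/to/fwmark/lookup selectors that appear in the listing.

```python
import ipaddress

# `ip rule` listing copied from the post above.
IP_RULES = """\
0: from all lookup local
32759: from all to 10.1.0.0/16 lookup main
32760: from all to 10.100.0.0/16 lookup main
32761: from all to 10.99.4.0/16 lookup main
32762: from all fwmark 0xca lookup isp2
32763: from all fwmark 0xc9 lookup isp1
32764: from 91.137.30.70 lookup isp1
32765: from all to 0.0.0.0 lookup main
32766: from all lookup main
32767: from all lookup default
"""

def parse_rules(text):
    """Parse `ip rule` lines (assumption: from/to/fwmark/lookup selectors only)."""
    rules = []
    for line in text.strip().splitlines():
        prio, _, rest = line.partition(":")
        tok = rest.split()
        rules.append({"prio": int(prio), **dict(zip(tok[0::2], tok[1::2]))})
    return sorted(rules, key=lambda r: r["prio"])

def net_match(selector, addr):
    if selector in (None, "all"):
        return True
    # strict=False: the listing has 10.99.4.0/16, which has host bits set
    net = ipaddress.ip_network(selector, strict=False)
    return ipaddress.ip_address(addr) in net

def mark_match(selector, mark):
    if selector is None:          # rule does not select on fwmark
        return True
    value, _, mask = selector.partition("/")
    mask = int(mask, 0) if mask else 0xFFFFFFFF
    return (mark ^ int(value, 0)) & mask == 0

def tables_consulted(rules, src, dst, mark=0):
    """Routing tables tried, in priority order, for one packet."""
    return [r["lookup"] for r in rules
            if net_match(r.get("from"), src)
            and net_match(r.get("to"), dst)
            and mark_match(r.get("fwmark"), mark)]

def rules_selecting_mark(rules, mark):
    """Rules that explicitly select on this fwmark."""
    return [r for r in rules if "fwmark" in r and mark_match(r["fwmark"], mark)]
```

Calling `tables_consulted(parse_rules(IP_RULES), src, dst, mark=254)` with any outside source and destination gives `local`, `main`, `default`, the same as for an unmarked packet, and `rules_selecting_mark(..., 254)` is empty because the listing only selects on 0xca and 0xc9.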