[tproxy] TPROXY understanding for transparent proxy to Virtual Machines
tech at tootai.net
Wed Oct 21 12:14:01 CEST 2009
I setup a server with 2 virtual machines (kvm) using libvirt. Public
interface is eth0, virbr1 being the VM interface with IP 10.1.70.1. My
goal is to send external traffic smtp and http to one VM in tcp
(10.1.70.13). The other VM (10.1.70.11) -Asterisk server- should receive
IAX, SIP and RTP in udp. I can ping VMs from the host.
With iptables and DNAT everything is working like I want, the only
problem is that source IP is the one from my vibr1 10.1.70.1 and not the
origine source one. People from netfilter told me I should give a try to
tproxy, that's what I'm trying to setup.
Context: Debian Lenny with kernel 2.6.30 and iptables 1.4.4 from
backports. tproxy modules are loaded. Applied rules is
sudo iptables -t mangle -A PREROUTING -p tcp -d <public IP> --dport 25
-j TPROXY --on-port 25 --on-ip 10.1.70.13 --tproxy-mark 254
The mark 254 is lookup main
0: from all lookup local
32759: from all to 10.1.0.0/16 lookup main
32760: from all to 10.100.0.0/16 lookup main
32761: from all to 10.99.4.0/16 lookup main
32762: from all fwmark 0xca lookup isp2
32763: from all fwmark 0xc9 lookup isp1
32764: from 220.127.116.11 lookup isp1
32765: from all to 0.0.0.0 lookup main
32766: from all lookup main
32767: from all lookup default
From the host I can telnet port 25 of VM
$ telnet 10.1.70.13 25
Connected to 10.1.70.13.
Escape character is '^]'.
220 xxx.xxx.xxx.xxx ESMTP Postfix (Debian/GNU)
but I can't telnet the public IP from the host or from outside :-( A
tshark running on the VM shows no incoming traffic, problem is on the host.
The following iptables rules are the one I use for DNAT and which are
$IPTABLES -t nat -A PREROUTING -p tcp -i eth0 -d <public IP>
--dport 25 -j DNAT --to 10.1.70.13
$IPTABLES -A FORWARD -p tcp -m
tcp --dport 25 -j ACCEPT
What am I missing? Can tproxy do what I want?
Thanks for any hint.
More information about the tproxy