[tproxy] Tproxy Iptables + ebtables Problem

Asif Bakali asifbakali at gmail.com
Tue Sep 1 11:27:55 CEST 2009


G'day,

One of my servers (FC11 x64) running TProxy with a combination of
iptables + ebtables rules crashed during peak hours with a
"kernel panic" error. When I replace tproxy with netfilter and remove
the ebtables rules, just using simple iptables with NAT rules, everything is fine.
Has anyone faced this issue before? Find my configuration below.

Kernel = 2.6.29.6-217.2.8.fc11.x86_64
O/S = FC 11 x64, Intel based
iptables = v1.4.3.1
ebtables = v2.0.9-1

firewall.conf

#!/bin/sh
IPTABLES=/sbin/iptables
EBTABLES=/sbin/ebtables
EXTDEV="eth0"
INTDEV="eth1"
SERVERIP="xxx.xxx.xxx.15"

# Bridge side: pull port-80 traffic out of the bridge path so it is routed
# (and therefore hits the mangle PREROUTING rules) instead of being bridged.
${EBTABLES} -t broute -F
${EBTABLES} -t broute -A BROUTING -i $EXTDEV -p ipv4 --ip-protocol tcp --ip-source-port 80 -j redirect --redirect-target DROP
${EBTABLES} -t broute -A BROUTING -i $INTDEV -p ipv4 --ip-protocol tcp --ip-destination-port 80 -j redirect --redirect-target DROP

${IPTABLES} -F
${IPTABLES} -F -t nat
${IPTABLES} -F -t mangle
# DIVERT: packets that already belong to a local (transparent) socket get the
# fwmark so they are routed locally; new port-80 flows go to the TPROXY target.
${IPTABLES} -v -t mangle -N DIVERT
${IPTABLES} -v -t mangle -A DIVERT -j MARK --set-mark 1
${IPTABLES} -v -t mangle -A DIVERT -j ACCEPT
${IPTABLES} -v -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
${IPTABLES} -v -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129

${IPTABLES} -I INPUT -s $SERVERIP -i br0 -j REJECT
${IPTABLES} -A INPUT -m state --state INVALID -j DROP
${IPTABLES} -A INPUT -s xxx.xxx.xxx.0/24 -j ACCEPT
${IPTABLES} -I INPUT -i lo -j ACCEPT
${IPTABLES} -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
${IPTABLES} -A INPUT -j DROP

# Marked packets are delivered locally regardless of destination address.
ip rule add fwmark 1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100

sysctl -w net.ipv4.ip_nonlocal_bind=1
sysctl -w net.ipv4.ip_forward=1
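The script above diverts port-80 flows to --on-port 3129 but does not show what must listen there. The following is an added example, not code from the original post: a minimal acceptor for that port demonstrating the two things the proxy side needs under TPROXY, namely a socket with IP_TRANSPARENT set (so it can own connections addressed to foreign hosts) and getsockname() on the accepted socket to learn the destination the client actually dialed. The port number is the page's; the loopback demo, the fallback to an ordinary socket when CAP_NET_ADMIN is missing, and all function names are assumptions made here.

```python
import socket
import threading

# Linux value of IP_TRANSPARENT (assumed fallback for builds that lack the name).
IP_TRANSPARENT = getattr(socket, "IP_TRANSPARENT", 19)


def make_listener(host="0.0.0.0", port=3129, transparent=True):
    """Listening socket for TPROXY --on-port; returns (sock, transparent_set).

    IP_TRANSPARENT lets the kernel hand this socket connections whose
    destination is not a local address (needs CAP_NET_ADMIN).
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    transparent_set = False
    if transparent:
        try:
            s.setsockopt(socket.IPPROTO_IP, IP_TRANSPARENT, 1)
            transparent_set = True
        except OSError:
            pass  # unprivileged: continue as an ordinary listener
    s.bind((host, port))
    s.listen(16)
    return s, transparent_set


def original_destination(conn):
    """Under TPROXY the accepted socket carries the packet's original
    addresses, so getsockname() is the client's intended destination
    (NAT REDIRECT would need SO_ORIGINAL_DST instead)."""
    return conn.getsockname()[:2]


def accept_one(listener):
    """Accept one connection and report who dialed what."""
    conn, peer = listener.accept()
    try:
        return {"client": peer[:2], "intended_dst": original_destination(conn)}
    finally:
        conn.close()


def demo_loopback():
    """Constructed loopback run (no TPROXY rules involved): with the mangle
    rules in place intended_dst would be the remote web server instead."""
    listener, _ = make_listener("127.0.0.1", 0)
    port = listener.getsockname()[1]
    result = {}
    t = threading.Thread(target=lambda: result.update(accept_one(listener)))
    t.start()
    client = socket.create_connection(("127.0.0.1", port))
    t.join()
    client.close()
    listener.close()
    return result, port
```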