[tproxy] iptable_tproxy

nicolas normand doomyster at gmail.com
Thu Feb 11 11:47:54 CET 2010


I would suggest you use:

- iptables 1.4.6: I don't remember if iptables 1.4.2 needs to be patched or not
- linux 2.6.31: yes, it has built-in tproxy. You need options
"Transparent proxying support (EXPERIMENTAL)", "TPROXY" target support
(EXPERIMENTAL) and "socket" match support (EXPERIMENTAL)
Don't use the 2.6.32, something changed about rp_filters and I
couldn't make tproxy work with it. Maybe someone else knows how to
do it.
The problem was fixed in 2.6.33 (which is not yet released), but
you'll need to set a new sysctl call: sysctl
net.ipv4.conf.lo.src_valid_mark=1

For iptables/ebtables rules, I based my configuration on this post:
https://lists.balabit.hu/pipermail/tproxy/2010-January/001211.html

Bye,
Nicolas

2010/2/11 Alexander Dultsev <alexander.dooltsev at gmail.com>:
> hi Nicolas,
> thanks for the fast reply, and sorry about my spontaneous question - yes,
> it's about using iptables 1.4.2 with a patched Debian kernel 2.6.27-wt6
> (tproxy patch) or not patched 2.6.31 (the 2.6.31 has it in-built, am I
> correct?)
> So, 1) is iptables 1.4.2 + kernel 2.6.31 ok to go for tproxy functionality?
> 2) how would you make it work then?
> Thanks,
> Alex.
>
>
> On Thu, Feb 11, 2010 at 9:14 AM, nicolas normand <doomyster at gmail.com>
> wrote:
>>
>> I suppose you are speaking of the tproxy table. It was removed some
>> time ago (I don't remember when), now I could make tproxy work with
>> just the mangle table, and a 2.6.31 or 2.6.33 linux kernel.
>>
>> Bye,
>> Nicolas
>>
>> 2010/2/11 Alexander Dultsev <alexander.dooltsev at gmail.com>:
>> > Hello,
>> > perhaps it's covered in some place here (if so, could you please point to
>> > the right direction) - is entry iptables_tproxy.ko missing under tproxy
>> > 4.x.x version (so things like 'iptables -F tproxy -L' cannot be called)? I
>> > can see, for instance, 'iptables_raw' etc, but not the above in my
>> > /lib/modules/... directory.
>> > Thanks,
>> > Alex.
>
>
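
The prerequisites listed in the message above, written as a preflight check; this is an added example, not part of the original thread. The function names and the sample config are constructed here, and the CONFIG_* symbols are the Kconfig names assumed to sit behind the three menu entries quoted in the message.

```shell
#!/bin/sh
# Added example: preflight check for the TPROXY prerequisites named in the message.
# Assumption: these CONFIG_* symbols are the Kconfig names behind the three
# menu entries quoted in the message (the mapping is supplied here).
TPROXY_SYMBOLS="CONFIG_NETFILTER_TPROXY CONFIG_NETFILTER_XT_TARGET_TPROXY CONFIG_NETFILTER_XT_MATCH_SOCKET"

# Print every required symbol that is not set to y or m in the kernel
# config text read from stdin. Prints nothing when all three are present.
tproxy_missing_options() {
    cfg=$(cat)
    missing=""
    for sym in $TPROXY_SYMBOLS; do
        if ! printf '%s\n' "$cfg" | grep -Eq "^${sym}=[ym]\$"; then
            missing="${missing}${missing:+ }${sym}"
        fi
    done
    printf '%s' "$missing"
}

# Classify a kernel release string using only the three versions the
# message discusses; anything else is reported as not covered.
tproxy_kernel_advice() {
    base=$(printf '%s' "$1" | sed -E 's/^([0-9]+\.[0-9]+\.[0-9]+).*/\1/')
    case "$base" in
        2.6.31) echo "ok" ;;
        2.6.32) echo "avoid" ;;
        2.6.33) echo "needs-src_valid_mark" ;;   # net.ipv4.conf.lo.src_valid_mark=1
        *)      echo "not-covered" ;;
    esac
}

# Constructed sample: a config fragment with the socket match left unset.
SAMPLE_CONFIG='CONFIG_NETFILTER_TPROXY=m
CONFIG_NETFILTER_XT_TARGET_TPROXY=m
# CONFIG_NETFILTER_XT_MATCH_SOCKET is not set'

printf 'missing: %s\n' "$(printf '%s\n' "$SAMPLE_CONFIG" | tproxy_missing_options)"
printf '2.6.32-5-amd64: %s\n' "$(tproxy_kernel_advice 2.6.32-5-amd64)"
```

On a real host, feed `tproxy_missing_options` the running kernel's config (for example the `/boot/config-*` file for that release) and pass `uname -r` to `tproxy_kernel_advice`.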

