[tproxy] tproxy Digest, Vol 55, Issue 5

Luiz Biazus luiz at biazus.com
Tue Jan 12 12:27:52 CET 2010


Hello Krisztian!

That's what I mean!

Here follows my full configuration:

echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/ip_nonlocal_bind
echo 1 > /proc/sys/net/ipv4/conf/eth0/rp_filter
echo 1 > /proc/sys/net/ipv4/conf/eth1/rp_filter
echo 1 > /proc/sys/net/ipv4/conf/br0/rp_filter
echo 1 > /proc/sys/net/ipv4/conf/lo/rp_filter
echo 1 > /proc/sys/net/ipv4/conf/all/forwarding
echo 1 > /proc/sys/net/ipv4/conf/all/send_redirects


cd /proc/sys/net/bridge/
for i in *; do
    echo 0 > $i
done
unset i



iptables -t mangle -N DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY \
    --tproxy-mark 0x1/0x1 --on-port 8012

# eth0 connected to the gateway, eth1 internal
ebtables -t broute -A BROUTING -i eth1 -p ipv4 --ip-proto tcp \
    --ip-dport 80 -j redirect --redirect-target DROP
ebtables -t broute -A BROUTING -i eth0 -p ipv4 --ip-proto tcp \
    --ip-sport 80 -j redirect --redirect-target DROP


ip rule add dev eth0 fwmark 1 lookup 100
ip rule add dev eth1 fwmark 1 lookup 100
ip rule add dev br0 fwmark 1 lookup 100


root at cache:~# ip rule
0:         from all lookup local
32763:  from all fwmark 0x1 iif eth0 lookup 100
32764:  from all fwmark 0x1 iif eth1 lookup 100
32765:  from all fwmark 0x1 iif br0 lookup 100
32766:  from all lookup main
32767:  from all lookup default

root at thundercache:~# ip route show all
189.10.205.0/24 dev br0  proto kernel  scope link  src 189.10.205.3
default via 189.10.205.1 dev br0  metric 100



root at thundercache:~# ifconfig
br0       Link encap:Ethernet  Endereço de HW 00:06:4f:5f:b3:1e
          inet end.: 189.10.205.3  Bcast:189.10.203.255  Masc:255.255.255.0
          endereço inet6: fe80::206:4fff:fe5f:b31e/64 Escopo:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Métrica:1
          pacotes RX:2314056 erros:0 descartados:0 excesso:0 quadro:0
          Pacotes TX:686243 erros:0 descartados:0 excesso:0 portadora:0
          colisões:0 txqueuelen:0
          RX bytes:640911673 (640.9 MB) TX bytes:499301746 (499.3 MB)

eth0      Link encap:Ethernet  Endereço de HW 00:06:4f:5f:b3:1e
          endereço inet6: fe80::206:4fff:fe5f:b31e/64 Escopo:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Métrica:1
          pacotes RX:197138752 erros:0 descartados:0 excesso:0 quadro:0
          Pacotes TX:171287420 erros:0 descartados:0 excesso:0 portadora:0
          colisões:0 txqueuelen:1000
          RX bytes:1122327687 (1.1 GB) TX bytes:1558614907 (1.5 GB)
          IRQ:18

eth1      Link encap:Ethernet  Endereço de HW 00:1e:8c:d2:2e:e9
          endereço inet6: fe80::21e:8cff:fed2:2ee9/64 Escopo:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Métrica:1
          pacotes RX:171297851 erros:1 descartados:0 excesso:0 quadro:1
          Pacotes TX:197160512 erros:0 descartados:0 excesso:0 portadora:0
          colisões:0 txqueuelen:1000
          RX bytes:1561386827 (1.5 GB) TX bytes:1915548351 (1.9 GB)
          IRQ:25 Endereço de E/S:0x4000

lo        Link encap:Loopback Local
          inet end.: 127.0.0.1  Masc:255.0.0.0
          endereço inet6: ::1/128 Escopo:Máquina
          UP LOOPBACK RUNNING  MTU:16436  Métrica:1
          pacotes RX:40 erros:0 descartados:0 excesso:0 quadro:0
          Pacotes TX:40 erros:0 descartados:0 excesso:0 portadora:0
          colisões:0 txqueuelen:0
          RX bytes:3690 (3.6 KB) TX bytes:3690 (3.6 KB)



Thank you Friend!


Best regards
Luiz
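As an added example, not from Luiz's post nor from the tproxy project, here is a small POSIX shell audit for the settings the configuration above relies on: the ipv4 sysctls written with echo, and the fwmark rule visible in the `ip rule` listing. The function names are my own; the expectation that rp_filter is 0 on every interface follows Krisztian's question about it further down the thread, and the audit accepts an alternate root directory so it can be run against a copied or constructed /proc tree.

```shell
#!/bin/sh
# Added example: audit the kernel settings a TPROXY bridge setup needs.
# expect_sysctl/audit_tproxy_sysctl/has_fwmark_rule are assumed helper
# names, not part of any tproxy tool.

# Print the file's value and return 1 when it differs from the expected one.
expect_sysctl() {
  file="$1"; want="$2"
  if [ ! -r "$file" ]; then
    echo "MISSING $file"; return 1
  fi
  have=$(cat "$file")
  if [ "$have" = "$want" ]; then
    echo "ok      $file=$have"
  else
    echo "BAD     $file=$have (expected $want)"; return 1
  fi
}

# Walk the ipv4 sysctl tree (default: the live kernel). Forwarding and
# ip_nonlocal_bind must be on; rp_filter must be off on every interface,
# because the diverted packets carry foreign addresses that a strict
# reverse-path check discards before TPROXY ever sees them.
audit_tproxy_sysctl() {
  root="${1:-/proc/sys/net/ipv4}"
  rc=0
  expect_sysctl "$root/ip_forward" 1 || rc=1
  expect_sysctl "$root/ip_nonlocal_bind" 1 || rc=1
  for f in "$root"/conf/*/rp_filter; do
    expect_sysctl "$f" 0 || rc=1
  done
  return $rc
}

# Check saved 'ip rule' output for a rule that sends the given fwmark to
# the given table, with or without an iif qualifier in between.
# Usage: has_fwmark_rule "$(ip rule)" 0x1 100
has_fwmark_rule() {
  printf '%s\n' "$1" | grep -q "fwmark $2 .*lookup $3"
}

# Run against the live kernel only when asked to explicitly.
if [ "${1:-}" = "--live" ]; then
  audit_tproxy_sysctl || echo "sysctl audit failed"
  has_fwmark_rule "$(ip rule)" 0x1 100 || echo "no fwmark 0x1 -> table 100 rule"
fi
```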



2010/1/12  <tproxy-request at lists.balabit.hu>:
> Send tproxy mailing list submissions to
>        tproxy at lists.balabit.hu
>
> To subscribe or unsubscribe via the World Wide Web, visit
>        https://lists.balabit.hu/mailman/listinfo/tproxy
> or, via email, send a message with subject or body 'help' to
>        tproxy-request at lists.balabit.hu
>
> You can reach the person managing the list at
>        tproxy-owner at lists.balabit.hu
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of tproxy digest..."
>
>
> Today's Topics:
>
>   1. Re: tproxy Digest, Vol 55, Issue 4 (Luiz Biazus)
>   2. Re: tproxy Digest, Vol 55, Issue 4 (KOVACS Krisztian)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Mon, 11 Jan 2010 09:05:25 -0200
> From: Luiz Biazus <luiz at biazus.com>
> Subject: Re: [tproxy] tproxy Digest, Vol 55, Issue 4
> To: tproxy at lists.balabit.hu
> Message-ID:
>        <8ecc30771001110305l2ab305e4h757f48a39fc97d95 at mail.gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> about these procedures:
>
>  ip rule add dev eth0 fwmark 1 lookup 100
>  ip rule add dev eth1 fwmark 1 lookup 100
>  ip rule add dev br0 fwmark 1 lookup 100
>
>
> It doesn't work
>
>
> Thank you  Krisztian
>
>
>
>
>
> 2010/1/11  <tproxy-request at lists.balabit.hu>:
>> Today's Topics:
>>
>>   1. EADDRNOTAVAIL from connect, but only sometimes (Ron Parker)
>>   2. Re: Correct kernel version with tproxy (KOVACS Krisztian)
>>
>>
>> ----------------------------------------------------------------------
>>
>> Message: 1
>> Date: Sun, 10 Jan 2010 19:46:58 -0500
>> From: Ron Parker <rparker at movik.net>
>> Subject: [tproxy] EADDRNOTAVAIL from connect, but only sometimes
>> To: "tproxy at lists.balabit.hu" <tproxy at lists.balabit.hu>
>> Message-ID:
>>        <5D6AFCAC2AD9424D816711D1AF4FE8441BDE791924 at MAILR014.mail.lan>
>> Content-Type: text/plain; charset="us-ascii"
>>
>> Hi,
>>
>> We are using the tproxy patch for Linux 2.6.24 (Ubuntu 8.0.4). When placing outgoing connections, we use the original socket address (4-tuple) in the bind and set SO_REUSEADDR on the socket. The sequence we are having difficulty with is:
>>
>>
>> * Client connects to transparent proxy
>>
>> * Transparent proxy connects to remote server
>>
>> * Normal data transfer...
>>
>> * Remote server closes the connection (but client connection is maintained)
>>
>> * Transparent proxy attempts to connect again to remote server using the original 4-tuple (again)
>>
>>     o Bind succeeds
>>
>>     o Connect fails with EADDRNOTAVAIL
>>
>> The original socket is probably in TIME_WAIT at this point. I thought the SO_REUSEADDR would take care of the problem. What am I missing here?
>>
>> Thanks.
>>
>> Ron
>>
>> ------------------------------
>>
>> Message: 2
>> Date: Mon, 11 Jan 2010 09:56:14 +0100
>> From: KOVACS Krisztian <hidden at balabit.hu>
>> Subject: Re: [tproxy] Correct kernel version with tproxy
>> To: tproxy at lists.balabit.hu
>> Message-ID: <4B4AE7AE.4060601 at balabit.hu>
>> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>>
>> Hi,
>>
>> On 01/09/2010 07:40 PM, Alexandre Correa wrote:
>>> What's the best version of kernel for using tproxy ?
>>>
>>> 2.6.{28|29|30|31} ?
>>>
>>> seems with 2.6.32 has issues with.. true ?
>>
>> .31, I'd say. Yes, 2.6.32 has issues, you either need the workaround
>> mentioned on this mailing list a few days ago, or wait for a -stable
>> release fixing the issue (2.6.32.3 doesn't have the fix).
>>
>> Cheers,
>> Krisztian
>>
>>
>> ------------------------------
>>
>> _______________________________________________
>> tproxy mailing list
>> tproxy at lists.balabit.hu
>> https://lists.balabit.hu/mailman/listinfo/tproxy
>>
>>
>> End of tproxy Digest, Vol 55, Issue 4
>> *************************************
>>
>
>
> ------------------------------
>
> Message: 2
> Date: Mon, 11 Jan 2010 13:06:37 +0100
> From: KOVACS Krisztian <hidden at balabit.hu>
> Subject: Re: [tproxy] tproxy Digest, Vol 55, Issue 4
> To: tproxy at lists.balabit.hu
> Message-ID: <4B4B144D.3090800 at balabit.hu>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> On 01/11/2010 12:05 PM, Luiz Biazus wrote:
>> about these procedures:
>>
>>   ip rule add dev eth0 fwmark 1 lookup 100
>>   ip rule add dev eth1 fwmark 1 lookup 100
>>   ip rule add dev br0 fwmark 1 lookup 100
>>
>>
>> It doesn't work
>
> You mean it doesn't work at all?
>
> Do you have /proc/sys/net/ipv4/conf/*/rp_filter enabled?
>
> Cheers,
> Krisztian
>
>
> ------------------------------
>
>

