[tproxy] tproxy Digest, Vol 55, Issue 6
Luiz Biazus
luiz at biazus.com
Wed Jan 13 12:07:23 CET 2010
my first configuration was with all disabled :
> echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter
> echo 0 > /proc/sys/net/ipv4/conf/eth1/rp_filter
> echo 0 > /proc/sys/net/ipv4/conf/br0/rp_filter
> echo 0 > /proc/sys/net/ipv4/conf/lo/rp_filter
i enable it to make the test that u said!
so doesn't work :-(
Thank you friend
Luiz
2010/1/13 <tproxy-request at lists.balabit.hu>:
> Send tproxy mailing list submissions to
> tproxy at lists.balabit.hu
>
> To subscribe or unsubscribe via the World Wide Web, visit
> https://lists.balabit.hu/mailman/listinfo/tproxy
> or, via email, send a message with subject or body 'help' to
> tproxy-request at lists.balabit.hu
>
> You can reach the person managing the list at
> tproxy-owner at lists.balabit.hu
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of tproxy digest..."
>
>
> Today's Topics:
>
> 1. Re: tproxy Digest, Vol 55, Issue 5 (Luiz Biazus)
> 2. Re: tproxy Digest, Vol 55, Issue 5 (KOVACS Krisztian)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Tue, 12 Jan 2010 09:27:52 -0200
> From: Luiz Biazus <luiz at biazus.com>
> Subject: Re: [tproxy] tproxy Digest, Vol 55, Issue 5
> To: tproxy at lists.balabit.hu
> Message-ID:
> <8ecc30771001120327t20156525nae58961884b9ea8a at mail.gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Hello Krisztian!
>
> is that what i mean!
>
> follow my full configuration:
>
> echo 1 > /proc/sys/net/ipv4/ip_forward
> echo 1 > /proc/sys/net/ipv4/ip_nonlocal_bind
> echo 1 > /proc/sys/net/ipv4/conf/eth0/rp_filter
> echo 1 > /proc/sys/net/ipv4/conf/eth1/rp_filter
> echo 1 > /proc/sys/net/ipv4/conf/br0/rp_filter
> echo 1 > /proc/sys/net/ipv4/conf/lo/rp_filter
> echo 1 > /proc/sys/net/ipv4/conf/all/forwarding
> echo 1 > /proc/sys/net/ipv4/conf/all/send_redirects
>
>
> cd /proc/sys/net/bridge/
> for i in *
> do
> echo 0 > $i
> done
> unset i
>
>
>
> iptables -t mangle -N DIVERT
> iptables -t mangle -A DIVERT -j MARK --set-mark 1
> iptables -t mangle -A DIVERT -j ACCEPT
> iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
> iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY
> --tproxy-mark 0x1/0x1 --on-port 8012
> ebtables -t broute -A BROUTING -i eth1 -p ipv4 --ip-proto tcp
> --ip-dport 80 -j redirect --redirect-target DROP
> ebtables -t broute -A BROUTING -i eth0 -p ipv4 --ip-proto tcp
> --ip-sport 80 -j redirect --redirect-target DROP
> //eth0 connected to gw and eth1 internal
>
>
> ip rule add dev eth0 fwmark 1 lookup 100
> ip rule add dev eth1 fwmark 1 lookup 100
> ip rule add dev br0 fwmark 1 lookup 100
>
>
> root at cache:~# ip rule
> 0: from all lookup local
> 32763: from all fwmark 0x1 iif eth0 lookup 100
> 32764: from all fwmark 0x1 iif eth1 lookup 100
> 32765: from all fwmark 0x1 iif br0 lookup 100
> 32766: from all lookup main
> 32767: from all lookup default
>
> root at thundercache:~# ip route show all
> 189.10.205.0/24 dev br0 proto kernel scope link src 189.10.205.3
> default via 189.10.205.1 dev br0 metric 100
>
>
>
> root at thundercache:~# ifconfig
> br0 Link encap:Ethernet Endere??o de HW 00:06:4f:5f:b3:1e
> inet end.: 189.10.205.3 Bcast:189.10.203.255 Masc:255.255.255.0
> endere??o inet6: fe80::206:4fff:fe5f:b31e/64 Escopo:Link
> UP BROADCAST RUNNING MULTICAST MTU:1500 M??trica:1
> pacotes RX:2314056 erros:0 descartados:0 excesso:0 quadro:0
> Pacotes TX:686243 erros:0 descartados:0 excesso:0 portadora:0
> colis??es:0 txqueuelen:0
> RX bytes:640911673 (640.9 MB) TX bytes:499301746 (499.3 MB)
>
> eth0 Link encap:Ethernet Endere??o de HW 00:06:4f:5f:b3:1e
> endere??o inet6: fe80::206:4fff:fe5f:b31e/64 Escopo:Link
> UP BROADCAST RUNNING MULTICAST MTU:1500 M??trica:1
> pacotes RX:197138752 erros:0 descartados:0 excesso:0 quadro:0
> Pacotes TX:171287420 erros:0 descartados:0 excesso:0 portadora:0
> colis??es:0 txqueuelen:1000
> RX bytes:1122327687 (1.1 GB) TX bytes:1558614907 (1.5 GB)
> IRQ:18
>
> eth1 Link encap:Ethernet Endere??o de HW 00:1e:8c:d2:2e:e9
> endere??o inet6: fe80::21e:8cff:fed2:2ee9/64 Escopo:Link
> UP BROADCAST RUNNING MULTICAST MTU:1500 M??trica:1
> pacotes RX:171297851 erros:1 descartados:0 excesso:0 quadro:1
> Pacotes TX:197160512 erros:0 descartados:0 excesso:0 portadora:0
> colis??es:0 txqueuelen:1000
> RX bytes:1561386827 (1.5 GB) TX bytes:1915548351 (1.9 GB)
> IRQ:25 Endere??o de E/S:0x4000
>
> lo Link encap:Loopback Local
> inet end.: 127.0.0.1 Masc:255.0.0.0
> endere??o inet6: ::1/128 Escopo:M??quina
> UP LOOPBACK RUNNING MTU:16436 M??trica:1
> pacotes RX:40 erros:0 descartados:0 excesso:0 quadro:0
> Pacotes TX:40 erros:0 descartados:0 excesso:0 portadora:0
> colis??es:0 txqueuelen:0
> RX bytes:3690 (3.6 KB) TX bytes:3690 (3.6 KB)
>
>
>
> Thank you Friend!
>
>
> Bst Rgds
> Luiz
>
>
>
> 2010/1/12 <tproxy-request at lists.balabit.hu>:
>> Send tproxy mailing list submissions to
>> ? ? ? ?tproxy at lists.balabit.hu
>>
>> To subscribe or unsubscribe via the World Wide Web, visit
>> ? ? ? ?https://lists.balabit.hu/mailman/listinfo/tproxy
>> or, via email, send a message with subject or body 'help' to
>> ? ? ? ?tproxy-request at lists.balabit.hu
>>
>> You can reach the person managing the list at
>> ? ? ? ?tproxy-owner at lists.balabit.hu
>>
>> When replying, please edit your Subject line so it is more specific
>> than "Re: Contents of tproxy digest..."
>>
>>
>> Today's Topics:
>>
>> ? 1. Re: tproxy Digest, Vol 55, Issue 4 (Luiz Biazus)
>> ? 2. Re: tproxy Digest, Vol 55, Issue 4 (KOVACS Krisztian)
>>
>>
>> ----------------------------------------------------------------------
>>
>> Message: 1
>> Date: Mon, 11 Jan 2010 09:05:25 -0200
>> From: Luiz Biazus <luiz at biazus.com>
>> Subject: Re: [tproxy] tproxy Digest, Vol 55, Issue 4
>> To: tproxy at lists.balabit.hu
>> Message-ID:
>> ? ? ? ?<8ecc30771001110305l2ab305e4h757f48a39fc97d95 at mail.gmail.com>
>> Content-Type: text/plain; charset=ISO-8859-1
>>
>> about this procedures:
>>
>> ?ip rule add dev eth0 fwmark 1 lookup 100
>> ?ip rule add dev eth1 fwmark 1 lookup 100
>> ?ip rule add dev br0 fwmark 1 lookup 100
>>
>>
>> It doesnt works
>>
>>
>> Thank you ?Krisztian
>>
>>
>>
>>
>>
>> 2010/1/11 ?<tproxy-request at lists.balabit.hu>:
>>> Send tproxy mailing list submissions to
>>> ? ? ? ?tproxy at lists.balabit.hu
>>>
>>> To subscribe or unsubscribe via the World Wide Web, visit
>>> ? ? ? ?https://lists.balabit.hu/mailman/listinfo/tproxy
>>> or, via email, send a message with subject or body 'help' to
>>> ? ? ? ?tproxy-request at lists.balabit.hu
>>>
>>> You can reach the person managing the list at
>>> ? ? ? ?tproxy-owner at lists.balabit.hu
>>>
>>> When replying, please edit your Subject line so it is more specific
>>> than "Re: Contents of tproxy digest..."
>>>
>>>
>>> Today's Topics:
>>>
>>> ? 1. EADDRNOTAVAIL from connect, but only sometimes (Ron Parker)
>>> ? 2. Re: Correct kernel version with tproxy (KOVACS Krisztian)
>>>
>>>
>>> ----------------------------------------------------------------------
>>>
>>> Message: 1
>>> Date: Sun, 10 Jan 2010 19:46:58 -0500
>>> From: Ron Parker <rparker at movik.net>
>>> Subject: [tproxy] EADDRNOTAVAIL from connect, but only sometimes
>>> To: "tproxy at lists.balabit.hu" <tproxy at lists.balabit.hu>
>>> Message-ID:
>>> ? ? ? ?<5D6AFCAC2AD9424D816711D1AF4FE8441BDE791924 at MAILR014.mail.lan>
>>> Content-Type: text/plain; charset="us-ascii"
>>>
>>> Hi,
>>>
>>> We are using the tproxy patch for Linux 2.6.24 (Ubuntu 8.0.4). ? When placing outgoing connections, we use the original socket address (4-tuple) ?in the bind and set SO_REUSEADDR on the socket. ? The sequence we are having difficulty with is:
>>>
>>>
>>> * ? ? ? ? Client connects to transparent proxy
>>>
>>> * ? ? ? ? Transparent proxy connects to remote server
>>>
>>> * ? ? ? ? Normal data transfer...
>>>
>>> * ? ? ? ? Remote server closes the connection (but client connection is maintained)
>>>
>>> * ? ? ? ? Transparent proxy attempts to connect again to remote server using the original 4-tuple (again)
>>>
>>> o ? Bind succeeds
>>>
>>> o ? Connect fails with EADDRNOTAVAIL
>>>
>>> The original socket is probably in TIME_WAIT at this point. ? I thought the SO_REUSEADDR would take care of the problem. ?What am I missing here?
>>>
>>> Thanks.
>>>
>>> ? Ron
>>> -------------- next part --------------
>>> An HTML attachment was scrubbed...
>>> URL: http://lists.balabit.hu/pipermail/tproxy/attachments/20100110/131ed993/attachment.html
>>>
>>> ------------------------------
>>>
>>> Message: 2
>>> Date: Mon, 11 Jan 2010 09:56:14 +0100
>>> From: KOVACS Krisztian <hidden at balabit.hu>
>>> Subject: Re: [tproxy] Correct kernel version with tproxy
>>> To: tproxy at lists.balabit.hu
>>> Message-ID: <4B4AE7AE.4060601 at balabit.hu>
>>> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>>>
>>> Hi,
>>>
>>> On 01/09/2010 07:40 PM, Alexandre Correa wrote:
>>>> What?s the best version of kernel for using tproxy ?
>>>>
>>>> 2.6.{28|29|30|31} ?
>>>>
>>>> seems with 2.6.32 has issues with.. true ?
>>>
>>> .31, I'd say. Yes, 2.6.32 has issues, you either need the workaround
>>> mentioed on this mailing list a few days ago, or wait for a -stable
>>> release fixing the issue (2.6.32.3 doesn't have the fix).
>>>
>>> Cheers,
>>> Krisztian
>>>
>>>
>>> ------------------------------
>>>
>>> _______________________________________________
>>> tproxy mailing list
>>> tproxy at lists.balabit.hu
>>> https://lists.balabit.hu/mailman/listinfo/tproxy
>>>
>>>
>>> End of tproxy Digest, Vol 55, Issue 4
>>> *************************************
>>>
>>
>>
>> ------------------------------
>>
>> Message: 2
>> Date: Mon, 11 Jan 2010 13:06:37 +0100
>> From: KOVACS Krisztian <hidden at balabit.hu>
>> Subject: Re: [tproxy] tproxy Digest, Vol 55, Issue 4
>> To: tproxy at lists.balabit.hu
>> Message-ID: <4B4B144D.3090800 at balabit.hu>
>> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>>
>> On 01/11/2010 12:05 PM, Luiz Biazus wrote:
>>> about this procedures:
>>>
>>> ? ip rule add dev eth0 fwmark 1 lookup 100
>>> ? ip rule add dev eth1 fwmark 1 lookup 100
>>> ? ip rule add dev br0 fwmark 1 lookup 100
>>>
>>>
>>> It doesnt works
>>
>> You mean it doesn't work at all?
>>
>> Do you have /proc/sys/net/ipv4/conf/*/rp_filter enabled?
>>
>> Cheers,
>> Krisztian
>>
>>
>> ------------------------------
>>
>> _______________________________________________
>> tproxy mailing list
>> tproxy at lists.balabit.hu
>> https://lists.balabit.hu/mailman/listinfo/tproxy
>>
>>
>> End of tproxy Digest, Vol 55, Issue 5
>> *************************************
>>
>
>
> ------------------------------
>
> Message: 2
> Date: Tue, 12 Jan 2010 13:41:32 +0100
> From: KOVACS Krisztian <hidden at balabit.hu>
> Subject: Re: [tproxy] tproxy Digest, Vol 55, Issue 5
> To: tproxy at lists.balabit.hu
> Message-ID: <4B4C6DFC.5060303 at balabit.hu>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> Hi,
>
> On 01/12/2010 12:27 PM, Luiz Biazus wrote:
>> Hello Krisztian!
>>
>> is that what i mean!
>>
>> follow my full configuration:
>>
>> echo 1> /proc/sys/net/ipv4/ip_forward
>> echo 1> /proc/sys/net/ipv4/ip_nonlocal_bind
>> echo 1> /proc/sys/net/ipv4/conf/eth0/rp_filter
>> echo 1> /proc/sys/net/ipv4/conf/eth1/rp_filter
>> echo 1> /proc/sys/net/ipv4/conf/br0/rp_filter
>> echo 1> /proc/sys/net/ipv4/conf/lo/rp_filter
>> echo 1> /proc/sys/net/ipv4/conf/all/forwarding
>> echo 1> /proc/sys/net/ipv4/conf/all/send_redirects
>
> You should try and disable rp_filter -- I think that won't out-of-the
> box with the routing rules you have.
>
> echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter
> echo 0 > /proc/sys/net/ipv4/conf/eth1/rp_filter
> echo 0 > /proc/sys/net/ipv4/conf/br0/rp_filter
> echo 0 > /proc/sys/net/ipv4/conf/lo/rp_filter
>
> Cheers,
> Krisztian
>
>
> ------------------------------
>
> _______________________________________________
> tproxy mailing list
> tproxy at lists.balabit.hu
> https://lists.balabit.hu/mailman/listinfo/tproxy
>
>
> End of tproxy Digest, Vol 55, Issue 6
> *************************************
>
More information about the tproxy
mailing list