[tproxy] Easiest way to install tproxy on Ubuntu 10.04 for regular laymen users

Balazs Scheidler bazsi at balabit.hu
Sat Oct 23 17:40:25 CEST 2010

On Sat, 2010-10-23 at 00:09 -0500, SM wrote:
> Yes, it is!! Awesome. From the README.txt file, I was of the opinion
> that the kernel needs to be patched and compiled.
> I have the following scenario:
>   All UDP packets coming in and going out of port 5060 need to be
> redirected to port 56789. An application running on port 56789 must
> parse them, modify them and send them to their intended destinations.
> I must take care that packets coming from remote machine to local
> machine:5060 are FIRST received at local machine:56789, and then,
> after modification, sent to local machine:5060 with a spoofed header
> suggesting that it came from remote machine.
> The incoming packets can be handled by this rule:
>      iptables -t mangle -A PREROUTING -p udp --dport 5060 -j TPROXY
> --on-port 56789  --tproxy-mark 0x1/0x1
> How should I handle the outgoing packets for 5060? Mangle table's
> OUTPUT rule does not take tproxy as a target.

In order to spoof UDP source addresses in packets towards the localhost,
you don't need a TPROXY target. You need to modify the proxy to set the
IP_TRANSPARENT setsockopt, bind the socket towards the local host to the
address of the client and then use sendto().

Also, please note that this will only work if your traffic is
unidirectional (e.g. you only send a frame and never receive one)
because the response packets generated by the local stack will not be
redirected by tproxy, thus they'll go directly to the original client.

Frames sent to the server & redirected by TPROXY:

client -> proxy -> local server

Reverse direction, frames sent by the server to the client:
local server -> client

I.e. the proxy will never receive these frames.

This is why TCP will _not_ work towards the local host. If you want
that, you need to use NAT, which reroutes traffic properly.

Also, although TPROXY is compiled into Ubuntu 10.04, we've just
posted UDP fixes to mainline (see netfilter-devel archives). You may or
may not be affected; I just wanted to tell you that there are fixes not yet
in your kernel.
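The spoofed-source send that the reply describes (IP_TRANSPARENT, bind to the client's address, then sendto()), written out as an added example. This is not code from the list post or from the tproxy project; it is a minimal illustration of the outbound half of the proxy only. The client address 192.0.2.10, the SIP-looking payload and the 5060/56789 port pairing are assumptions taken from the scenario in the thread, and the program must run with CAP_NET_ADMIN (root) on Linux, because both the IP_TRANSPARENT setsockopt and the non-local bind are refused otherwise.

```c
/* Added example (not from the tproxy mailing list post): forward an
 * already-modified UDP datagram to a local server while spoofing the
 * remote client's source address via IP_TRANSPARENT. Linux only; needs
 * CAP_NET_ADMIN, otherwise setsockopt(IP_TRANSPARENT) fails with EPERM. */
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Fill an IPv4 sockaddr from dotted-quad text; -EINVAL on a bad address. */
static int fill_sockaddr(const char *ip, uint16_t port, struct sockaddr_in *sa)
{
    memset(sa, 0, sizeof(*sa));
    sa->sin_family = AF_INET;
    sa->sin_port = htons(port);
    if (inet_pton(AF_INET, ip, &sa->sin_addr) != 1)
        return -EINVAL;
    return 0;
}

/* Open a UDP socket bound to an address that is NOT configured on any
 * local interface (the remote client's). IP_TRANSPARENT is what makes the
 * kernel accept that bind. Returns a descriptor or -errno (-EPERM when
 * the caller lacks CAP_NET_ADMIN / CAP_NET_RAW). */
static int open_transparent_udp(const char *spoof_ip, uint16_t spoof_port)
{
    struct sockaddr_in src;
    int fd, one = 1, rc;

    rc = fill_sockaddr(spoof_ip, spoof_port, &src);
    if (rc < 0)
        return rc;
    fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0)
        return -errno;
    /* Without IP_TRANSPARENT the bind() below fails with EADDRNOTAVAIL. */
    if (setsockopt(fd, SOL_IP, IP_TRANSPARENT, &one, sizeof(one)) < 0 ||
        bind(fd, (struct sockaddr *)&src, sizeof(src)) < 0) {
        rc = -errno;          /* save before close() can clobber errno */
        close(fd);
        return rc;
    }
    return fd;
}

/* Send the rewritten datagram towards the local server. The packet leaves
 * with the spoofed source, so the server sees it as coming straight from
 * the client. Returns bytes sent or -errno. */
static ssize_t send_as_client(int fd, const void *buf, size_t len,
                              const char *dst_ip, uint16_t dst_port)
{
    struct sockaddr_in dst;
    ssize_t n;

    if (fill_sockaddr(dst_ip, dst_port, &dst) < 0)
        return -EINVAL;
    n = sendto(fd, buf, len, 0, (struct sockaddr *)&dst, sizeof(dst));
    return n < 0 ? -errno : n;
}

int main(void)
{
    /* Constructed sample input: 192.0.2.10 stands in for the remote client
     * whose datagram TPROXY delivered to the proxy on port 56789, and the
     * payload is the proxy's already-modified version of it. */
    const char *client_ip = "192.0.2.10";
    const char payload[] = "OPTIONS sip:local SIP/2.0\r\n\r\n";
    int fd = open_transparent_udp(client_ip, 5060);
    ssize_t n;

    if (fd < 0) {
        fprintf(stderr, "open_transparent_udp: %s\n", strerror(-fd));
        return 1;
    }
    n = send_as_client(fd, payload, sizeof(payload) - 1, "127.0.0.1", 5060);
    if (n < 0)
        fprintf(stderr, "sendto: %s\n", strerror(-n));
    else
        printf("sent %zd bytes to 127.0.0.1:5060 as %s:5060\n", n, client_ip);
    /* Caveat from the thread: whatever the local server answers is routed
     * normally to 192.0.2.10; TPROXY never hands the reply to this proxy. */
    close(fd);
    return n < 0;
}
```

The receiving half (a socket on 56789 with IP_TRANSPARENT set, fed by the PREROUTING TPROXY rule) is left out here; only the send path the reply discusses is shown. Note that the reply packets from port 5060 never pass through this process, which is exactly the unidirectional restriction the post points out.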

