[tproxy] Sample/test code

Balazs Scheidler bazsi at balabit.hu
Tue May 3 20:02:33 CEST 2011


On Mon, 2011-05-02 at 19:42 +0800, 文剑 wrote:
> Hi,
> 
> I want to write a fully transparent proxy too.
> 
> Squid and haproxy are so complicated that i can't quickly understand
> how tproxy works.
> And I am new to iptables.
> If there were a sample piece of code which is simple, I think it would
> be helpful.
> 
> I wrote some code which failed at initiating connections with a
> foreign address as a source.
> The reason is a timeout while attempting the connection.
> Where am I wrong?
> 
> Thanks.
> 
> 
> My code:
> 
> #include <stdio.h>
> #include <string.h>
> #include <arpa/inet.h>
> #include <netinet/in.h>
> #include <sys/socket.h>
> #include <unistd.h>
> 
> #define NON_LOCAL_IP "192.168.111.23"
> #define NON_LOCAL_PORT 2000
> 
> int main(void)
> {
>     struct sockaddr_in non_local_addr, dst_addr;
>     int optvalue = 1;
>     int sockfd = socket(AF_INET, SOCK_STREAM, 0);
>     if (sockfd < 0) { perror("socket"); return 1; }
> 
>     /* source address that is NOT configured on this box */
>     memset(&non_local_addr, 0, sizeof(non_local_addr));
>     non_local_addr.sin_family = AF_INET;
>     inet_pton(AF_INET, NON_LOCAL_IP, &non_local_addr.sin_addr);
>     non_local_addr.sin_port = htons(NON_LOCAL_PORT);
> 
>     setsockopt(sockfd, SOL_SOCKET, SO_REUSEADDR, &optvalue, sizeof(optvalue));
>     /* IP_TRANSPARENT permits the non-local bind; needs CAP_NET_ADMIN */
>     if (setsockopt(sockfd, SOL_IP, IP_TRANSPARENT, &optvalue, sizeof(optvalue)) < 0) {
>         perror("setsockopt(IP_TRANSPARENT)"); return 1;
>     }
>     if (bind(sockfd, (struct sockaddr *)&non_local_addr, sizeof(non_local_addr)) < 0) {
>         perror("bind"); return 1;
>     }
> 
>     memset(&dst_addr, 0, sizeof(dst_addr));
>     dst_addr.sin_family = AF_INET;
>     dst_addr.sin_addr.s_addr = inet_addr("192.168.1.1");
>     dst_addr.sin_port = htons(80);
> 
>     if (connect(sockfd, (struct sockaddr *)&dst_addr, sizeof(dst_addr)) < 0) {
>         perror("connect");   /* fails with ETIMEDOUT */
>         return 1;
>     }
>     close(sockfd);
>     return 0;
> }

Are you sure the reverse direction is routed back through your box? That
is needed for tproxy to pick up packets.

E.g. the server should route client-destined packets using your box as a
gateway.

-- 
Bazsi
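The return-path setup Bazsi is asking about, written out as an added example that is not part of the original thread: the policy routing and netfilter rules the proxy box needs so that packets belonging to a transparent socket (such as the server's SYN-ACK addressed to the spoofed client address) are delivered locally instead of forwarded, plus the route on the server that sends client-bound traffic back via the proxy box. The proxy listening port 3128, the client network 192.168.111.0/24, the proxy's address on the server side 192.168.1.254, mark 1 and routing table 100 are assumptions; the DIVERT/TPROXY layout is the usual one. Commands are printed rather than executed unless DRY_RUN=0, so the generated rules can be reviewed first.

```shell
#!/bin/sh
# Added example (not from the thread): routing and netfilter setup for a
# TPROXY box that initiates upstream connections from a spoofed client
# address. All addresses, the port, the mark and the table number are
# assumptions; adjust them to the real topology.
#
# DRY_RUN=1 (default) prints the commands; DRY_RUN=0 executes them.

PROXY_PORT=${PROXY_PORT:-3128}                 # proxy's listening port (assumed)
CLIENT_NET=${CLIENT_NET:-192.168.111.0/24}     # addresses the proxy spoofs (assumed)
PROXY_SERVER_SIDE_IP=${PROXY_SERVER_SIDE_IP:-192.168.1.254}  # proxy as seen by the server (assumed)
MARK=1
TABLE=100

run() {
    if [ "${DRY_RUN:-1}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Proxy box: marked packets are looked up in a table whose only route says
# "deliver locally", which is how a packet for 192.168.111.23 (not a local
# address) reaches the proxy's transparent socket.
proxy_routing() {
    run sysctl -w net.ipv4.ip_forward=1
    run ip rule add fwmark "$MARK" lookup "$TABLE"
    run ip route add local 0.0.0.0/0 dev lo table "$TABLE"
}

# Proxy box: netfilter side.
#  1. -m socket matches packets that already belong to a local socket,
#     including transparent ones bound to foreign addresses; the DIVERT
#     chain marks them so the rule above delivers them locally. Without
#     this the server's SYN-ACK is simply forwarded on towards the client
#     and connect() on the proxy times out.
#  2. New client connections to port 80 are handed to the proxy's listener
#     with the original destination left untouched.
proxy_netfilter() {
    run iptables -t mangle -N DIVERT
    run iptables -t mangle -A DIVERT -j MARK --set-mark "$MARK"
    run iptables -t mangle -A DIVERT -j ACCEPT
    run iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
    run iptables -t mangle -A PREROUTING -p tcp -s "$CLIENT_NET" --dport 80 \
        -j TPROXY --on-port "$PROXY_PORT" --tproxy-mark "$MARK/$MARK"
}

# Server (192.168.1.1 in the thread): replies for the client network must
# travel via the proxy box, or the spoofed connection never completes.
# Using the proxy as the default gateway works just as well.
server_return_route() {
    run ip route add "$CLIENT_NET" via "$PROXY_SERVER_SIDE_IP"
}

# Post-apply check on the proxy box (meaningful with DRY_RUN=0 only):
# both the fwmark rule and the local route must exist. Returns 0 if so.
verify_proxy() {
    ip rule show | grep -q "fwmark" || return 1
    ip route show table "$TABLE" | grep -q "^local" || return 1
    return 0
}

# Dispatch: "proxy" or "server" selects which side to configure; with no
# argument nothing is applied, so the file can also be sourced.
case "${1:-}" in
    proxy)  proxy_routing; proxy_netfilter ;;
    server) server_return_route ;;
esac
```

To apply for real: `DRY_RUN=0 sh tproxy-setup.sh proxy` on the proxy box and `DRY_RUN=0 sh tproxy-setup.sh server` on the server, then run `verify_proxy` (or simply `tcpdump -ni any host 192.168.111.23` on the proxy box) to confirm the SYN-ACK arrives and is not forwarded away.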
