[tproxy] Tproxy Issue :: For React Message

Chinmay Mahata chinmay_mahata at rediffmail.com
Wed Apr 3 17:42:17 CEST 2013

Hi All,

    I am new to this group and hope I have posted my (big) problem in the right place.

    I am doing some tests in my network using tproxy and a scanner process on a server (bridged/inline) machine.
Packets such as HTTP requests from my LAN side go to the tproxy process, then pass through a scanner process and are finally sent out to the Internet.

LAN ( <-----> Tprox-Server (bridge - <-----> ( <------> Internet

               |  +--------+        +---------+  |
 LAN ----------+  | tproxy |<------>| scanner |  +---------- WAN
          eth0 |  +--------+        +---------+  | eth1

    iface ETH1 with no ip configured (connected in a gw ip
    iface ETH0 with no ip configured(all the clients behind this interface
    br0 with ip address with ports ETH0(lan) and ETH1(wan).

I have this test platform:
    Fedora 13 (Linux)
    iptables 1.4.7
    tproxy process running on port 8080

Used proc interface for setting following:
    echo 0 > /proc/sys/net/ipv4/conf/lo/rp_filter
    echo 1 > /proc/sys/net/ipv4/ip_forward
    echo 0 > /proc/sys/net/ipv4/conf/eth1/rp_filter
    echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter
    echo 0 > /proc/sys/net/ipv4/conf/br0/rp_filter

iptables/ebtables rules:
    iptables -t mangle -N DIVERT
    iptables -t mangle -A DIVERT -j MARK --set-mark 0x01/0x01
    iptables -t mangle -A DIVERT -j ACCEPT
    iptables -t mangle -A PREROUTING -p tcp -m tcp --sport 80 -m socket -j DIVERT
    iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 8080 --on-ip

    ebtables -t broute -A BROUTING -i eth0 -p ipv4 --ip-proto tcp --ip-dport 80 -j redirect --redirect-target DROP
    ebtables -t broute -A BROUTING -i ! eth0 -p ipv4 --ip-proto tcp --ip-sport 80 -j redirect --redirect-target DROP

Policy routing:
    ip rule add fwmark 1 lookup 1
    ip route add local dev lo table 1

Till here everything is working fine. I can access the Internet through the tproxy and scanner process.

BUT --

In the scanner process I have a reaction mechanism: if the scanner finds something bad in the packet, it sends back a customized response/reaction to the client/browser and drops the packet (by hijacking the session). This scanner snips the packets in the OUTPUT chain of the filter table.
    With this tproxy configuration/setting, it seems the reacting method is not working. The client browser keeps on waiting for the response without success, and finally gives a "server down" kind of message in the browser window.

    Using iptables trace, it seems that the scanner directly sends the react message to the client browser (the message is seen in the OUTPUT and POSTROUTING chains), but since the sequence and acknowledge numbers do match the browser drops the react message. (The react message should go to tproxy from the scanner, then from tproxy to the client browser).

Then I used the following iptables rule so that the react packet is sent back to the tproxy from the OUTPUT chain:
    iptables -t mangle -A OUTPUT -d -p tcp -m tcp --sport 80 -m owner --uid-owner scan -j DIVERT
    (where the scanner module is running under user scan)
But now it seems that the packet is getting dropped after the OUTPUT chain; I cannot trace the packet in the INPUT chain, not even in the POSTROUTING chain. I think the packet is getting dropped somewhere in the routing subsystem (policy routing).

Please help me how to overcome the problem. Also please let me know if you need any more information.

Best regards,
