[tproxy] Tproxy Issue :: For React Message
Chinmay Mahata
chinmay_mahata at rediffmail.com
Wed Apr 3 17:42:17 CEST 2013
Hi All,
I am new to this group and hope I have posted my (big) problem in the right place.
I am doing some tests in my network using tproxy and a scanner process on a server (bridged/inline) machine.
Packets such as HTTP requests from my LAN side go to the tproxy process, then pass through a scanner process and are finally sent out to the internet.
Topology:
LAN (192.168.11.0/24) <-----> Tprox-Server (bridge - 192.168.11.231) <-----> (192.168.11.1)router <------> Internet
          +-------------------------------------+
          |  +--------+        +-----------+    |
LAN ------+  | tproxy |<------>|  scanner  |    +------ WAN
      eth0|  +--------+        +-----------+    |eth1
          +-------------------------------------+
                       Tprox-server
iface ETH1 with no IP configured (connected to the gateway IP 192.168.11.1)
iface ETH0 with no IP configured (all the clients are behind this interface, 192.168.11.0/24)
br0 with IP address 192.168.11.231, with ports ETH0 (lan) and ETH1 (wan).
I have this test platform:
Fedora 13 (Linux)
kernel 2.6.34.9
iptables 1.4.7
tproxy process running on port 8080
Used the proc interface to set the following:
echo 0 > /proc/sys/net/ipv4/conf/lo/rp_filter
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 0 > /proc/sys/net/ipv4/conf/eth1/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/br0/rp_filter
iptables/ebtables rules:
iptables -t mangle -N DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 0x01/0x01
iptables -t mangle -A DIVERT -j ACCEPT
iptables -t mangle -A PREROUTING -p tcp -m tcp --sport 80 -m socket -j DIVERT
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 8080 --on-ip 0.0.0.0
ebtables -t broute -A BROUTING -i eth0 -p ipv4 --ip-proto tcp --ip-dport 80 -j redirect --redirect-target DROP
ebtables -t broute -A BROUTING -i ! eth0 -p ipv4 --ip-proto tcp --ip-sport 80 -j redirect --redirect-target DROP
Policy routing:
ip rule add fwmark 1 lookup 1
ip route add local 0.0.0.0/0 dev lo table 1
Till here everything is working fine. I can access the Internet through the tproxy and scanner process.
BUT --
In the scanner process I have a reaction mechanism: if the scanner finds something bad in the packet it sends back a customized response/reaction to the client/browser and drops the packet (by hijacking the session). This scanner snips the packets in the OUTPUT chain of the filter table.
With this tproxy configuration/setting, it seems the reacting method is not working. The client browser keeps on waiting for the response without success, and finally gives a "server down" kind of message in the browser window.
Using iptables trace, it seems that the scanner directly sends the react message to the client browser (the message is seen in the OUTPUT and POSTROUTING chains), but since the sequence and acknowledgement numbers do match, the browser drops the react message. (The react message should go to tproxy from the scanner, then from tproxy to the client browser.)
Then I used the following iptables rule so that the react packet is sent back to the tproxy from the OUTPUT chain.
iptables -t mangle -A OUTPUT -d 192.168.11.0/24 -p tcp -m tcp --sport 80 -m owner --uid-owner scan -j DIVERT
(where the scanner module is running under user scan)
But now it seems that the packet is getting dropped after the OUTPUT chain. I cannot trace the packet in the INPUT chain, not even in the POSTROUTING chain. I think the packet is getting dropped somewhere in the routing subsystem (policy routing).
Please help me overcome the problem. Also please let me know if you need any more information.
Best regards,
--Chinmay
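As an added example (not from the post or the tproxy project), a small Python checker that parses iptables-save, `ip rule show` and `ip route show table N` style text and verifies that the pieces of a TPROXY diversion like the one above agree with each other: the socket match precedes the TPROXY rule, the TPROXY and DIVERT marks are the same, an ip rule keys on that mark, and the selected table routes everything to lo. The sample inputs are constructed to mirror the rules in the post, and the function name is my own.

```python
import re

# Constructed sample text in iptables-save / `ip rule show` / `ip route show table 1`
# style, modelled on the rules in the post (not captured from the poster's machine).
MANGLE = """\
*mangle
:DIVERT - [0:0]
-A PREROUTING -p tcp -m tcp --sport 80 -m socket -j DIVERT
-A PREROUTING -p tcp -m tcp --dport 80 -j TPROXY --on-port 8080 --on-ip 0.0.0.0 --tproxy-mark 0x1/0x1
-A DIVERT -j MARK --set-xmark 0x1/0x1
-A DIVERT -j ACCEPT
COMMIT
"""
IP_RULES = "0:\tfrom all lookup local\n32765:\tfrom all fwmark 0x1 lookup 1\n32766:\tfrom all lookup main\n"
TABLES = {"1": "local default dev lo scope host\n"}  # table id -> `ip route show table <id>` text

def check_tproxy_config(mangle, ip_rules, tables):
    """Return a list of problems; an empty list means the four pieces agree."""
    problems = []
    pre = [l for l in mangle.splitlines() if l.startswith("-A PREROUTING ")]
    # index of the '-m socket -j DIVERT' rule (a literal "--m socket" typo would not match)
    sock = next((i for i, l in enumerate(pre)
                 if re.search(r"\s-m socket\b", l) and "-j DIVERT" in l), None)
    tp = next((i for i, l in enumerate(pre) if "-j TPROXY" in l), None)
    if sock is None:
        problems.append("PREROUTING has no '-m socket -j DIVERT' rule: established flows bypass the proxy")
    if tp is None:
        problems.append("PREROUTING has no TPROXY rule")
        return problems
    if sock is not None and sock > tp:
        problems.append("the '-m socket' rule must come before the TPROXY rule")
    # the mark set by TPROXY and by the DIVERT chain must be the same value
    tp_mark = re.search(r"--tproxy-mark (0x[0-9a-f]+)", pre[tp])
    div_mark = re.search(r"^-A DIVERT -j MARK --set-x?mark (0x[0-9a-f]+)", mangle, re.M)
    if not (tp_mark and div_mark) or int(tp_mark[1], 16) != int(div_mark[1], 16):
        problems.append("TPROXY mark and DIVERT mark differ or are missing")
        return problems
    mark = int(tp_mark[1], 16)
    # an ip rule must key on that mark, and its table must deliver everything locally via lo
    rule = re.search(r"fwmark (0x[0-9a-f]+|\d+)(?:/\S+)? lookup (\S+)", ip_rules)
    if not rule or int(rule[1], 0) != mark:
        problems.append("no 'ip rule ... fwmark %#x lookup <table>' entry" % mark)
        return problems
    table = tables.get(rule[2], "")
    if not re.search(r"^local (default|0\.0\.0\.0/0) dev lo\b", table, re.M):
        problems.append("table %s has no 'local default dev lo' route" % rule[2])
    return problems

if __name__ == "__main__":
    for p in check_tproxy_config(MANGLE, IP_RULES, TABLES) or ["TPROXY diversion looks consistent"]:
        print(p)
```

Feed it the real output of `iptables-save -t mangle`, `ip rule show` and `ip route show table 1` from the bridge host to see which of the four pieces disagrees.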