[tproxy] proxy app and server app on the same host
for-forums at mutluit.com
Sun Jan 18 00:56:57 CET 2015
TPROXY works fine if the server application is on a different host,
and if that host has the proxy host defined as its gateway.
I have this special tproxy requirement:
A transparent proxy program needs to sit between client and server program,
ie. like a MITM, and both (proxy pgm and server pgm) must be on the same host.
The host has only one physical interface (eth0).
So, I have to move the server app to the proxy host.
But then TPROXYing no more functions.
I'm sure it's a routing problem, but I couldn't find a solution yet.
I know some advanced routing (policy routing), ie. using different routine
tables and assigning rules for them etc., but if everything is on the same
host then somewhere it hangs; the SYN-ACK of the server app doesn't receive
the proxy pgm, it seems to go out to the internet.
I also tried with alias IPs, virtual subnets, and also with tap devices,
unfortunately the results so far are negative :-(
The author of haproxy writes at their web site
"We also need to ensure that we have the correct architecture for the TPROXY
trick to work. Using the normal HAProxy you can have real servers anywhere on
the internet because the source address always points back at the HAProxy
units IP address. However if the clients source IP address is going to be used
then the HAProxy server MUST BE IN THE PATH of the return traffic.
The easiest way to do this is to put the backend servers in a different subnet
to the front end clients and make sure that the default gateway points back at
the HAProxy load balancer.
NB. With clever routing this should be possible on the same subnet but I
haven’t tried that yet!
So, I'm looking for the above said "clever routing" solution.
Could someone help me please?
My environment: recent Linux kernel (3.16), Debian 8, x86_64
More information about the tproxy