[tproxy] proxy app and server app on the same host

U.Mutlu for-forums at mutluit.com
Sun Jan 18 00:56:57 CET 2015


TPROXY works fine if the server application is on a different host,
and if that host has the proxy host defined as its gateway.

I have this special tproxy requirement:
A transparent proxy program needs to sit between client and server program,
ie. like a MITM, and both (proxy pgm and server pgm) must be on the same host.
The host has only one physical interface (eth0).

So, I have to move the server app to the proxy host.
But then TPROXYing no more functions.
I'm sure it's a routing problem, but I couldn't find a solution yet.
I know some advanced routing (policy routing), ie. using different routine 
tables and assigning rules for them etc., but if everything is on the same 
host then somewhere it hangs; the SYN-ACK of the server app doesn't receive 
the proxy pgm, it seems to go out to the internet.

I also tried with alias IPs, virtual subnets, and also with tap devices, 
unfortunately the results so far are negative :-(

The author of haproxy writes at their web site
"We also need to ensure that we have the correct architecture for the TPROXY 
trick to work. Using the normal HAProxy you can have real servers anywhere on 
the internet because the source address always points back at the HAProxy 
units IP address. However if the clients source IP address is going to be used 
then the HAProxy server MUST BE IN THE PATH of the return traffic.
The easiest way to do this is to put the backend servers in a different subnet 
to the front end clients and make sure that the default gateway points back at 
the HAProxy load balancer.
NB. With clever routing this should be possible on the same subnet but I 
haven’t tried that yet!

So, I'm looking for the above said "clever routing" solution.

Could someone help me please?

My environment: recent Linux kernel (3.16), Debian 8, x86_64


More information about the tproxy mailing list