On Thu, Mar 28, 2002 at 04:02:46PM +0100, Henrik Nordstrom wrote:
> Balazs Scheidler wrote:
> >
> > > Where is the "possible transparent proxy entries" defined? Internally in
> > > TPROXY, or in the host IP stack socket table?
> >
> > in TPROXY.
> >
> > > I guess this would be the rule table telling what should be diverted by
> > > TPROXY, which from my understanding would be your iptables ruleset...
> >
> > No. I have
>
> You have what? Seems to be part of the message missing here..??
Yes, sorry. There's a translation table in TPROXY independent from the tproxy iptables table. The rules are in the iptables table called 'tproxy', which contains one transparent proxy rule for each service needed. As a connection is established, a new entry is added to the translation table with: remote addr/remote port, original dest/original port, local dest/local port. Then both the prerouting and the local output hooks perform translation of the packet flow according to the translation table. In a sense this table is similar to the conntrack tables, with the exception that the primary focus is to assign packet endpoints to local sockets, identified by their own IP/port pair. Thus the connection between a redirected session and a local socket is not the socket layer but this translation table, therefore no packet with a foreign IP address enters the networking core.

-- 
Bazsi
PGP info: KeyID 9AF8D0A9  Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
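An added illustration of the translation table Bazsi describes, written for this page and not taken from TPROXY or from the thread: each redirected session gets one entry (remote, original dest, local socket), the prerouting hook rewrites the client's packets toward the local socket, and the local output hook rewrites the socket's replies back to the original server address. The addresses and ports are constructed sample values.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Entry:
    remote: tuple    # remote addr/port: the client
    original: tuple  # original dest/port: the real server
    local: tuple     # local dest/port: the proxy's listening socket


class TranslationTable:
    """Toy model of the TPROXY translation table (constructed, not kernel code)."""

    def __init__(self):
        self.by_remote = {}  # keyed by (remote addr, remote port)
        self.by_local = {}   # keyed by (local addr, local port)

    def add(self, remote, original, local):
        """Record a new entry when a redirected connection is established."""
        entry = Entry(remote, original, local)
        self.by_remote[remote] = entry
        self.by_local[local] = entry
        return entry

    def prerouting(self, pkt):
        """Inbound hook: client -> original server becomes client -> local socket."""
        entry = self.by_remote.get((pkt.src, pkt.sport))
        if entry is None or (pkt.dst, pkt.dport) != entry.original:
            return pkt  # not a redirected session: leave the packet untouched
        return replace(pkt, dst=entry.local[0], dport=entry.local[1])

    def local_output(self, pkt):
        """Outbound hook: local socket -> client becomes original server -> client."""
        entry = self.by_local.get((pkt.src, pkt.sport))
        if entry is None or (pkt.dst, pkt.dport) != entry.remote:
            return pkt
        return replace(pkt, src=entry.original[0], sport=entry.original[1])


def demo():
    table = TranslationTable()
    table.add(("10.0.0.5", 40001), ("203.0.113.10", 80), ("10.0.0.1", 3128))
    inbound = table.prerouting(Packet("10.0.0.5", 40001, "203.0.113.10", 80))
    reply = table.local_output(Packet("10.0.0.1", 3128, "10.0.0.5", 40001))
    unrelated = table.prerouting(Packet("10.0.0.9", 5000, "203.0.113.10", 80))
    return inbound, reply, unrelated
```

The proxy's socket only ever sees its own local IP/port pair on both directions, which is the property the message attributes to the table rather than to the socket layer.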