lör 2007-01-20 klockan 11:48 +0530 skrev Logu:
> I got tproxy setup working. I have been facing problems with the test setup
> as the server response directly reached the clients without going through
> the proxy. I have prevented this by appropriately modifiying the static
> route on the server to send the response via the proxy.
Right. a TPROXY needs to be in the bidirectional packet flow.
> Now I have a question how to intercept the http response if the proxy is not
> on the path of the http traffic and some other device (another linux
> machine) is used to intercepts it.
In such case you need to use policy routing to route the traffic to the
TPROXY device, in both directions. To simplify decisions a bit it's
possible to use iptables CONNMARK to add a bit of state information to
the different but very similar connections seen.
Or if the TPROXY device is on the same LAN segment as the server then
you need to route the traffic destined to the server to the TPROXY
device instead, and set up routing on the server as you did above for
the return traffic.
Another alternative is to run the TPROXY as a proxy-arp router between
the router and the server.
It may also be possible to run the TPROXY server as a bridge between the
server(s) and the router, but I am not 100% sure about this.
In short, any method which makes the TPROXY server see all relevant
traffic in both directions is fine.
Personally I would recommend that the connection TPROXY <-> server is
using a different path to avoid confusion about which connection is
which. It can otherwise be a bit confusing to diagnose when you see two
different streams with the same source/destination.
Regards
Henrik
This archive was generated by hypermail pre-2.1.9 : Thu Feb 01 2007 - 12:00:01 MST