Sat 2007-01-20 at 11:48 +0530, Logu wrote:

> I got tproxy setup working. I have been facing problems with the test setup
> as the server response directly reached the clients without going through
> the proxy. I have prevented this by appropriately modifying the static
> route on the server to send the response via the proxy.

Right. A TPROXY needs to be in the bidirectional packet flow.

> Now I have a question how to intercept the http response if the proxy is not
> on the path of the http traffic and some other device (another linux
> machine) is used to intercept it.

In such case you need to use policy routing to route the traffic to the
TPROXY device, in both directions. To simplify decisions a bit it's possible
to use iptables CONNMARK to add a bit of state information to the different
but very similar connections seen.

Or if the TPROXY device is on the same LAN segment as the server then you
need to route the traffic destined to the server to the TPROXY device
instead, and set up routing on the server as you did above for the return
traffic.

Another alternative is to run the TPROXY as a proxy-arp router between the
router and the server.

It may also be possible to run the TPROXY server as a bridge between the
server(s) and the router, but I am not 100% sure about this.

In short, any method which makes the TPROXY server see all relevant traffic
in both directions is fine.

Personally I would recommend that the connection TPROXY <-> server is using
a different path to avoid confusion about which connection is which. It can
otherwise be a bit confusing to diagnose when you see two different streams
with the same source/destination.

Regards
Henrik
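An added example (not from Henrik's mail, Logu's setup or the Squid project) of the policy-routing plus CONNMARK arrangement described above, written for the intermediate Linux router in Logu's second scenario, i.e. the box that sits on the path and has to hand HTTP to an off-path TPROXY host in both directions. Interface and address names (TPROXY_IF, TPROXY_IP, CLIENT_NET, table 100, mark 1) are placeholders. The script only prints the commands unless APPLY=1 is set, so the rule order can be reviewed before it is run on a live router. It also covers the two points a practitioner runs into when the TPROXY <-> server leg is not on a separate path as Henrik recommends: packets arriving from the proxy interface are excluded before any mark is restored, otherwise the proxy's spoofed connection to the server (same source/destination tuple as the client's) would be routed straight back to the proxy, and reverse-path filtering is relaxed on that interface because the proxy sends with the clients' source addresses.

```shell
#!/bin/sh
# Added example, not Squid's or the original poster's configuration.
# Diverts client HTTP to an off-path TPROXY host from a Linux router in the
# middle, using policy routing and CONNMARK so server replies take the same
# path. All addresses and interface names below are assumptions.

TPROXY_IP="${TPROXY_IP:-192.0.2.10}"    # address of the TPROXY host (assumed)
TPROXY_IF="${TPROXY_IF:-eth2}"          # router interface facing the TPROXY host (assumed)
CLIENT_NET="${CLIENT_NET:-10.0.0.0/24}" # client subnet to intercept (assumed)
MARK=1                                  # fwmark used for diverted traffic
TABLE=100                               # routing table whose default route is the proxy

# Print each command unless APPLY=1, so the rule set can be reviewed first.
run() {
    if [ "${APPLY:-0}" = "1" ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

divert_rules() {
    # 1. Traffic coming back from the proxy host has already been intercepted
    #    (the proxy's connection to the server carries the client's address and
    #    port, so conntrack cannot tell it apart by tuple). Match on ingress
    #    interface and leave the chain before any mark can be restored.
    run iptables -t mangle -A PREROUTING -i "$TPROXY_IF" -j RETURN

    # 2. For packets of connections already seen, copy the connection mark back
    #    onto the packet. This is what sends the server's replies to the proxy:
    #    they belong to the same conntrack entry as the client's request.
    run iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
    run iptables -t mangle -A PREROUTING -m mark --mark "$MARK" -j RETURN

    # 3. A new client->server HTTP connection: mark the packet and store the
    #    mark in the conntrack entry so step 2 catches the rest of the flow.
    run iptables -t mangle -A PREROUTING -p tcp -s "$CLIENT_NET" --dport 80 \
        -j MARK --set-mark "$MARK"
    run iptables -t mangle -A PREROUTING -m mark --mark "$MARK" -j CONNMARK --save-mark

    # 4. Policy routing: marked packets use a table whose only route is the proxy.
    run ip rule add fwmark "$MARK" lookup "$TABLE"
    run ip route add default via "$TPROXY_IP" table "$TABLE"

    # 5. The proxy sends packets with the clients' source addresses on
    #    TPROXY_IF; strict reverse-path filtering would silently drop them.
    run sysctl -w "net.ipv4.conf.$TPROXY_IF.rp_filter=0"
}

divert_rules
```

The TPROXY host itself still needs its own interception rules (that side is not shown here), and the router must have a normal route to the clients and to the server for the non-HTTP and post-proxy traffic that falls through the RETURN rules. When reading the output of `iptables -t mangle -L PREROUTING -v`, the counters on the first RETURN rule are the quickest way to confirm that the proxy's server-bound connections are being recognised rather than looped.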