Thanks for the reply, but no luck. This is very frustrating. I'm starting to think it is something with the MikroTik. Does anyone know how I can look at where the SYN/ACK is getting dropped? All I can see is that the SYN/ACK arrives from the server but cannot reach the client in the MikroTik router.

If you have a thread, you had better stick to it.

My tproxy setup is on Ubuntu 11.10 amd64. I'm using one script to start the tproxy services on this machine. I have seen things saying the ebtables rules should be on DROP, but the only way I could make it work was to accept the connections with ebtables. As I remember, you might need to add "ACCEPT" rules before the "DROP" ones in the ebtables. This script is from a couple of months ago, but it worked perfectly. Hope it will help you.

    #!/bin/sh -x
    #turning iptables modules on
    modprobe ip_tables
    modprobe iptable_filter
    modprobe iptable_mangle
    modprobe xt_mark
    modprobe xt_socket
    modprobe nf_tproxy_core
    modprobe xt_TPROXY
    modprobe xt_tcpudp
    modprobe nf_conntrack
    modprobe nf_conntrack_ipv4

    #building bridge
    ifconfig eth0 0.0.0.0
    ifconfig eth1 0.0.0.0
    pkill dhc
    ifconfig eth0 up
    ifconfig eth1 up
    brctl addbr br0
    brctl addif br0 eth0
    brctl addif br0 eth1
    ifconfig br0 192.168.10.119

    #adding route for bridge
    route add default gw 192.168.10.201
    # echo "nameserver 192.168.10.201">/etc/resolv.conf

    #tproxy settings
    ip route flush table 100
    ip rule del fwmark 1 lookup 100
    ip rule add fwmark 1 lookup 100
    ip -f inet route add local 0.0.0.0/0 dev lo table 100

    iptables -t mangle -F
    iptables -t mangle -X DIVERT
    iptables -t mangle -N DIVERT
    iptables -t mangle -A DIVERT -j MARK --set-mark 1
    iptables -t mangle -A DIVERT -j ACCEPT
    iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
    iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129

    ##!/bin/sh
    CLIENT_IFACE="eth1"
    INET_IFACE="eth0"

    ebtables -t broute -F
    ebtables -t broute -A BROUTING -i $CLIENT_IFACE -p ipv4 --ip-proto tcp --ip-dport 80 -j redirect --redirect-target ACCEPT
    ebtables -t broute -A BROUTING -i $CLIENT_IFACE -p ipv4 --ip-proto tcp --ip-dport 80 -j redirect --redirect-target DROP
    ebtables -t broute -A BROUTING -i $INET_IFACE -p ipv4 --ip-proto tcp --ip-sport 80 -j redirect --redirect-target ACCEPT
    ebtables -t broute -A BROUTING -i $INET_IFACE -p ipv4 --ip-proto tcp --ip-sport 80 -j redirect --redirect-target DROP

    cd /proc/sys/net/bridge/
    for i in *
    do
        echo 0 > "$i"
    done
    unset i

    #Changes in /etc/sysctl.conf \ sysctl
    sysctl net.ipv4.ip_forward=1
    sysctl net.netfilter.nf_conntrack_acct=1
    sysctl net.ipv4.conf.lo.rp_filter=0