For a few days I've been working on a piece of code
using the transparent proxy feature in a bridged
Linux box (the router).
    eth0         eth0-br0-eth1         eth0
+--------+        +--------+        +--------+
|        |------->| Router |------->|        |
| Client |        |  Linux |        | Server |
|        |<-------|  Box   |<-------|        |
+--------+        +--------+        +--------+
The application located in the router intercepts
any connection from the client to the server and
splits it into two connections (client<->router and router->server)
transparently, letting the server and the client
believe they have a direct connection to each
other.
At this point I have a half-transparent proxy: the
client <-> router side is handled gracefully by my
application and the client believes it has a direct
connection to the server. But the connection from the
router to the server fails and returns error 100:
"Connection timed out". Of course the router can
see the server, and if I remove the IP_TRANSPARENT
option from the socket, using it as a regular socket,
the trick works... except the server knows the incoming
packets come from the router.
I followed the rules explained in the kernel documentation[1],
including the 'iptables' rules, without success.
Any idea?
regards,
Rodrigo
I'm using Linux kernel 2.6.34.7 x86.
My router's network card configuration:
# ifconfig
br0 Link encap:Ethernet HWaddr 00:E0:4B:09:20:33
inet addr:172.16.17.25 Bcast:172.16.255.255 Mask:255.255.0.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:55674 errors:0 dropped:0 overruns:0 frame:0
TX packets:2431 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:4862736 (4.6 MiB) TX bytes:552987 (540.0 KiB)
eth0 Link encap:Ethernet HWaddr 00:E0:4B:09:F9:46
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:28851 errors:0 dropped:0 overruns:0 frame:0
TX packets:97665 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:3422810 (3.2 MiB) TX bytes:58062801 (55.3 MiB)
eth1 Link encap:Ethernet HWaddr 00:E0:4B:09:20:33
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:99096 errors:0 dropped:0 overruns:0 frame:0
TX packets:28662 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:58393644 (55.6 MiB) TX bytes:3391290 (3.2 MiB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
# Some flags
echo 0 > /proc/sys/net/bridge/bridge-nf-call-arptables
echo 0 > /proc/sys/net/bridge/bridge-nf-call-ip6tables
echo 0 > /proc/sys/net/bridge/bridge-nf-call-iptables
# The ip route options
ip rule add fwmark 1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100
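Added example (the editor's, not code from Rodrigo's post): the router->server leg described above, in C. A TCP socket is bound to the client's own address, which the router does not hold, and then connected to the server. Without IP_TRANSPARENT the bind() is refused with EADDRNOTAVAIL; with the option set (it needs CAP_NET_ADMIN, and has existed since 2.6.28, so 2.6.34 has it) the kernel accepts the foreign source address and the server sees the client's IP. The 192.0.2.x addresses, the port and the function names are placeholders chosen for this example. Two things the spoofed socket needs from the rest of the box, both outside this program: the server's replies are addressed to the client, so a mangle PREROUTING rule has to mark them (the '-m socket -j DIVERT' rules from the kernel's tproxy documentation) so that the 'ip rule' / 'ip route ... local' entries quoted above deliver them to the local socket; and on a bridge those replies arrive as bridged frames, which iptables only sees while bridge-nf-call-iptables is 1. With that sysctl at 0 the replies are switched straight through to the client and connect() on the router sees nothing but a timeout.

```c
/*
 * Added example (not from the original post): router->server leg of a
 * transparent TCP proxy.  The socket is bound to the *client's* address,
 * which this box does not own; that bind is only accepted once
 * IP_TRANSPARENT is set (needs CAP_NET_ADMIN).  192.0.2.x are RFC 5737
 * test addresses used as placeholders.
 */
#include <arpa/inet.h>
#include <errno.h>
#include <fcntl.h>
#include <netinet/in.h>
#include <poll.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#ifndef IP_TRANSPARENT
#define IP_TRANSPARENT 19 /* value from <linux/in.h>, for older libc headers */
#endif

/* Open a TCP socket bound to spoof_ip:spoof_port (port 0 = ephemeral).
 * With transparent != 0, IP_TRANSPARENT is set before bind() so a
 * non-local source address is accepted.  Returns the fd, or -errno:
 * -EADDRNOTAVAIL for a foreign address without the option,
 * -EPERM when the option is requested without CAP_NET_ADMIN. */
static int open_spoofed_socket(const char *spoof_ip, uint16_t spoof_port,
                               int transparent)
{
    struct sockaddr_in src;
    int fd, one = 1, err;

    memset(&src, 0, sizeof src);
    src.sin_family = AF_INET;
    src.sin_port = htons(spoof_port);
    if (inet_pton(AF_INET, spoof_ip, &src.sin_addr) != 1)
        return -EINVAL;

    fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -errno;

    if (transparent &&
        setsockopt(fd, IPPROTO_IP, IP_TRANSPARENT, &one, sizeof one) < 0)
        goto fail;
    /* the intercepted client<->router leg may already hold this client
     * address, so allow the local address to be reused */
    if (setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one) < 0)
        goto fail;
    if (bind(fd, (struct sockaddr *)&src, sizeof src) < 0)
        goto fail;
    return fd;

fail:
    err = errno;
    close(fd);
    return -err;
}

/* Non-blocking connect() with a timeout (ms), so a spoofed source whose
 * replies never come back to this box fails fast instead of sitting out
 * the whole SYN retry budget.  Returns 0 or -errno. */
static int connect_with_timeout(int fd, const char *server_ip,
                                uint16_t server_port, int timeout_ms)
{
    struct sockaddr_in dst;
    struct pollfd pfd = { .fd = fd, .events = POLLOUT };
    int flags, pr, err = 0;
    socklen_t len = sizeof err;

    memset(&dst, 0, sizeof dst);
    dst.sin_family = AF_INET;
    dst.sin_port = htons(server_port);
    if (inet_pton(AF_INET, server_ip, &dst.sin_addr) != 1)
        return -EINVAL;

    flags = fcntl(fd, F_GETFL, 0);
    fcntl(fd, F_SETFL, flags | O_NONBLOCK);
    if (connect(fd, (struct sockaddr *)&dst, sizeof dst) < 0 &&
        errno != EINPROGRESS)
        return -errno;
    pr = poll(&pfd, 1, timeout_ms);       /* 0 means the timer expired */
    if (pr < 0)
        return -errno;
    if (pr == 0)
        return -ETIMEDOUT;
    if (getsockopt(fd, SOL_SOCKET, SO_ERROR, &err, &len) < 0)
        return -errno;
    fcntl(fd, F_SETFL, flags);            /* back to blocking I/O */
    return err ? -err : 0;
}

int main(void)
{
    const char *client_ip = "192.0.2.10"; /* placeholder: the real client */
    const char *server_ip = "192.0.2.20"; /* placeholder: the real server */
    int fd = open_spoofed_socket(client_ip, 0, 1);
    int rc;

    if (fd < 0) {
        fprintf(stderr, "bind as %s failed: %s\n", client_ip, strerror(-fd));
        return 1;
    }
    rc = connect_with_timeout(fd, server_ip, 80, 5000);
    printf("connect %s -> %s:80: %s\n", client_ip, server_ip,
           rc ? strerror(-rc) : "ok");
    close(fd);
    return rc ? 1 : 0;
}
```

Build with 'gcc -Wall -o spoofed_connect spoofed_connect.c' and run it as root on the router; run unprivileged it prints "Operation not permitted" from the IP_TRANSPARENT setsockopt(), and with the option left off the bind() fails with "Cannot assign requested address". A quick way to tell whether the kernel is even looking at the bridged replies is 'iptables -t mangle -L PREROUTING -v -n' while the connect is pending: if the packet counters of the DIVERT rule stay at zero while tcpdump on eth1 shows the SYN/ACK coming back, iptables is not seeing bridged traffic.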