Hello,
I am trying out tproxy on my Ubuntu system, and I am using netns instead of a real switch or gateway. The problem is that the socket in
tproxy-example cannot accept the connection passed through the bridge netns.
I set up the network environment like this:
main netns:
veth0:10.0.0.2/24
|
\/
sub netns0:
veth1--bridge0-veth2:
10.0.0.1/24+lo
|
\/
sub netns1:
veth3:
10.0.0.3/24 +lo
veth0-veth1 and veth2-veth3 are veth pairs.
I executed these iptables rules in netns0:
Code:
# packets that already belong to a local (proxy) socket: mark them and let
# the fwmark rule below route them locally instead of forwarding
iptables -t mangle -N DIVERT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT
# policy routing: mark 1 -> table 100, which delivers everything locally
ip rule add fwmark 1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100
# steer new TCP connections to port 8000 into the proxy socket on port 9876
iptables -t mangle -A PREROUTING -p tcp --dport 8000 -j TPROXY \
--tproxy-mark 0x1/0x1 --on-port 9876
Then I started a Python HTTP server in netns1 and tproxy-example in netns0. After that, I tried to curl the Python HTTP server (10.0.0.3:8000) from the main netns, expecting the request to be accepted by tproxy-example in netns0, but tproxy-example could not capture anything, and curl worked without any problem.
I tried to find out whether tproxy worked using the pr_debug info in
xt_TPROXY.c.
I found that it logged "redirecting: proto 6 10.0.0.3:8000 -> 10.0.0.1:9876, mark: 1", which seems to show that tproxy worked well, but the socket could not accept it.
I also tried dropping all packets in the iptables mangle table INPUT chain and found no impact on curling the HTTP server, so I guess the TCP packets are going forward in the routing decision.
I have also set a lot of system config in both the main netns and the sub netns, like:
Code:
# main netns
sysctl -w net.ipv4.ip_nonlocal_bind=1
sysctl -w net.ipv4.ip_forward=1
# sub netns
ip netns exec net0 \
sysctl -w net.ipv4.ip_nonlocal_bind=1
ip netns exec net0 \
sysctl -w net.ipv4.ip_forward=1
I would very much appreciate any help or tips on tracing this problem with tproxy & netns.
Thank you.
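For readers comparing against the listener side of the setup above: an added example (not the thread's tproxy-example or any of the poster's code) of the minimal socket a TPROXY target like the one in the rules expects, bound to the --on-port 9876 with IP_TRANSPARENT set so that connections addressed to 10.0.0.3:8000 can be accepted. The loopback self-test function and the constructed request it sends are assumptions for exercising the accept path without privileges.

```python
import socket


def make_tproxy_listener(port, host="0.0.0.0", transparent=True):
    """Listening socket for connections that the TPROXY target steers here."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    if transparent:
        # IP_TRANSPARENT lets the socket accept connections whose destination
        # (10.0.0.3:8000 in the thread) is not a local address. It needs
        # CAP_NET_ADMIN, so an unprivileged process gets PermissionError here.
        s.setsockopt(socket.IPPROTO_IP, socket.IP_TRANSPARENT, 1)
    # Bind to 0.0.0.0 unless --on-ip narrows where TPROXY redirects to.
    s.bind((host, port))
    s.listen(16)
    return s


def serve_once(listener):
    """Accept one connection; return (client ip, original destination, request line)."""
    conn, peer = listener.accept()
    with conn:
        # On a TPROXY socket getsockname() reports the client's original
        # destination, not the proxy's --on-port, which is what a proxy needs
        # in order to log the real target or open the upstream leg.
        orig_dst = conn.getsockname()[:2]
        request = conn.recv(4096)
        first_line = request.split(b"\r\n", 1)[0].decode(errors="replace")
        conn.sendall(b"HTTP/1.0 200 OK\r\nContent-Length: 0\r\n\r\n")
    return peer[0], orig_dst, first_line


def loopback_selftest():
    """Exercise the accept path over plain loopback (no TPROXY, no privileges)."""
    listener = make_tproxy_listener(0, "127.0.0.1", transparent=False)
    port = listener.getsockname()[1]
    client = socket.create_connection(("127.0.0.1", port))
    client.sendall(b"GET / HTTP/1.0\r\nHost: 10.0.0.3\r\n\r\n")  # constructed request
    result = serve_once(listener)
    reply = client.recv(4096)
    client.close()
    listener.close()
    return result, port, reply


if __name__ == "__main__":
    # Run inside netns0 with CAP_NET_ADMIN; 9876 is the --on-port from the rules.
    srv = make_tproxy_listener(9876)
    while True:
        client_ip, (dst_ip, dst_port), line = serve_once(srv)
        print(f"{client_ip} -> {dst_ip}:{dst_port}: {line}")
```

If the listener accepts over loopback but never sees the redirected connection, the packet is leaving the PREROUTING/local-delivery path before it reaches the socket, which matches the symptom of curl still reaching 10.0.0.3 directly.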