Preconditions for TPROXY within ip6tables
Shadow Hawkins on Thursday, 25 April 2013 09:49:50
Hi all,
I am trying to use TPROXY to forward a port to another, but it is simply not working.
If all ip6tables chains are empty (I know, it's a security risk, it's only for testing on a private network), and I run the following:
ip6tables -t mangle -A PREROUTING -i eth0 -p tcp --dport 80 -j TPROXY --on-port 8080
I assume accessing port 80 will be forwarded to an application listening to port 8080, but there is no traffic.
I've done:
- modprobe xt_TPROXY
- echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
- tried in new Debian Wheezy and in Ubuntu 12.04 LTS
What did I forget?
Thanks
Achim
Shadow Hawkins on Monday, 29 April 2013 20:22:04
I don't know exactly what you are trying, but do note that TPROXY is not the same as REDIRECT.
In short: the application on port 8080 must understand tproxy. See http://www.mjmwired.net/kernel/Documentation/networking/tproxy.txt
The nice thing about tproxy is that for both sites the IP/port combinations do not change. (If you use squid with tproxy, you will see the public IPv6 address of the client in the logs of the webserver.)
If all that you want to do is run some application as an unprivileged user listening on port 80, you can also allow your application to bind to ports < 1024:
sudo setcap cap_net_bind_service+ep /path/to/your/app
then, your "/path/to/your/app" will be allowed to bind on ports lower than 80, even if you do not run it as root.
Shadow Hawkins on Monday, 29 April 2013 20:27:33
Of course I mean ports lower than 1024.
See also man capabilities for other possible options
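What "the application must understand tproxy" means in practice, as an added example that is not part of the original thread: the listener has to set the transparent socket option before binding, and the kernel needs the policy-routing rules from the linked tproxy.txt. The function names, fwmark 1 and table 100 are assumptions chosen for illustration.

```python
import socket

# Linux value from <linux/in6.h>; many Python builds do not export the name.
IPV6_TRANSPARENT = getattr(socket, "IPV6_TRANSPARENT", 75)

# Kernel-side setup this listener assumes (mark 1 / table 100 are arbitrary):
#   ip -6 rule add fwmark 1 lookup 100
#   ip -6 route add local ::/0 dev lo table 100
#   ip6tables -t mangle -A PREROUTING -i eth0 -p tcp --dport 80 \
#       -j TPROXY --on-port 8080 --tproxy-mark 0x1/0x1


def open_tproxy_listener(port, backlog=16):
    """Return a listening IPv6 TCP socket that can accept TPROXY-diverted
    connections. Raises PermissionError without CAP_NET_ADMIN (or root)."""
    sock = socket.socket(socket.AF_INET6, socket.SOCK_STREAM)
    try:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        # Without this option the socket is never matched against packets
        # whose destination address is not local to this host.
        sock.setsockopt(socket.IPPROTO_IPV6, IPV6_TRANSPARENT, 1)
        sock.bind(("::", port))
        sock.listen(backlog)
    except OSError:
        sock.close()
        raise
    return sock


def describe(conn):
    """With TPROXY neither endpoint is rewritten: getsockname() on the
    accepted socket is the address and port the client originally dialled."""
    return {"client": conn.getpeername()[:2],
            "original_dst": conn.getsockname()[:2]}


def serve_once(port=8080):
    """Accept one diverted connection and report both endpoints."""
    with open_tproxy_listener(port) as listener:
        conn, _ = listener.accept()
        with conn:
            info = describe(conn)
            print("client %s port %d -> original destination %s port %d"
                  % (info["client"] + info["original_dst"]))
            return info


if __name__ == "__main__":
    serve_once()
```

With REDIRECT the original destination would instead show up as the local address and port 8080, which is the difference the reply above points out.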