Help.
I thought transparent proxying would allow some means
for the recipient of the proxied connections to find
out what their original destination port and socket
address were. This does not seem to be the case. The
socket structure only has one address and one socket,
and those have the source address, not the destination
address.
How do forward connections to a given address range to
a user space program that then has the opportunity to
bidirectionally munge the data in them and forward
them on? Transparent proxying works just fine
assuming I only ever want to forward a single port to
just one other machine...
IPCHAINS isn't up to it. Before I go and upgrade to
the 2.4 kernel on production systems that ship Real
Soon Now, could somebody give me at least an opinion
on whether or not iptables and the 2.4 nat stuff can
do this kind of thing without me having to modify the
kernel to fill out a larger socket-oid structure? (Is
2.4 iptables documented anywhere yet?)
I've got everything else. If I could just get a
destination address and port out of transparently
proxied connections I'd be home free. I'm amazed this
data isn't there already, I must have missed something
stupid. How do sockets bound to multiple interfaces
figure out which interface the connection came from?
Rob
__________________________________________________
Do You Yahoo!?
Get email at your own domain with Yahoo! Mail.
http://personal.mail.yahoo.com/?.refer=text
Yeah, I found it.
While researching replacing the 2.2 kernel with 2.4 to
get my proxy-oid to work, I stumbled accross the
following section in the unofficial NAT-HOWTO (which
is not on linuxdoc's website as far as I can tell).
At this address:
http://netfilter.kernelnotes.org/unreliable-guides/NAT-HOWTO/NAT-HOWTO.linuxdoc-4.html
Under section four ("quick translation from 2.0 and
2.2 kernels"), under the heading "Hackers may also
notice:", item two in the list:
>The (undocumented) `getsockname' hack, which
>transparent proxy programs could use to find out the
>real destinations of connections no longer works.
Ah! A clue! But no idea how to make it work under
2.4, and no mention of what replaces it! (I read the
rest of the howto carefully. Never mentioned this
topic again.) But there IS a way to get it to work
under 2.2, if I can learn an undocumented (but
functional) hack.
So I jump to the contents page to see who the HOWTO
maintainer is to ask rather pointed questions. His
email address isn't listed, but I do I find out that
the netfilter mailing list is at
[email protected]. http://list.samba.org
turns out to have a page of hosted lists, with a link
that eventually leads to an archive, which is not
easily searchable except by date. Fun.
This brings us to google, which can find anything if
you just know what to ask for. I search for
"lists.samba.org netfilter getsockname". The first
hit is just that silly howto again, but the second
hit:
http://lists.samba.org/pipermail/netfilter/2000-September/005317.html
An explanation, complete with example code. From
september of last year.
And there was much rejoicing.
If I were to perhaps send linuxdoc.org a check or
something, might a day come to pass when learning to
do seemingly obvious things under linux does NOT
require fairly good forensic investigation skills? I
ask merely for information.
I need to get more caffiene now. I'm going to be up
REALLY late coding. :)
Rob
__________________________________________________
Do You Yahoo!?
Get email at your own domain with Yahoo! Mail.
http://personal.mail.yahoo.com/?.refer=text
In message <[email protected]> you write:
[ cut 50 lines ]
> If I were to perhaps send linuxdoc.org a check or
> something, might a day come to pass when learning to
> do seemingly obvious things under linux does NOT
> require fairly good forensic investigation skills? I
> ask merely for information.
And you wonder why my EMail address is not on the HOWTO? Perhaps
because there's a netfilter-devel list which can respond far more
quickly than I can...
Summary: you had to use a *search engine* to find an obscure piece of
coding information.
Shocked!
Rusty.
--
Premature optmztion is rt of all evl. --DK
--- Rusty Russell <[email protected]> wrote:
> Summary: you had to use a *search engine* to find an
> obscure piece of
> coding information.
Actually, I had to use a search engine to find a
tangentially related howto that halfway through
mentioned something in passing which gave me a clue of
something else to search for that, it turns out,
didn't work anyway. (getsockname() in 2.2 returns the
original destination ip, but not the original
destination port. I had to move to
2.4/netfilter/getsockopt to get that piece of
information.)
And the reason I didn't ask on the netfilter list is I
was originally trying to use 2.2 ipchains, not 2.4
iptables. Didn't think the old stuff was on-topic
there.
> Shocked!
> Rusty.
It still requires pretty good forensic investigation
skills to make it work...
> Premature optmztion is rt of all evl. --DK
Wouldn't that be "Premtur"? :)
Rob
__________________________________________________
Do You Yahoo!?
Get email at your own domain with Yahoo! Mail.
http://personal.mail.yahoo.com/