REDIRECT problem: dest. port seems to be mangled

John Saunders john@nlc.net.au
Thu, 9 Aug 2001 09:21:21 +1000 (EST)


Transproxy uses the following code to determine the original destination
(both IP address and port) of the TCP connection.

  if (getsockopt(sock, SOL_IP, SO_ORIGINAL_DST,
      (char *)&conn.dest_addr, &length) < 0)

If this call does not fill in the port field with port 80 (the original
destination) then you will get the problem you describe. I have no idea
what IP tables is supposed to do, although taken at face value you would
expect this socket operation to return the original destination. The code
for IP tables was contributed as I don't run a 2.4 kernel myself.

Regards.

On Wed, 8 Aug 2001, Stephane Bortzmeyer wrote:

> I have the following rule:
> 
> iptables -t nat -A TRANSPARENT_PROXY -i $ETHERNET -p tcp -j  REDIRECT --to-port 3128
> 
> (We jump to TRANSPARENT_PROXY from PREROUTING.)
> 
> Traffic is redirected but the proxy which listens on port 3128
> (transproxy) see the packet coming to port 3128, not to port 80. Since
> transproxy rewrites URL when the port is not the default HTTP port, we
> end with wrong URLs http://www.foo.bar:3128/. Is it a bug in iptables
> or, if this is the intended behaviour, how can I change it?
> 
> Relevant piece of code in tproxy.c:
> 
>     if ((ntohs(conn->dest_addr.sin_port) != 80) &&
> #ifdef USE_STRSTR_BUG
>         (strstr(conn->host_header, ":") == NULL))
> #else
>         (strchr(conn->host_header, ':') == NULL))
> #endif
>     {
>         sprintf(request_port, ":%u", ntohs(conn->dest_addr.sin_port));
>         memcpy(&request_buffer[send_size], request_port, strlen(request_port));
>         send_size += strlen(request_port);
>         conn->url_end_offset += strlen(request_port);
>     }
> 
> 
> Linux kernel 2.4.7, iptables v1.2.2.
> 

--            +------------------------------------------------------------+
        .     | John Saunders  - mailto:john@nlc.net.au            (EMail) |
    ,--_|\    |                - http://www.nlc.net.au/              (WWW) |
   /  Oz  \   |                - 1300-720-122 or 04-1822-3814      (Phone) |
   \_,--\_/   | NORTHLINK COMMUNICATIONS P/L - Supplying a professional,   |
         v    | and above all friendly, internet connection service.       |
              +------------------------------------------------------------+
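An added example (not transproxy's code and not from either poster) showing the two halves of the problem discussed above: a getsockopt(SO_ORIGINAL_DST) query on an accepted socket, with a getsockname() fallback that can only ever report the redirected-to local port, and the same port-suffix rule the quoted tproxy.c fragment applies. The function names original_destination, needs_port_suffix and rewrite_host are this example's own; it assumes a Linux host, and the loopback exchange in main() has no REDIRECT rule in front of it, so the kernel has no pre-NAT tuple to return and the fallback path is taken.

```c
/* Added example: recover the pre-REDIRECT destination of an accepted TCP
 * connection and decide whether a Host header needs an explicit ":port"
 * suffix, following the rule in the quoted tproxy.c fragment. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#ifndef SOL_IP
#define SOL_IP IPPROTO_IP
#endif
#ifndef SO_ORIGINAL_DST
#define SO_ORIGINAL_DST 80   /* value from <linux/netfilter_ipv4.h> */
#endif

enum dst_source { DST_ORIGINAL = 1, DST_LOCAL = 2, DST_ERROR = -1 };

/* Fill *dst with the address the client actually dialled.  SO_ORIGINAL_DST
 * asks conntrack for the pre-NAT tuple; if the kernel cannot answer (no
 * netfilter, no NAT entry for this flow), fall back to getsockname(), which
 * only ever yields the local port the proxy listens on (3128 here, not 80). */
enum dst_source original_destination(int sock, struct sockaddr_in *dst)
{
    socklen_t len = sizeof(*dst);
    memset(dst, 0, sizeof(*dst));
    if (getsockopt(sock, SOL_IP, SO_ORIGINAL_DST, dst, &len) == 0)
        return DST_ORIGINAL;
    len = sizeof(*dst);
    if (getsockname(sock, (struct sockaddr *)dst, &len) == 0)
        return DST_LOCAL;
    return DST_ERROR;
}

/* Same rule as the quoted tproxy.c fragment: append ":port" only when the
 * destination port is not 80 and the Host header carries no port already.
 * Fed the redirected port (3128) instead of the original one, this rule is
 * exactly what yields http://www.foo.bar:3128/ in the rewritten URL. */
int needs_port_suffix(uint16_t dest_port, const char *host_header)
{
    return dest_port != 80 && strchr(host_header, ':') == NULL;
}

/* Build the host[:port] string a proxy would emit; returns bytes written. */
int rewrite_host(char *out, size_t outlen, const char *host_header,
                 uint16_t dest_port)
{
    if (needs_port_suffix(dest_port, host_header))
        return snprintf(out, outlen, "%s:%u", host_header, dest_port);
    return snprintf(out, outlen, "%s", host_header);
}

int main(void)
{
    /* Listen on an ephemeral loopback port, connect to it, and query the
     * accepted socket.  With no REDIRECT rule in the path, SO_ORIGINAL_DST
     * has nothing to report and the getsockname() fallback is used. */
    int ls = socket(AF_INET, SOCK_STREAM, 0);
    struct sockaddr_in addr = { .sin_family = AF_INET, .sin_port = 0 };
    addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    socklen_t len = sizeof(addr);
    if (ls < 0 || bind(ls, (struct sockaddr *)&addr, len) < 0 ||
        listen(ls, 1) < 0 || getsockname(ls, (struct sockaddr *)&addr, &len) < 0) {
        perror("listen");
        return 1;
    }
    int cs = socket(AF_INET, SOCK_STREAM, 0);
    if (cs < 0 || connect(cs, (struct sockaddr *)&addr, len) < 0) {
        perror("connect");
        return 1;
    }
    int as = accept(ls, NULL, NULL);
    struct sockaddr_in dst;
    enum dst_source src = original_destination(as, &dst);
    char host[256];
    rewrite_host(host, sizeof host, "www.foo.bar", ntohs(dst.sin_port));
    printf("%s: port %u -> Host %s\n",
           src == DST_ORIGINAL ? "SO_ORIGINAL_DST" : "getsockname fallback",
           ntohs(dst.sin_port), host);
    close(as);
    close(cs);
    close(ls);
    return src == DST_ERROR;
}
```

The point of the split is diagnostic: if original_destination returns DST_ORIGINAL but the port is still 3128, the kernel's NAT lookup itself handed back the redirected tuple, whereas DST_LOCAL means the proxy never got a conntrack answer at all and is simply reading its own listening port.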