Haproxy causes '[?] is not allowed to connect' warning #16

@nickodell

Description

I'm currently using HAProxy to send traffic to mmproxy, which is then being sent on to a test server.

This currently works, and traffic sent to the haproxy port is correctly forwarded to the test server, and the test server gets the correct source IP.

However, the following error happens repeatedly:

[?]  is not allowed to connect

(I have not censored the log - that is what it looks like.)

Here's the full mmproxy log:

njodell@proxy-testbed:~/mmproxy$ sudo ./mmproxy -l 127.0.0.1:1234 -4 127.0.0.1:8080 -6 127.0.0.1:8080 --allowed-networks allowed-networks.txt
[ ] Remember to set the reverse routing rules correctly:
iptables -t mangle -I PREROUTING -m mark --mark 123 -m comment --comment mmproxy -j CONNMARK --save-mark        # [+] VERIFIED
iptables -t mangle -I OUTPUT -m connmark --mark 123 -m comment --comment mmproxy -j CONNMARK --restore-mark     # [+] VERIFIED
ip6tables -t mangle -I PREROUTING -m mark --mark 123 -m comment --comment mmproxy -j CONNMARK --save-mark       # [+] VERIFIED
ip6tables -t mangle -I OUTPUT -m connmark --mark 123 -m comment --comment mmproxy -j CONNMARK --restore-mark    # [+] VERIFIED
ip rule add fwmark 123 lookup 100               # [+] VERIFIED
ip route add local 0.0.0.0/0 dev lo table 100   # [+] VERIFIED
ip -6 rule add fwmark 123 lookup 100            # [+] VERIFIED
ip -6 route add local ::/0 dev lo table 100     # [+] VERIFIED
[+] OK. Routing to 127.0.0.1 points to a local machine.
[+] OK. Target server 127.0.0.1:8080 is up and reachable using conventional connection.
[+] OK. Target server 127.0.0.1:8080 is up and reachable using spoofed connection.
[ ] Allowing only proxy-protocol enabled traffic from these subnets:
0.0.0.0/0
[+] Listening on 127.0.0.1:1234
[?]  is not allowed to connect
[?]  is not allowed to connect
[?]  is not allowed to connect
[?]  is not allowed to connect
[?]  is not allowed to connect
[?]  is not allowed to connect
^C

Reading the source code, it looks like this log message is supposed to contain the remote address of the host which is not allowed to connect:

src/main.c:             printf("[?] %s is not allowed to connect\n", lstr);

I used strace to find what system calls it was making just before it failed:

njodell@proxy-testbed:~/mmproxy$ sudo strace ./mmproxy -l 127.0.0.1:1234 -4 127.0.0.1:8080 -6 [::1]:8080 --allowed-networks allowed-networks.txt

[.. snipped ..]

epoll_wait(4, [{EPOLLIN, {u32=3, u64=3}}], 128, -1) = 1
accept(3, {sa_family=AF_INET, sin_port=htons(41526), sin_addr=inet_addr("127.0.0.1")}, [32->16]) = 5
fcntl(5, F_GETFL)                       = 0x2 (flags O_RDWR)
fcntl(5, F_SETFL, O_RDWR|O_NONBLOCK)    = 0
setsockopt(5, SOL_SOCKET, SO_REUSEADDR, [1], 4) = 0
getpeername(5, 0x7fed97cbeac0, [32])    = -1 ENOTCONN (Transport endpoint is not connected)
getpeername(5, 0x7fed97cbeac0, [32])    = -1 ENOTCONN (Transport endpoint is not connected)
write(1, "[?]  is not allowed to connect\n", 31[?]  is not allowed to connect
) = 31
close(5)                                = 0

So:

  1. It waits for a new connection.
  2. A new connection is accepted on FD 5.
  3. It does some other stuff.
  4. It tries to run getpeername() on the socket, which fails with ENOTCONN.
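The sequence above can be reproduced and checked outside mmproxy. This is an added example, not code from the report or from the mmproxy project: a client connects to a loopback listener and immediately resets the connection (SO_LINGER with a zero timeout), the server only then calls accept(). The address accept() fills in is still usable for a log line, while a later getpeername() on that socket can fail with ENOTCONN. The function names and the 100 ms wait are assumptions of this example.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <time.h>
#include <unistd.h>

/* Format the address accept() already handed us; no second syscall needed. */
static const char *peer_from_accept(const struct sockaddr_storage *ss, char *buf, size_t len)
{
    if (ss->ss_family == AF_INET)
        return inet_ntop(AF_INET, &((const struct sockaddr_in *)ss)->sin_addr, buf, len);
    if (ss->ss_family == AF_INET6)
        return inet_ntop(AF_INET6, &((const struct sockaddr_in6 *)ss)->sin6_addr, buf, len);
    return NULL;
}

/* Hypothetical demo: client resets before the server accepts. Writes the peer
 * address taken from accept() into `out`; returns the errno that getpeername()
 * produced afterwards (0 if it succeeded), or -1 on setup failure. */
int demo_reset_before_accept(char *out, size_t len)
{
    struct sockaddr_in srv = { .sin_family = AF_INET };
    srv.sin_addr.s_addr = htonl(INADDR_LOOPBACK);          /* port 0: kernel picks one */
    socklen_t sl = sizeof srv;
    int lfd = socket(AF_INET, SOCK_STREAM, 0), cfd = socket(AF_INET, SOCK_STREAM, 0);
    if (lfd < 0 || cfd < 0) return -1;
    struct timeval tv = { 2, 0 };                          /* never block accept() forever */
    setsockopt(lfd, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof tv);
    if (bind(lfd, (struct sockaddr *)&srv, sl) < 0 || listen(lfd, 8) < 0) return -1;
    if (getsockname(lfd, (struct sockaddr *)&srv, &sl) < 0) return -1;
    if (connect(cfd, (struct sockaddr *)&srv, sl) < 0) return -1;
    struct linger lg = { .l_onoff = 1, .l_linger = 0 };    /* close() now sends RST, not FIN */
    setsockopt(cfd, SOL_SOCKET, SO_LINGER, &lg, sizeof lg);
    close(cfd);
    nanosleep(&(struct timespec){ 0, 100000000L }, NULL);  /* let the RST reach the listener */

    struct sockaddr_storage peer; socklen_t pl = sizeof peer;
    int afd = accept(lfd, (struct sockaddr *)&peer, &pl);
    if (afd < 0) return -1;
    if (!peer_from_accept(&peer, out, len)) return -1;     /* saved copy works regardless */

    struct sockaddr_storage again; socklen_t al = sizeof again;
    int err = getpeername(afd, (struct sockaddr *)&again, &al) < 0 ? errno : 0;
    close(afd); close(lfd);                                /* err is ENOTCONN after a reset */
    return err;
}
```

On Linux the reset socket is still returned by accept(), so the listener sees exactly the report's pattern: a usable peer address from accept() and ENOTCONN from getpeername().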
