Compile a (CentOS) Kernel And IPTables With TPROXY Support

Mattias Geniar, Wednesday, September 1, 2010 - last modified: Wednesday, July 25, 2012

A default (CentOS) kernel doesn't have TPROXY support, which is needed if you want to it to behave as a transparant proxy. This is useful if you have a cluster set-up with one or more loadbalancers, but you still want each underlying node to see the original source IP from the request.

Without transparant proxy (TPROXY), all request would appear to come from the load balancer's IP address, instead of the actual client (which can mess up your logging, scripts, ...).

This article is derived from the "How To Compile a Kernel -- The CentOS way" pages at, and the guides at

We will assume you have a running CentOS at this point (version 5.5 or later). First up, download the kernel source. Since the TPROXY patch isn't compatible with all Kernel versions, we're stuck with the 2.6.25 kernel. Please browse the Kernel Source Index, and pick the latest linux-2.6.25.* kernel work from. (if the version is no longer available for download, here's a local copy).

cd /usr/src

Now, unpack the source code, and symlink the resulting directory to 'linux' (will make things easier later on).

tar xzf linux-
ln -s linux- linux

Next step is to download the TPROXY patch. (if the version is no longer available for download, here's a local copy)

tar xjf tproxy-kernel-2.6.25-20080519-165031-1211208631.tar.bz2

Now to apply the patch mentioned.

cd linux/
cat ../tproxy-2.6.25-20080519/00* | patch -p1 --dry-run
cat ../tproxy-2.6.25-20080519/00* | patch -p1

To start compiling the kernel, we'll first clean any leftovers that may exist.

make clean && make mrproper

And copy our current Kernel configuration to our local .config file. This will help in making sure our currently installed applications will continue working, and we don't modify the kernel too heavily.

cp /boot/config-`uname -r` ./.config

Make sure you have all the necessary developer-tools, to compile the kernel.

yum install make rpm-build gcc gcc-c++ ncurses-devel elfutils elfutils-libs libstdc++-devel

Let's pop up the kernel configuration menu, which will allow us to easily change configs.

make menuconfig

Since we saved our currently running Kernel's configuration in the .config file, we will choose the "Load an alternative Configuration File" option, and enter .config as the filename.

menuconfig: load config

Let's enable TPROXY support. Navigate in the menu to

  • Networking
  • > Networking support
  • > Networking options
  • > Network packet filtering framework (Netfilter)
  • > Core Netfilter Configuration

and highlight:

Transparent proxying support (EXPERIMENTAL)
Netfilter Xtables support (required for ip_tables)
Netfilter Connection tracking
> Connection tracking flow accounting
> Connection mark tracking support
"TPROXY" target support (EXPERIMENTAL)
"socket" match support (EXPERIMENTAL)

Beware that you can check these options in 2 ways:

[*]: Built-in
[M]: Module

Try to select the options listed above as [M], so they are modules.

Then hit <ESC><ESC> a few times, to get back to the main menu, and navigate to General Setup > () Local version -- append to kernel release. Add a custom suffix there, to identify this kernel. I've choosen "-tproxy" as suffix (so I know it has tproxy support). It's important you add a version number if you try to reinstall the kernel again afterwards, or you'll end up with "this package is already installed" messages.

Once you've applied the above changes, exit the menu and confirm you want to save your changes.

Now start compiling the source and create the RPM install file.

make rpm

This _will_ take a long time. If you're running this inside a virtual machine, consider adding more (virtual) CPU's to speed up this process. It's safe to assume this will run for at least 1 hour, probably more.

After it's been created, you will find the resulting Source RPM file in /usr/src/redhat/SRPMS/. linux $ ls -al /usr/src/redhat/SRPMS/
total 62124
drwxr-xr-x 2 root root     4096 Aug 21 17:31 .
drwxr-xr-x 7 root root     4096 Aug 21 16:20 ..
-rw-r--r-- 1 root root 63536285 Aug 21 17:27 kernel-

And the binary RPM file in /usr/src/redhat/RPMS/i386/ (or x86_64 if you're running 64 bit). linux $ ls -al /usr/src/redhat/RPMS/i386/
total 120256
drwxr-xr-x 2 root root      4096 Aug 21 17:32 .
drwxr-xr-x 9 root root      4096 Aug 21 16:20 ..
-rw-r--r-- 1 root root 123002989 Aug 21 17:31 kernel-

Now it's time to install our custom kernel.

rpm -ivh --nodeps /usr/src/redhat/RPMS/i386/kernel-

And create the ramdisk for our system.

mkinitrd /boot/initrd-

Let's see what files were made in the /boot partition. We'll need these filenames to edit the grub config later on. linux $ ls -alh /boot/ | grep -i tproxy
-rw-r--r--  1 root root   73K Aug 21 17:27 config-
-rw-------  1 root root  3.2M Aug 21 17:33 initrd-
-rw-r--r--  1 root root 1015K Aug 21 17:27
-rw-r--r--  1 root root  1.9M Aug 21 17:27 vmlinuz-

And edit the menu-file.

vi /boot/grub/menu.lst

And add the following snippet below the "hiddenmenu" line, and right above the first kernel declaration. This consists of copying an already existing boot-item, and modify the vmlinuz and initrd locations.

title CentOS-Tproxy (
root (hd0,0)
kernel /vmlinuz- ro root=/dev/VolGroup00/LogVol00
initrd /initrd-

The /vmlinuz and /initrd should point to the filenames you discovered earlier. Please don't directly copy/paste the example above, but copy an entry from your file, and modify it (as to preserve the hard disk order and volume names).

Now reboot into your newly created kernel. Your boot screen would look a bit like this now, with a notice to the newly named kernel.

tproxy kernel

You can verify this once the server's booted up. ~ $ uname -a
Linux #1 SMP Sat Aug 21 17:22:41 CEST 2010 i686 i686 i386 GNU/Linux

Now we have our kernel with TPROXY support running, time to compile and patch our iptables to make use of it. To get started, download 1.4.0 iptables source. It's import you take the 1.4.0 version, newer versions won't work. (if the version is no longer available for download, here's a local copy).

cd /usr/src/
tar xjf iptables-1.4.0.tar.bz2

Now also download the tproxy iptables patch. (if the version is no longer available for download, here's a local copy)


Apply the tproxy path.

cd iptables-1.4.0/
cat ../tproxy-iptables-1.4*.patch | patch -p1
make && make install

Now you've installed both your kernel, and iptables, with the tproxy patch.


iptables full iptables source code
linux- full kernel source code
tproxy-iptables-1.4.0-20080521.patch: tproxy patch for iptables
tproxy-kernel-2.6.25-20080519.tar.bz2: tproxy patch for 2.6.25 kernel

.config: the .config file I used to compile my kernel (with all necessary modules checked)
kernel- rpm install file for a 32-bit (i386) kernel with tproxy support. Follow the "mkinitrd" steps above to install & use this kernel. The kernel is named "".

Troubleshooting: unknown match socket

If you've done the above steps, and still get the UNKNOWN match `socket' message in your iptables, you've probably skipped a kernel module required for this to work.

Troubleshooting: bad exit status during kernel compile

You could run into something similar to the following when compiling your kernel.

... [snip]
LD [M]  drivers/scsi/scsi_mod.o
LD      drivers/built-in.o
error: Bad exit status from /var/tmp/rpm-tmp.48540 (%build)

RPM build errors:
Bad exit status from /var/tmp/rpm-tmp.48540 (%build)
make[1]: *** [rpm] Error 1
make: *** [rpm] Error 2

That will prevent you kernel from successfully compiling. It usually means you selected a kernel option with a certain dependency that wasn't checked. So it's dependent on an option, that's not being compiled.

Tricky part here is to track down which one, and I'm afraid to say I don't know how. Also, it's beyond the scope of this document. If you want to retry the compilation again, make sure to run:

cp .config .config_backup
make clean && make mrproper

to reset your current attempt, clear created files and reset the config back to zero. Your "broken" config can then still be found in the .config_backup file. In my experience, it's better to just start all over ...

You could also consider deleting the generated files in /usr/src/redhat/BUILD/kernel-* as they are obsolete now.

Hi! My name is Mattias Geniar. I'm a Support Manager at Nucleus Hosting in Belgium, a general web geek, public speaker and podcaster. Currently working on DNS Spy. Follow me on Twitter as @mattiasgeniar.

I respect your privacy and you won't get spam. Ever.
Just a weekly newsletter about Linux and open source.

SysCast podcast

In the SysCast podcast I talk about Linux & open source projects, interview sysadmins or developers and discuss web-related technologies. A show by and for geeks!

cron.weekly newsletter

A weekly newsletter - delivered every Sunday - for Linux sysadmins and open source users. It helps keeps you informed about open source projects, Linux guides & tutorials and the latest news.

Share this post

Did you like this post? Will you help me share it on social media? Thanks!


Reese Tuesday, September 14, 2010 at 10:20

Awesome tutorial, thanx! Just wish all howto’s was this simple…..


Matt Wednesday, September 15, 2010 at 16:04

third time?

I have followed your steps with no error until i get to this line:

cat ../tproxy-2.6.25-20080519/00* | patch -p1 –dry-run

After which, I am met with the folloing error:

1 out 7 hunks FAILED — saving rejects to file to net/ipv4/netfilter/

This is my second time through. I didnt notice that error the first time. However, when got the step “make rpm” it errored out. It wasnt until I tried just plain “make && make modules_install” that I was able to find that it couldnt link to the file listed above.

I have used all of the exact downloads you provided in your tutorial on the most recent version (as of this post) of CentOS 5.5.

Any insight is appreciated.



Matti Wednesday, September 15, 2010 at 16:38

Hi Matt,

First things to doublecheck:
– Kernel version you downloaded
– Delete what you already did, and download a fresh copy (without previous ‘make’ history)

You could also try to just download the very latest kernel, it should have (or so I’m told, but have not yet verified) TPROXY support by default, without having to go through the patch.

Also, the patch only needs to be applied once. If you’re doing this a second time, on the same files, don’t re-apply the patch.



Matt Wednesday, September 15, 2010 at 22:52

yes sir….

as stated in the post, i downloaded exactly what was posted in this tutorial by using the links and verified them, where possible, against the md5 files. the only possibility is if the links are not pointing to the appropriate versions.

only applied patch once. second time i tried was from a brand new fresh install of OS.


Matti Thursday, September 16, 2010 at 09:03

Matt, have you tried just downloading the very latest Linux kernel? It should allow you to get by without applying the patch, as it has TPROXY built-in (the rest of the steps, to active it, still apply).

I don’t immediately have an idea on where to search for your error, if you’ve followed the rest of the steps.



Christian Thursday, February 17, 2011 at 05:44

Excellent Tutorial. Followed all steps and I now have a new kernel. Thank you very much.


Alan Sunday, November 13, 2011 at 12:09

Brilliant tutoral. First time I’ve ever dabbled in installing a new kernel. Followed the steps and all went without a hitch!


ibnu Saturday, February 11, 2012 at 04:55

[root@CACHE ~]# mkinitrd /boot/initrd-2.6.25-tproxy.img 2.6.25-tproxy
No modules available for kernel “2.6.25-tproxy”.

why ?


    Matti Saturday, February 11, 2012 at 10:03

    Are you sure you named your kernel “2.6.25-tproxy”? And not “” or something?


santosh Thursday, August 16, 2012 at 08:02

ERROR: “tcp_splice_match” [net/netfilter/xt_socket.ko] undefined!
ERROR: “tcp_splice_init” [net/netfilter/xt_socket.ko] undefined!
ERROR: “tcp_splice_cleanup” [net/netfilter/xt_socket.ko] undefined!

this error is coming while “make rpm”


Ravi Wednesday, August 22, 2012 at 08:57


I am following your instructions and i get the following error while operating the command: make clean && make mrproper..

Makefile:1523: *** mixed implicit and normal rules. Stop.

Please kindly advise,,


Ahmd Saturday, February 9, 2013 at 21:32

dear All ,
just simple question .
now after performing the above steps .
do i need to compile the squid with tproxy enable ?


i can just use yum install squid without any new steps ???

with my best regards


Mattias Geniar Monday, February 11, 2013 at 09:18

This answer sucks, but it depends: if the packaged yum version is up-to-date and compiled with tproxy support, it will work. If not, you’ll have to compile it yourself.


Ahmd Monday, February 11, 2013 at 13:12

thnaks mattias

but i want to ask

what nest steps i need to do after the steps above

i mean do i need to configure iptables or any thing ??
plz support me with guide with step by step to operate tproxy with squid



    Mattias Geniar Monday, February 11, 2013 at 13:51

    This isn’t easy. In fact, if you rely on a step-by-step guide, I suggest to seek professional help. You’ll need to configure both iptables and your internal network to send all traffic referring to your webserver back to your transaparant proxy. If this sounds like chinese to you, I kindly suggest to talk to your hosting provider for help. Explaining this in a step-by-step blogpost would require several days of work, a luxury I don’t have at this moment.

    Good luck.


Ahmd Monday, February 11, 2013 at 15:20

hi ,
i understand you .
im a good linux user but not professional in squid.
now agian ,
as a brief steps what i need to do next ?
what will happen if i use ubuntu 12.4 last version instaed of centos .

do i need compile kernel ?? or it is compiled by default?



Ahmd Thursday, February 14, 2013 at 20:00

hi matt ,
i have somethig wrong in iptables :
“”ip_conntrack_netbios_ns [FAILED]””

i tried steps aove on centos 5.9 32 bits !!


[root@virus ~]# iptables -V
iptables v1.4.0
[root@virus ~]# serive iptables status
-bash: serive: command not found
[root@virus ~]# service iptables status
Table: filter
Chain INPUT (policy ACCEPT)
num target prot opt source destination

Chain FORWARD (policy ACCEPT)
num target prot opt source destination

Chain OUTPUT (policy ACCEPT)
num target prot opt source destination

[root@virus ~]# service iptables stop
Flushing firewall rules: [ OK ]
Setting chains to policy ACCEPT: filter [ OK ]
Unloading iptables modules: [ OK ]
[root@virus ~]# service iptables start
Applying iptables firewall rules: [ OK ]
Loading additional iptables modules: ip_conntrack_netbios_ns [FAILED]
[root@virus ~]#

any help ?


Ahmd Thursday, February 14, 2013 at 20:04

hi matt , i solved it :
1-edit the “/etc/sysconfig/iptables-config” file
2-Change the following two options to look like the following:

what squid version do u recommedn to use on centos 5.9 after patching ??


Leave a Reply

Your email address will not be published. Required fields are marked *

Inbound links