| Transparent proxy support |
| ========================= |
| |
| This feature adds Linux 2.2-like transparent proxy support to current kernels. |
| To use it, enable NETFILTER_TPROXY, the socket match and the TPROXY target in |
| your kernel config. You will need policy routing too, so be sure to enable that |
| as well. |
| |
| |
| 1. Making non-local sockets work |
| ================================ |
| |
| The idea is that you identify packets with destination address matching a local |
| socket on your box, set the packet mark to a certain value, and then match on that |
| value using policy routing to have those packets delivered locally: |
| |
| # iptables -t mangle -N DIVERT |
| # iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT |
| # iptables -t mangle -A DIVERT -j MARK --set-mark 1 |
| # iptables -t mangle -A DIVERT -j ACCEPT |
| |
| # ip rule add fwmark 1 lookup 100 |
| # ip route add local 0.0.0.0/0 dev lo table 100 |
| |
| Because of certain restrictions in the IPv4 routing output code you'll have to |
| modify your application to allow it to send datagrams _from_ non-local IP |
| addresses. All you have to do is enable the (SOL_IP, IP_TRANSPARENT) socket |
| option before calling bind: |
| |
| fd = socket(AF_INET, SOCK_STREAM, 0); |
| /* - 8< -*/ |
| int value = 1; |
| setsockopt(fd, SOL_IP, IP_TRANSPARENT, &value, sizeof(value)); |
| /* - 8< -*/ |
| name.sin_family = AF_INET; |
| name.sin_port = htons(0xCAFE); |
| name.sin_addr.s_addr = htonl(0xDEADBEEF); |
| bind(fd, &name, sizeof(name)); |
| |
| A trivial patch for netcat is available here: |
| http://people.netfilter.org/hidden/tproxy/netcat-ip_transparent-support.patch |
| |
| |
| 2. Redirecting traffic |
| ====================== |
| |
| Transparent proxying often involves "intercepting" traffic on a router. This is |
| usually done with the iptables REDIRECT target; however, there are serious |
| limitations of that method. One of the major issues is that it actually |
| modifies the packets to change the destination address -- which might not be |
| acceptable in certain situations. (Think of proxying UDP for example: you won't |
| be able to find out the original destination address. Even in case of TCP |
| getting the original destination address is racy.) |
| |
| The 'TPROXY' target provides similar functionality without relying on NAT. Simply |
| add rules like this to the iptables ruleset above: |
| |
| # iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY \ |
| --tproxy-mark 0x1/0x1 --on-port 50080 |
| |
| Note that for this to work you'll have to modify the proxy to enable (SOL_IP, |
| IP_TRANSPARENT) for the listening socket. |
| |
| |
| 3. Iptables extensions |
| ====================== |
| |
| To use tproxy you'll need to have the 'socket' and 'TPROXY' modules |
| compiled for iptables. A patched version of iptables is available |
| here: http://git.balabit.hu/?p=bazsi/iptables-tproxy.git |
| |
| |
| 4. Application support |
| ====================== |
| |
| 4.1. Squid |
| ---------- |
| |
| Squid 3.HEAD has support built-in. To use it, pass |
| '--enable-linux-netfilter' to configure and set the 'tproxy' option on |
| the HTTP listener you redirect traffic to with the TPROXY iptables |
| target. |
| |
| For more information please consult the following page on the Squid |
| wiki: http://wiki.squid-cache.org/Features/Tproxy4 |
