| KOVACS Krisztian | d2f26037 | 2008-10-08 11:35:12 +0200 | [diff] [blame] | 1 | Transparent proxy support |
| 2 | ========================= |
| 3 | |
| 4 | This feature adds Linux 2.2-like transparent proxy support to current kernels. |
| 5 | To use it, enable NETFILTER_TPROXY, the socket match and the TPROXY target in |
| 6 | your kernel config. You will need policy routing too, so be sure to enable that |
| 7 | as well. |
| 8 | |
| 9 | |
| 10 | 1. Making non-local sockets work |
| 11 | ================================ |
| 12 | |
| 13 | The idea is that you identify packets with destination address matching a local |
| 14 | socket on your box, set the packet mark to a certain value, and then match on that |
| 15 | value using policy routing to have those packets delivered locally: |
| 16 | |
| 17 | # iptables -t mangle -N DIVERT |
| 18 | # iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT |
| 19 | # iptables -t mangle -A DIVERT -j MARK --set-mark 1 |
| 20 | # iptables -t mangle -A DIVERT -j ACCEPT |
| 21 | |
| 22 | # ip rule add fwmark 1 lookup 100 |
| 23 | # ip route add local 0.0.0.0/0 dev lo table 100 |
| 24 | |
| 25 | Because of certain restrictions in the IPv4 routing output code you'll have to |
| 26 | modify your application to allow it to send datagrams _from_ non-local IP |
| 27 | addresses. All you have to do is enable the (SOL_IP, IP_TRANSPARENT) socket |
| 28 | option before calling bind: |
| 29 | |
| 30 | fd = socket(AF_INET, SOCK_STREAM, 0); |
| 31 | /* - 8< -*/ |
| 32 | int value = 1; |
| 33 | setsockopt(fd, SOL_IP, IP_TRANSPARENT, &value, sizeof(value)); |
| 34 | /* - 8< -*/ |
| 35 | name.sin_family = AF_INET; |
| 36 | name.sin_port = htons(0xCAFE); |
| 37 | name.sin_addr.s_addr = htonl(0xDEADBEEF); |
| 38 | bind(fd, &name, sizeof(name)); |
| 39 | |
| 40 | A trivial patch for netcat is available here: |
| 41 | http://people.netfilter.org/hidden/tproxy/netcat-ip_transparent-support.patch |
| 42 | |
| 43 | |
| 44 | 2. Redirecting traffic |
| 45 | ====================== |
| 46 | |
| 47 | Transparent proxying often involves "intercepting" traffic on a router. This is |
| 48 | usually done with the iptables REDIRECT target; however, there are serious |
| 49 | limitations of that method. One of the major issues is that it actually |
| 50 | modifies the packets to change the destination address -- which might not be |
| 51 | acceptable in certain situations. (Think of proxying UDP for example: you won't |
| 52 | be able to find out the original destination address. Even in case of TCP |
| 53 | getting the original destination address is racy.) |
| 54 | |
| 55 | The 'TPROXY' target provides similar functionality without relying on NAT. Simply |
| 56 | add rules like this to the iptables ruleset above: |
| 57 | |
| 58 | # iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY \ |
| 59 | --tproxy-mark 0x1/0x1 --on-port 50080 |
| 60 | |
| 61 | Note that for this to work you'll have to modify the proxy to enable (SOL_IP, |
| 62 | IP_TRANSPARENT) for the listening socket. |
| 63 | |
| 64 | |
| 65 | 3. Iptables extensions |
| 66 | ====================== |
| 67 | |
| 68 | To use tproxy you'll need to have the 'socket' and 'TPROXY' modules |
| 69 | compiled for iptables. A patched version of iptables is available |
| 70 | here: http://git.balabit.hu/?p=bazsi/iptables-tproxy.git |
| 71 | |
| 72 | |
| 73 | 4. Application support |
| 74 | ====================== |
| 75 | |
| 76 | 4.1. Squid |
| 77 | ---------- |
| 78 | |
| 79 | Squid 3.HEAD has support built-in. To use it, pass |
| 80 | '--enable-linux-netfilter' to configure and set the 'tproxy' option on |
| 81 | the HTTP listener you redirect traffic to with the TPROXY iptables |
| 82 | target. |
| 83 | |
| 84 | For more information please consult the following page on the Squid |
| 85 | wiki: http://wiki.squid-cache.org/Features/Tproxy4 |