Commit | Line | Data |
---|---|---|
d2f26037 KK |
1 | Transparent proxy support |
2 | ========================= | |
3 | ||
4 | This feature adds Linux 2.2-like transparent proxy support to current kernels. | |
fd158d79 FW |
5 | To use it, enable the socket match and the TPROXY target in your kernel config. |
6 | You will need policy routing too, so be sure to enable that as well. | |
d2f26037 KK |
7 | |
8 | ||
9 | 1. Making non-local sockets work | |
10 | ================================ | |
11 | ||
12 | The idea is that you identify packets with destination address matching a local | |
13 | socket on your box, set the packet mark to a certain value, and then match on that | |
14 | value using policy routing to have those packets delivered locally: | |
15 | ||
16 | # iptables -t mangle -N DIVERT | |
17 | # iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT | |
18 | # iptables -t mangle -A DIVERT -j MARK --set-mark 1 | |
19 | # iptables -t mangle -A DIVERT -j ACCEPT | |
20 | ||
21 | # ip rule add fwmark 1 lookup 100 | |
22 | # ip route add local 0.0.0.0/0 dev lo table 100 | |
23 | ||
24 | Because of certain restrictions in the IPv4 routing output code you'll have to | |
25 | modify your application to allow it to send datagrams _from_ non-local IP | |
26 | addresses. All you have to do is enable the (SOL_IP, IP_TRANSPARENT) socket | |
27 | option before calling bind: | |
28 | ||
29 | fd = socket(AF_INET, SOCK_STREAM, 0); | |
30 | /* - 8< -*/ | |
31 | int value = 1; | |
32 | setsockopt(fd, SOL_IP, IP_TRANSPARENT, &value, sizeof(value)); | |
33 | /* - 8< -*/ | |
34 | name.sin_family = AF_INET; | |
35 | name.sin_port = htons(0xCAFE); | |
36 | name.sin_addr.s_addr = htonl(0xDEADBEEF); | |
37 | bind(fd, &name, sizeof(name)); | |
38 | ||
39 | A trivial patch for netcat is available here: | |
40 | http://people.netfilter.org/hidden/tproxy/netcat-ip_transparent-support.patch | |
41 | ||
42 | ||
43 | 2. Redirecting traffic | |
44 | ====================== | |
45 | ||
46 | Transparent proxying often involves "intercepting" traffic on a router. This is | |
47 | usually done with the iptables REDIRECT target; however, there are serious | |
48 | limitations of that method. One of the major issues is that it actually | |
49 | modifies the packets to change the destination address -- which might not be | |
50 | acceptable in certain situations. (Think of proxying UDP for example: you won't | |
51 | be able to find out the original destination address. Even in case of TCP | |
52 | getting the original destination address is racy.) | |
53 | ||
54 | The 'TPROXY' target provides similar functionality without relying on NAT. Simply | |
55 | add rules like this to the iptables ruleset above: | |
56 | ||
57 | # iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY \ | |
58 | --tproxy-mark 0x1/0x1 --on-port 50080 | |
59 | ||
60 | Note that for this to work you'll have to modify the proxy to enable (SOL_IP, | |
61 | IP_TRANSPARENT) for the listening socket. | |
62 | ||
63 | ||
64 | 3. Iptables extensions | |
65 | ====================== | |
66 | ||
67 | To use tproxy you'll need to have the 'socket' and 'TPROXY' modules | |
68 | compiled for iptables. A patched version of iptables is available | |
69 | here: http://git.balabit.hu/?p=bazsi/iptables-tproxy.git | |
70 | ||
71 | ||
72 | 4. Application support | |
73 | ====================== | |
74 | ||
75 | 4.1. Squid | |
76 | ---------- | |
77 | ||
78 | Squid 3.HEAD has support built-in. To use it, pass | |
79 | '--enable-linux-netfilter' to configure and set the 'tproxy' option on | |
80 | the HTTP listener you redirect traffic to with the TPROXY iptables | |
81 | target. | |
82 | ||
83 | For more information please consult the following page on the Squid | |
84 | wiki: http://wiki.squid-cache.org/Features/Tproxy4 |