]>
Commit | Line | Data |
---|---|---|
d2f26037 KK |
1 | Transparent proxy support |
2 | ========================= | |
3 | ||
4 | This feature adds Linux 2.2-like transparent proxy support to current kernels. | |
5 | To use it, enable NETFILTER_TPROXY, the socket match and the TPROXY target in | |
6 | your kernel config. You will need policy routing too, so be sure to enable that | |
7 | as well. | |
8 | ||
9 | ||
10 | 1. Making non-local sockets work | |
11 | ================================ | |
12 | ||
13 | The idea is that you identify packets with destination address matching a local | |
14 | socket on your box, set the packet mark to a certain value, and then match on that | |
15 | value using policy routing to have those packets delivered locally: | |
16 | ||
17 | # iptables -t mangle -N DIVERT | |
18 | # iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT | |
19 | # iptables -t mangle -A DIVERT -j MARK --set-mark 1 | |
20 | # iptables -t mangle -A DIVERT -j ACCEPT | |
21 | ||
22 | # ip rule add fwmark 1 lookup 100 | |
23 | # ip route add local 0.0.0.0/0 dev lo table 100 | |
24 | ||
25 | Because of certain restrictions in the IPv4 routing output code you'll have to | |
26 | modify your application to allow it to send datagrams _from_ non-local IP | |
27 | addresses. All you have to do is enable the (SOL_IP, IP_TRANSPARENT) socket | |
28 | option before calling bind: | |
29 | ||
30 | fd = socket(AF_INET, SOCK_STREAM, 0); | |
31 | /* - 8< -*/ | |
32 | int value = 1; | |
33 | setsockopt(fd, SOL_IP, IP_TRANSPARENT, &value, sizeof(value)); | |
34 | /* - 8< -*/ | |
35 | name.sin_family = AF_INET; | |
36 | name.sin_port = htons(0xCAFE); | |
37 | name.sin_addr.s_addr = htonl(0xDEADBEEF); | |
38 | bind(fd, &name, sizeof(name)); | |
39 | ||
40 | A trivial patch for netcat is available here: | |
41 | http://people.netfilter.org/hidden/tproxy/netcat-ip_transparent-support.patch | |
42 | ||
43 | ||
44 | 2. Redirecting traffic | |
45 | ====================== | |
46 | ||
47 | Transparent proxying often involves "intercepting" traffic on a router. This is | |
48 | usually done with the iptables REDIRECT target; however, there are serious | |
49 | limitations of that method. One of the major issues is that it actually | |
50 | modifies the packets to change the destination address -- which might not be | |
51 | acceptable in certain situations. (Think of proxying UDP for example: you won't | |
52 | be able to find out the original destination address. Even in case of TCP | |
53 | getting the original destination address is racy.) | |
54 | ||
55 | The 'TPROXY' target provides similar functionality without relying on NAT. Simply | |
56 | add rules like this to the iptables ruleset above: | |
57 | ||
58 | # iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY \ | |
59 | --tproxy-mark 0x1/0x1 --on-port 50080 | |
60 | ||
61 | Note that for this to work you'll have to modify the proxy to enable (SOL_IP, | |
62 | IP_TRANSPARENT) for the listening socket. | |
63 | ||
64 | ||
65 | 3. Iptables extensions | |
66 | ====================== | |
67 | ||
68 | To use tproxy you'll need to have the 'socket' and 'TPROXY' modules | |
69 | compiled for iptables. A patched version of iptables is available | |
70 | here: http://git.balabit.hu/?p=bazsi/iptables-tproxy.git | |
71 | ||
72 | ||
73 | 4. Application support | |
74 | ====================== | |
75 | ||
76 | 4.1. Squid | |
77 | ---------- | |
78 | ||
79 | Squid 3.HEAD has support built-in. To use it, pass | |
80 | '--enable-linux-netfilter' to configure and set the 'tproxy' option on | |
81 | the HTTP listener you redirect traffic to with the TPROXY iptables | |
82 | target. | |
83 | ||
84 | For more information please consult the following page on the Squid | |
85 | wiki: http://wiki.squid-cache.org/Features/Tproxy4 |