1 Transparent proxy support
2 =========================
4 This feature adds Linux 2.2-like transparent proxy support to current kernels.
5 To use it, enable the socket match and the TPROXY target in your kernel config.
6 You will need policy routing too, so be sure to enable that as well.
9 1. Making non-local sockets work
10 ================================
12 The idea is that you identify packets with destination address matching a local
13 socket on your box, set the packet mark to a certain value, and then match on that
14 value using policy routing to have those packets delivered locally:
16 # iptables -t mangle -N DIVERT
17 # iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
18 # iptables -t mangle -A DIVERT -j MARK --set-mark 1
19 # iptables -t mangle -A DIVERT -j ACCEPT
21 # ip rule add fwmark 1 lookup 100
22 # ip route add local 0.0.0.0/0 dev lo table 100
24 Because of certain restrictions in the IPv4 routing output code you'll have to
25 modify your application to allow it to send datagrams _from_ non-local IP
26 addresses. All you have to do is enable the (SOL_IP, IP_TRANSPARENT) socket
27 option before calling bind:
29 fd = socket(AF_INET, SOCK_STREAM, 0);
32 setsockopt(fd, SOL_IP, IP_TRANSPARENT, &value, sizeof(value));
34 name.sin_family = AF_INET;
35 name.sin_port = htons(0xCAFE);
36 name.sin_addr.s_addr = htonl(0xDEADBEEF);
37 bind(fd, &name, sizeof(name));
39 A trivial patch for netcat is available here:
40 http://people.netfilter.org/hidden/tproxy/netcat-ip_transparent-support.patch
43 2. Redirecting traffic
44 ======================
46 Transparent proxying often involves "intercepting" traffic on a router. This is
47 usually done with the iptables REDIRECT target; however, there are serious
48 limitations of that method. One of the major issues is that it actually
49 modifies the packets to change the destination address -- which might not be
50 acceptable in certain situations. (Think of proxying UDP for example: you won't
51 be able to find out the original destination address. Even in case of TCP
52 getting the original destination address is racy.)
54 The 'TPROXY' target provides similar functionality without relying on NAT. Simply
55 add rules like this to the iptables ruleset above:
57 # iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY \
58 --tproxy-mark 0x1/0x1 --on-port 50080
60 Note that for this to work you'll have to modify the proxy to enable (SOL_IP,
61 IP_TRANSPARENT) for the listening socket.
64 3. Iptables extensions
65 ======================
67 To use tproxy you'll need to have the 'socket' and 'TPROXY' modules
68 compiled for iptables. A patched version of iptables is available
69 here: http://git.balabit.hu/?p=bazsi/iptables-tproxy.git
72 4. Application support
73 ======================
78 Squid 3.HEAD has support built-in. To use it, pass
79 '--enable-linux-netfilter' to configure and set the 'tproxy' option on
80 the HTTP listener you redirect traffic to with the TPROXY iptables
83 For more information please consult the following page on the Squid
84 wiki: http://wiki.squid-cache.org/Features/Tproxy4