Eric Lee / smarc-fsl-linux-kernel

Blame view

Documentation/networking/tproxy.txt 3 KB
edit raw normal view history
d2f26037a   KOVACS Krisztian   netfilter: Add do... 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
 
  Transparent proxy support
  =========================
  
  This feature adds Linux 2.2-like transparent proxy support to current kernels.
  To use it, enable NETFILTER_TPROXY, the socket match and the TPROXY target in
  your kernel config. You will need policy routing too, so be sure to enable that
  as well.
  
  
  1. Making non-local sockets work
  ================================
  
  The idea is that you identify packets with destination address matching a local
  socket on your box, set the packet mark to a certain value, and then match on that
  value using policy routing to have those packets delivered locally:
  
  # iptables -t mangle -N DIVERT
  # iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
  # iptables -t mangle -A DIVERT -j MARK --set-mark 1
  # iptables -t mangle -A DIVERT -j ACCEPT
  
  # ip rule add fwmark 1 lookup 100
  # ip route add local 0.0.0.0/0 dev lo table 100
  
  Because of certain restrictions in the IPv4 routing output code you'll have to
  modify your application to allow it to send datagrams _from_ non-local IP
  addresses. All you have to do is enable the (SOL_IP, IP_TRANSPARENT) socket
  option before calling bind:
  
  fd = socket(AF_INET, SOCK_STREAM, 0);
  /* - 8< -*/
  int value = 1;
  setsockopt(fd, SOL_IP, IP_TRANSPARENT, &value, sizeof(value));
  /* - 8< -*/
  name.sin_family = AF_INET;
  name.sin_port = htons(0xCAFE);
  name.sin_addr.s_addr = htonl(0xDEADBEEF);
  bind(fd, &name, sizeof(name));
  
  A trivial patch for netcat is available here:
  http://people.netfilter.org/hidden/tproxy/netcat-ip_transparent-support.patch
  
  
  2. Redirecting traffic
  ======================
  
  Transparent proxying often involves "intercepting" traffic on a router. This is
  usually done with the iptables REDIRECT target; however, there are serious
  limitations of that method. One of the major issues is that it actually
  modifies the packets to change the destination address -- which might not be
  acceptable in certain situations. (Think of proxying UDP for example: you won't
  be able to find out the original destination address. Even in case of TCP
  getting the original destination address is racy.)
  
  The 'TPROXY' target provides similar functionality without relying on NAT. Simply
  add rules like this to the iptables ruleset above:
  
  # iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY \
    --tproxy-mark 0x1/0x1 --on-port 50080
  
  Note that for this to work you'll have to modify the proxy to enable (SOL_IP,
  IP_TRANSPARENT) for the listening socket.
  
  
  3. Iptables extensions
  ======================
  
  To use tproxy you'll need to have the 'socket' and 'TPROXY' modules
  compiled for iptables. A patched version of iptables is available
  here: http://git.balabit.hu/?p=bazsi/iptables-tproxy.git
  
  
  4. Application support
  ======================
  
  4.1. Squid
  ----------
  
  Squid 3.HEAD has support built-in. To use it, pass
  '--enable-linux-netfilter' to configure and set the 'tproxy' option on
  the HTTP listener you redirect traffic to with the TPROXY iptables
  target.
  
  For more information please consult the following page on the Squid
  wiki: http://wiki.squid-cache.org/Features/Tproxy4