netfilter: Add documentation for tproxy

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

Add basic usage instructions to Documentation/networking.

Signed-off-by: KOVACS Krisztian <hidden@sch.bme.hu>
Signed-off-by: Patrick McHardy <kaber@trash.net>

authored by

KOVACS Krisztian and committed by

Patrick McHardy 17 years ago d2f26037 e8439270

+85

1 changed file

expand all

Documentation

networking

tproxy.txt

+85

Documentation/networking/tproxy.txt

··· 1 + Transparent proxy support 2 + ========================= 3 + 4 + This feature adds Linux 2.2-like transparent proxy support to current kernels. 5 + To use it, enable NETFILTER_TPROXY, the socket match and the TPROXY target in 6 + your kernel config. You will need policy routing too, so be sure to enable that 7 + as well. 8 + 9 + 10 + 1. Making non-local sockets work 11 + ================================ 12 + 13 + The idea is that you identify packets with destination address matching a local 14 + socket on your box, set the packet mark to a certain value, and then match on that 15 + value using policy routing to have those packets delivered locally: 16 + 17 + # iptables -t mangle -N DIVERT 18 + # iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT 19 + # iptables -t mangle -A DIVERT -j MARK --set-mark 1 20 + # iptables -t mangle -A DIVERT -j ACCEPT 21 + 22 + # ip rule add fwmark 1 lookup 100 23 + # ip route add local 0.0.0.0/0 dev lo table 100 24 + 25 + Because of certain restrictions in the IPv4 routing output code you'll have to 26 + modify your application to allow it to send datagrams _from_ non-local IP 27 + addresses. All you have to do is enable the (SOL_IP, IP_TRANSPARENT) socket 28 + option before calling bind: 29 + 30 + fd = socket(AF_INET, SOCK_STREAM, 0); 31 + /* - 8< -*/ 32 + int value = 1; 33 + setsockopt(fd, SOL_IP, IP_TRANSPARENT, &value, sizeof(value)); 34 + /* - 8< -*/ 35 + name.sin_family = AF_INET; 36 + name.sin_port = htons(0xCAFE); 37 + name.sin_addr.s_addr = htonl(0xDEADBEEF); 38 + bind(fd, &name, sizeof(name)); 39 + 40 + A trivial patch for netcat is available here: 41 + http://people.netfilter.org/hidden/tproxy/netcat-ip_transparent-support.patch 42 + 43 + 44 + 2. Redirecting traffic 45 + ====================== 46 + 47 + Transparent proxying often involves "intercepting" traffic on a router. This is 48 + usually done with the iptables REDIRECT target; however, there are serious 49 + limitations of that method. One of the major issues is that it actually 50 + modifies the packets to change the destination address -- which might not be 51 + acceptable in certain situations. (Think of proxying UDP for example: you won't 52 + be able to find out the original destination address. Even in case of TCP 53 + getting the original destination address is racy.) 54 + 55 + The 'TPROXY' target provides similar functionality without relying on NAT. Simply 56 + add rules like this to the iptables ruleset above: 57 + 58 + # iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY \ 59 + --tproxy-mark 0x1/0x1 --on-port 50080 60 + 61 + Note that for this to work you'll have to modify the proxy to enable (SOL_IP, 62 + IP_TRANSPARENT) for the listening socket. 63 + 64 + 65 + 3. Iptables extensions 66 + ====================== 67 + 68 + To use tproxy you'll need to have the 'socket' and 'TPROXY' modules 69 + compiled for iptables. A patched version of iptables is available 70 + here: http://git.balabit.hu/?p=bazsi/iptables-tproxy.git 71 + 72 + 73 + 4. Application support 74 + ====================== 75 + 76 + 4.1. Squid 77 + ---------- 78 + 79 + Squid 3.HEAD has support built-in. To use it, pass 80 + '--enable-linux-netfilter' to configure and set the 'tproxy' option on 81 + the HTTP listener you redirect traffic to with the TPROXY iptables 82 + target. 83 + 84 + For more information please consult the following page on the Squid 85 + wiki: http://wiki.squid-cache.org/Features/Tproxy4