tproxy.rst (3903B)
1.. SPDX-License-Identifier: GPL-2.0 2 3========================= 4Transparent proxy support 5========================= 6 7This feature adds Linux 2.2-like transparent proxy support to current kernels. 8To use it, enable the socket match and the TPROXY target in your kernel config. 9You will need policy routing too, so be sure to enable that as well. 10 11From Linux 4.18 transparent proxy support is also available in nf_tables. 12 131. Making non-local sockets work 14================================ 15 16The idea is that you identify packets with destination address matching a local 17socket on your box, set the packet mark to a certain value:: 18 19 # iptables -t mangle -N DIVERT 20 # iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT 21 # iptables -t mangle -A DIVERT -j MARK --set-mark 1 22 # iptables -t mangle -A DIVERT -j ACCEPT 23 24Alternatively you can do this in nft with the following commands:: 25 26 # nft add table filter 27 # nft add chain filter divert "{ type filter hook prerouting priority -150; }" 28 # nft add rule filter divert meta l4proto tcp socket transparent 1 meta mark set 1 accept 29 30And then match on that value using policy routing to have those packets 31delivered locally:: 32 33 # ip rule add fwmark 1 lookup 100 34 # ip route add local 0.0.0.0/0 dev lo table 100 35 36Because of certain restrictions in the IPv4 routing output code you'll have to 37modify your application to allow it to send datagrams _from_ non-local IP 38addresses. All you have to do is enable the (SOL_IP, IP_TRANSPARENT) socket 39option before calling bind:: 40 41 fd = socket(AF_INET, SOCK_STREAM, 0); 42 /* - 8< -*/ 43 int value = 1; 44 setsockopt(fd, SOL_IP, IP_TRANSPARENT, &value, sizeof(value)); 45 /* - 8< -*/ 46 name.sin_family = AF_INET; 47 name.sin_port = htons(0xCAFE); 48 name.sin_addr.s_addr = htonl(0xDEADBEEF); 49 bind(fd, &name, sizeof(name)); 50 51A trivial patch for netcat is available here: 52http://people.netfilter.org/hidden/tproxy/netcat-ip_transparent-support.patch 53 54 552. Redirecting traffic 56====================== 57 58Transparent proxying often involves "intercepting" traffic on a router. This is 59usually done with the iptables REDIRECT target; however, there are serious 60limitations of that method. One of the major issues is that it actually 61modifies the packets to change the destination address -- which might not be 62acceptable in certain situations. (Think of proxying UDP for example: you won't 63be able to find out the original destination address. Even in case of TCP 64getting the original destination address is racy.) 65 66The 'TPROXY' target provides similar functionality without relying on NAT. Simply 67add rules like this to the iptables ruleset above:: 68 69 # iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY \ 70 --tproxy-mark 0x1/0x1 --on-port 50080 71 72Or the following rule to nft: 73 74# nft add rule filter divert tcp dport 80 tproxy to :50080 meta mark set 1 accept 75 76Note that for this to work you'll have to modify the proxy to enable (SOL_IP, 77IP_TRANSPARENT) for the listening socket. 78 79As an example implementation, tcprdr is available here: 80https://git.breakpoint.cc/cgit/fw/tcprdr.git/ 81This tool is written by Florian Westphal and it was used for testing during the 82nf_tables implementation. 83 843. Iptables and nf_tables extensions 85==================================== 86 87To use tproxy you'll need to have the following modules compiled for iptables: 88 89 - NETFILTER_XT_MATCH_SOCKET 90 - NETFILTER_XT_TARGET_TPROXY 91 92Or the floowing modules for nf_tables: 93 94 - NFT_SOCKET 95 - NFT_TPROXY 96 974. Application support 98====================== 99 1004.1. Squid 101---------- 102 103Squid 3.HEAD has support built-in. To use it, pass 104'--enable-linux-netfilter' to configure and set the 'tproxy' option on 105the HTTP listener you redirect traffic to with the TPROXY iptables 106target. 107 108For more information please consult the following page on the Squid 109wiki: http://wiki.squid-cache.org/Features/Tproxy4