What is transparent proxy in linux

This is where transparent proxying comes in. A web request can be intercepted by the proxy, transparently. That is, as far as the client software knows, it is talking to the origin server itself, when it is really talking to the proxy server. (Note that the transparency only applies to the client; the server knows that a proxy is involved, and will see the IP address of the proxy, not the IP address of the user. Squid may, however, pass an X-Forwarded-For header, so that the server can determine the original user’s IP address if it groks that header.)

Cisco routers support transparent proxying. So do many switches. But (surprisingly enough) Linux can act as a router, and can perform transparent proxying by redirecting TCP connections to local ports. However, we also need to make our web proxy aware of the effect of the redirection, so that it can make connections to the proper origin servers. There are two general ways this works:

The first is when your web proxy is not transparent proxy aware. You can use a nifty little daemon called transproxy that sits in front of your web proxy and takes care of all the messy details for you. transproxy was written by John Saunders, and is available from ftp://ftp.nlc.net.au/pub/linux/www/ or your local metalab mirror. transproxy will not be discussed further in this document.

A cleaner solution is to get a web proxy that is aware of transparent proxying itself. The one we are going to focus on here is squid. Squid is an Open Source caching proxy server for Unix systems. It is available from www.squid-cache.org.

Alternatively, instead of redirecting the connections to local ports, we could redirect the connections to remote ports. This is discussed in the Transparent Proxy to a Remote Box section. Readers interested in this approach should skip down to that section. Readers interested in doing everything on one box can safely ignore that section.

This document will focus on squid version 2.4 and Linux kernel version 2.4, the most current stable releases as of this writing (August 2002). It should also work with most of the later 2.3 kernels. If you need information about earlier releases of squid or Linux, you can find some earlier documents at http://users.gurulink.com/transproxy/. Note that this site has moved from its previous location.


If you are using a development kernel or a development version of squid, you are on your own. This document may help you, but YMMV.

Note that this document focuses only on HTTP proxying. I get many emails asking about transparent FTP proxying. Squid can’t do it. Now, allegedly a program called Frox can. I have not tried this myself, so I cannot say how well it works. You can find it at http://www.hollo32.fsnet.co.uk/frox/.

I only focus on squid here, but Apache can also function as a caching proxy server. (If you are not sure which to use, I recommend squid, since it was built from the ground up to be a caching proxy server; Apache’s caching proxy features are more of an afterthought added to an already existing system.) If you want to use Apache instead of squid: follow all the instructions in this document that pertain to the kernel and iptables rules. Ignore the squid specific sections, and instead look at http://lupo.campus.uniroma2.it/progetti/mod_tproxy/ for source code and instructions for a transparent proxy module for Apache (thanks to Cristiano Paris (c.paris@libero.it) for contributing this).

Finally, as far as transparently proxying HTTPS (e.g. secure web pages using SSL, TLS, etc.), you can’t do it. Don’t even ask. For the explanation, do a search for ‘man-in-the-middle attack’. Note that you probably don’t really need to transparently proxy HTTPS anyway, since squid can not cache secure pages.

You cannot use Proxy Authentication transparently. See the Squid FAQ for (slightly) more details.


Transparent proxy support

This feature adds Linux 2.2-like transparent proxy support to current kernels. To use it, enable the socket match and the TPROXY target in your kernel config. You will need policy routing too, so be sure to enable that as well.

From Linux 4.18 transparent proxy support is also available in nf_tables.

1. Making non-local sockets work

The idea is that you identify packets with destination address matching a local socket on your box, set the packet mark to a certain value:

    # iptables -t mangle -N DIVERT
    # iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
    # iptables -t mangle -A DIVERT -j MARK --set-mark 1
    # iptables -t mangle -A DIVERT -j ACCEPT

Alternatively you can do this in nft with the following commands:

    # nft add table filter
    # nft add chain filter divert "{ type filter hook prerouting priority -150; }"
    # nft add rule filter divert meta l4proto tcp socket transparent 1 meta mark set 1 accept

And then match on that value using policy routing to have those packets delivered locally:

    # ip rule add fwmark 1 lookup 100
    # ip route add local 0.0.0.0/0 dev lo table 100

Because of certain restrictions in the IPv4 routing output code you’ll have to modify your application to allow it to send datagrams _from_ non-local IP addresses. All you have to do is enable the (SOL_IP, IP_TRANSPARENT) socket option before calling bind:

    #include <arpa/inet.h>
    #include <netinet/in.h>
    #include <sys/socket.h>

    int fd;
    struct sockaddr_in name;

    fd = socket(AF_INET, SOCK_STREAM, 0);
    /* - 8< -*/
    int value = 1;
    /* with IP_TRANSPARENT set, bind() accepts addresses that are not local to this host */
    setsockopt(fd, SOL_IP, IP_TRANSPARENT, &value, sizeof(value));
    /* - 8< -*/
    name.sin_family = AF_INET;
    name.sin_port = htons(0xCAFE);
    name.sin_addr.s_addr = htonl(0xDEADBEEF);
    bind(fd, (struct sockaddr *)&name, sizeof(name));

2. Redirecting traffic

Transparent proxying often involves "intercepting" traffic on a router. This is usually done with the iptables REDIRECT target; however, there are serious limitations of that method. One of the major issues is that it actually modifies the packets to change the destination address -- which might not be acceptable in certain situations. (Think of proxying UDP for example: you won't be able to find out the original destination address. Even in the case of TCP, getting the original destination address is racy.)


The 'TPROXY' target provides similar functionality without relying on NAT. Simply add rules like this to the iptables ruleset above:

    # iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY \
        --tproxy-mark 0x1/0x1 --on-port 50080

Or the following rule to nft:

    # nft add rule filter divert tcp dport 80 tproxy to :50080 meta mark set 1 accept

Note that for this to work you'll have to modify the proxy to enable (SOL_IP, IP_TRANSPARENT) for the listening socket.

As an example implementation, tcprdr is available at https://git.breakpoint.cc/cgit/fw/tcprdr.git/. This tool was written by Florian Westphal and was used for testing during the nf_tables implementation.
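The two socket-level requirements described above (enable IP_TRANSPARENT on the listening socket, and recover the destination the client actually dialled without the REDIRECT-style conntrack lookup) fit in one small listener. The following is an added example written for this page; it is not code from the kernel documentation, from tcprdr or from Squid. It assumes Linux with glibc, that port 50080 is the one named in the TPROXY/nft rules above, and that the process has CAP_NET_ADMIN (without it, set_transparent() fails with EPERM). The helper names listen_on, local_port and original_destination are this example's own.

```c
/* Added example: a TPROXY-aware TCP listener skeleton (not kernel, tcprdr or
 * Squid code).  Assumes Linux/glibc; port 50080 is the --on-port value from
 * the rules above; IP_TRANSPARENT needs CAP_NET_ADMIN. */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Mark a socket transparent so it may bind to / accept for addresses that
 * are not local to this host.  Returns 0 on success, -1 (errno set) on failure. */
int set_transparent(int fd)
{
    int one = 1;
    return setsockopt(fd, SOL_IP, IP_TRANSPARENT, &one, sizeof(one));
}

/* Create a listening TCP socket on ip:port (port 0 = kernel-chosen).
 * With transparent=1, IP_TRANSPARENT is requested first and its failure is
 * fatal: a non-transparent listener never sees TPROXY-diverted connections. */
int listen_on(const char *ip, uint16_t port, int transparent)
{
    struct sockaddr_in sa;
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    if (transparent && set_transparent(fd) < 0) {
        close(fd);
        return -1;
    }
    memset(&sa, 0, sizeof(sa));
    sa.sin_family = AF_INET;
    sa.sin_port = htons(port);
    if (inet_pton(AF_INET, ip, &sa.sin_addr) != 1 ||
        bind(fd, (struct sockaddr *)&sa, sizeof(sa)) < 0 ||
        listen(fd, 128) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Port a socket is actually bound to (useful after binding port 0). */
int local_port(int fd)
{
    struct sockaddr_in sa;
    socklen_t len = sizeof(sa);
    if (getsockname(fd, (struct sockaddr *)&sa, &len) < 0)
        return -1;
    return ntohs(sa.sin_port);
}

/* Original destination of an accepted connection.  TPROXY does not rewrite
 * the packet, so the local address of the accepted socket *is* the address
 * the client dialled; no SO_ORIGINAL_DST / conntrack lookup (the racy part
 * with REDIRECT) is needed.  Returns 0 and fills ip/port, -1 on error. */
int original_destination(int conn_fd, char *ip, size_t ip_len, uint16_t *port)
{
    struct sockaddr_in sa;
    socklen_t len = sizeof(sa);
    if (getsockname(conn_fd, (struct sockaddr *)&sa, &len) < 0)
        return -1;
    if (!inet_ntop(AF_INET, &sa.sin_addr, ip, ip_len))
        return -1;
    *port = ntohs(sa.sin_port);
    return 0;
}

/* Accept diverted connections and report where each client meant to go.
 * A real proxy would next open an upstream socket (also IP_TRANSPARENT, and
 * bound to the client's address if the server should see the client's IP)
 * and relay between the two. */
int main(void)
{
    char ip[INET_ADDRSTRLEN];
    uint16_t port;
    int lfd = listen_on("0.0.0.0", 50080, 1);
    if (lfd < 0) {
        perror("listen_on (IP_TRANSPARENT needs CAP_NET_ADMIN)");
        return 1;
    }
    for (;;) {
        int cfd = accept(lfd, NULL, NULL);
        if (cfd < 0)
            continue;
        if (original_destination(cfd, ip, sizeof(ip), &port) == 0)
            printf("client wanted %s:%u\n", ip, (unsigned)port);
        close(cfd);
    }
}
```

Note that a transparent listener bound to 0.0.0.0 will accept a connection for any destination the firewall diverts to it, so the access control lives in the DIVERT/TPROXY rules (interface, protocol and port match), not in the socket; scope those rules to the interface and ports you intend to proxy.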

3. Iptables and nf_tables extensions

To use tproxy you'll need to have the following modules compiled for iptables:

Or the following modules for nf_tables:

4. Application support

4.1. Squid

Squid 3.HEAD has support built-in. To use it, pass '--enable-linux-netfilter' to configure and set the 'tproxy' option on the HTTP listener you redirect traffic to with the TPROXY iptables target.
