
Implementing a transparent proxy with tproxy

Date: 2019-06-09 05:34:56


Transparent proxy support
=========================

This feature adds Linux 2.2-like transparent proxy support to current kernels.
To use it, enable NETFILTER_TPROXY, the socket match and the TPROXY target in
your kernel config. You will need policy routing too, so be sure to enable that
as well.


1. Making non-local sockets work
================================

The idea is that you identify packets with destination address matching a local
socket on your box, set the packet mark to a certain value, and then match on that
value using policy routing to have those packets delivered locally:

# iptables -t mangle -N DIVERT
# iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
# iptables -t mangle -A DIVERT -j MARK --set-mark 1
# iptables -t mangle -A DIVERT -j ACCEPT
# ip rule add fwmark 1 lookup 100
# ip route add local 0.0.0.0/0 dev lo table 100

Because of certain restrictions in the IPv4 routing output code you'll have to
modify your application to allow it to send datagrams _from_ non-local IP
addresses. All you have to do is enable the (SOL_IP, IP_TRANSPARENT) socket
option before calling bind:

#include <sys/socket.h>
#include <netinet/in.h>   /* struct sockaddr_in, SOL_IP, IP_TRANSPARENT */

struct sockaddr_in name = { 0 };
int fd = socket(AF_INET, SOCK_STREAM, 0);
/* IP_TRANSPARENT must be set before bind(); setting it needs CAP_NET_ADMIN */
int value = 1;
setsockopt(fd, SOL_IP, IP_TRANSPARENT, &value, sizeof(value));
name.sin_family = AF_INET;
name.sin_port = htons(0xCAFE);
name.sin_addr.s_addr = htonl(0xDEADBEEF);   /* an address not configured locally */
bind(fd, (struct sockaddr *)&name, sizeof(name));

A trivial patch for netcat is available here:
/hidden/tproxy/netcat-ip_transparent-support.patch


2. Redirecting traffic
======================

Transparent proxying often involves "intercepting" traffic on a router. This is
usually done with the iptables REDIRECT target; however, there are serious
limitations of that method. One of the major issues is that it actually
modifies the packets to change the destination address -- which might not be
acceptable in certain situations. (Think of proxying UDP for example: you won't
be able to find out the original destination address. Even in case of TCP,
getting the original destination address is racy.)

The "TPROXY" target provides similar functionality without relying on NAT. Simply
add rules like this to the iptables ruleset above:

# iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY \
  --tproxy-mark 0x1/0x1 --on-port 50080

Note that for this to work you'll have to modify the proxy to enable (SOL_IP,
IP_TRANSPARENT) for the listening socket.


3. Iptables extensions
======================

To use tproxy you'll need to have the "socket" and "TPROXY" modules compiled for
iptables. A patched version of iptables is available here:
http://git.balabit.hu/?p=bazsi/iptables-tproxy.git


4. Application support
======================

4.1. Squid
----------

Squid 3.HEAD has support built-in. To use it, pass "--enable-linux-netfilter"
to configure and set the "tproxy" option on the HTTP listener you redirect
traffic to with the TPROXY iptables target.

For more information please consult the following page on the Squid wiki:
http://wiki.squid-/Features/Tproxy4
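The document above states two requirements for the proxy process (section 1: IP_TRANSPARENT before bind; section 2: IP_TRANSPARENT on the listening socket behind the TPROXY rule) and points out that, unlike REDIRECT, TPROXY delivers the packet with its destination address unchanged. The following program is an added example written for this page; it is not code from the kernel document or from any proxy project. It builds a listener on 0.0.0.0:50080 (the --on-port value from the rule above) with IP_TRANSPARENT set, and for each accepted connection recovers the client's original destination with getsockname(): because TPROXY did not rewrite the packet, the local address of the accepted socket is that original destination, so no NAT lookup is needed. The helper names (build_sockaddr, format_endpoint, enable_ip_transparent, ip_transparent_enabled, make_transparent_listener) are this example's own. Setting IP_TRANSPARENT requires CAP_NET_ADMIN, so the listener part only succeeds as root; reading the option back with getsockopt() needs no privilege, which is what ip_transparent_enabled() uses to verify the socket is actually in transparent mode before the rule is trusted.

```c
/* Added example for the tproxy document above (not the kernel's own code).
 * Assumes Linux with glibc headers; port 50080 matches --on-port in the
 * TPROXY rule, and the helper names are this example's own. */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#define PROXY_PORT 50080   /* must match --on-port in the TPROXY rule */

/* Fill a sockaddr_in from a host-order IPv4 address and port. */
void build_sockaddr(uint32_t ip_host_order, uint16_t port_host_order,
                    struct sockaddr_in *out)
{
    memset(out, 0, sizeof(*out));
    out->sin_family = AF_INET;
    out->sin_port = htons(port_host_order);
    out->sin_addr.s_addr = htonl(ip_host_order);
}

/* Render "a.b.c.d:port" into buf; returns chars written, or -1 on error/truncation. */
int format_endpoint(const struct sockaddr_in *sa, char *buf, size_t len)
{
    char ip[INET_ADDRSTRLEN];
    if (!inet_ntop(AF_INET, &sa->sin_addr, ip, sizeof(ip)))
        return -1;
    int n = snprintf(buf, len, "%s:%u", ip, (unsigned)ntohs(sa->sin_port));
    return (n < 0 || (size_t)n >= len) ? -1 : n;
}

/* Set (SOL_IP, IP_TRANSPARENT). Needs CAP_NET_ADMIN; returns 0 or -1 with errno set. */
int enable_ip_transparent(int fd)
{
    int one = 1;
    return setsockopt(fd, SOL_IP, IP_TRANSPARENT, &one, sizeof(one));
}

/* Read IP_TRANSPARENT back (unprivileged): 1 if set, 0 if not, -1 on error. */
int ip_transparent_enabled(int fd)
{
    int value = 0;
    socklen_t len = sizeof(value);
    if (getsockopt(fd, SOL_IP, IP_TRANSPARENT, &value, &len) < 0)
        return -1;
    return value ? 1 : 0;
}

/* Listening socket on 0.0.0.0:port with IP_TRANSPARENT set before bind(). */
int make_transparent_listener(uint16_t port)
{
    struct sockaddr_in addr;
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    if (enable_ip_transparent(fd) < 0) {   /* EPERM here means missing CAP_NET_ADMIN */
        close(fd);
        return -1;
    }
    build_sockaddr(INADDR_ANY, port, &addr);
    if (bind(fd, (struct sockaddr *)&addr, sizeof(addr)) < 0 || listen(fd, 16) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

int main(void)
{
    int lfd = make_transparent_listener(PROXY_PORT);
    if (lfd < 0) {
        perror("make_transparent_listener (run as root / with CAP_NET_ADMIN)");
        return 1;
    }
    for (;;) {
        struct sockaddr_in peer, orig_dst;
        socklen_t plen = sizeof(peer), dlen = sizeof(orig_dst);
        char pbuf[32], dbuf[32];
        int cfd = accept(lfd, (struct sockaddr *)&peer, &plen);
        if (cfd < 0)
            continue;
        /* Under TPROXY the packet was not rewritten, so the accepted socket's
         * local address is the destination the client actually connected to. */
        if (getsockname(cfd, (struct sockaddr *)&orig_dst, &dlen) == 0 &&
            format_endpoint(&peer, pbuf, sizeof(pbuf)) > 0 &&
            format_endpoint(&orig_dst, dbuf, sizeof(dbuf)) > 0)
            printf("client %s connected to original destination %s\n", pbuf, dbuf);
        /* A full proxy would now open its upstream socket (also with
         * IP_TRANSPARENT, bound to the client's address as in section 1) and relay. */
        close(cfd);
    }
}
```

Run it as root after installing the DIVERT rules and the TPROXY rule from the document; without the mangle-table rules and the fwmark policy route, packets for foreign destinations are never delivered to the local socket, and without CAP_NET_ADMIN the setsockopt() call fails with EPERM, which the program reports instead of silently listening as an ordinary (non-transparent) service.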
