Firewall Wizards mailing list archives

Re: Transparent proxy


From: "Marcus J. Ranum" <mjr () nfr net>
Date: Tue, 22 Jun 1999 14:18:27 -0400

Do you know how a transparent proxy is implemented? How does it work?

Usually it's done by whacking the bottom of ip_input.c.  (on *BSD)
You modify the lines that check to see if a packet is destined
for the host, and make them accept _all_ traffic as if it's
destined to the host. That means that any packets routing through
the host will "wake up" a proxy. So "telnet mit.edu" will actually
get caught exactly the same as if you had typed "telnet firewall".

Once the proxy's started up, it does a downcall into the IP layer
to see what address the client connection _thinks_ it sent the
packets to. The proxy then automatically connects to that address
and port pair. This is usually done by adding a new system call
that pulls the value out of a socket; it's about an hour's work.

The only tricky part is a few protocols like FTP. In those
cases, the proxy needs to get the kernel to lie about the
IP source address of the callback connections, or they will
look to the client like they came from a different machine.
That's usually done by adding another new system call that
lets you stamp an arbitrary source IP address onto a socket.

mjr.
--
Marcus J. Ranum, CEO, Network Flight Recorder, Inc.
work - http://www.nfr.net
home - http://www.clark.net/pub/mjr
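As an added example (not Ranum's code, nor any project's), here is a minimal TCP relay in Python that performs the two user-space steps described above on Linux: netfilter's SO_ORIGINAL_DST socket option stands in for the "new system call" that reads the address the client thought it connected to, and an iptables REDIRECT rule stands in for the ip_input.c change that steers routed traffic into the local listener. It assumes a listener port of 3128 (your choice), a constructed sample address 192.0.2.10 for the self-check, and it does not implement the FTP callback/source-address case.

```python
import socket
import struct
import threading

# Linux netfilter's way to ask the kernel where the client thought it was
# connecting; the stand-in here for the extra system call the post describes.
SO_ORIGINAL_DST = 80

def sockaddr_in(ip, port):
    """Pack a struct sockaddr_in (used only to build constructed test input)."""
    return struct.pack("=H", socket.AF_INET) + struct.pack("!H", port) + \
        socket.inet_aton(ip) + bytes(8)

def parse_sockaddr_in(raw):
    """Decode the struct sockaddr_in the kernel hands back."""
    if len(raw) < 8 or struct.unpack("=H", raw[:2])[0] != socket.AF_INET:
        raise ValueError("not an AF_INET sockaddr")     # sa_family: host order
    port = struct.unpack("!H", raw[2:4])[0]             # sin_port: network order
    return socket.inet_ntoa(raw[4:8]), port             # sin_addr, then padding

def original_destination(conn):
    """The 'downcall into the IP layer': where the client meant to go."""
    return parse_sockaddr_in(conn.getsockopt(socket.SOL_IP, SO_ORIGINAL_DST, 16))

def pump(src, dst):
    try:
        while chunk := src.recv(65536):   # copy one direction until EOF
            dst.sendall(chunk)
        dst.shutdown(socket.SHUT_WR)      # then half-close the far side
    except OSError:
        pass

def handle(client):
    ip, port = original_destination(client)
    # Nothing rewrote the destination (client really did "telnet firewall"):
    # refuse rather than connect back into our own listener.
    if (ip, port) == client.getsockname()[:2]:
        client.close()
        return
    with client, socket.create_connection((ip, port)) as upstream:
        threading.Thread(target=pump, args=(client, upstream), daemon=True).start()
        pump(upstream, client)   # a real proxy applies its policy/logging here

def serve(bind=("0.0.0.0", 3128)):
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as ls:
        ls.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        ls.bind(bind)
        ls.listen()
        while True:
            client, _ = ls.accept()
            threading.Thread(target=handle, args=(client,), daemon=True).start()
```

Run serve() on the gateway after a rule such as `iptables -t nat -A PREROUTING -p tcp --dport 23 -j REDIRECT --to-ports 3128` has been applied; the self-check on parse_sockaddr_in needs no privileges.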


