Firewall Wizards mailing list archives
Re: Transparent proxy
From: "Marcus J. Ranum" <mjr () nfr net>
Date: Tue, 22 Jun 1999 14:18:27 -0400
> Do you know how a transparent proxy is implemented? How does it work?
Usually it's done by whacking the bottom of ip_input.c (on *BSD). You modify the lines that check to see if a packet is destined for the host, and make them accept _all_ traffic as if it's destined to the host. That means that any packets routing through the host will "wake up" a proxy. So "telnet mit.edu" will actually get caught exactly the same as if you had typed "telnet firewall".

Once the proxy's started up, it does a downcall into the IP layer to see what address the client connection _thinks_ it sent the packets to. The proxy then automatically connects to that address and port pair. This is usually done by adding a new system call that pulls the value out of a socket; it's about an hour's work.

The only tricky part is a few protocols like FTP. In those cases, the proxy needs to get the kernel to lie about the IP source address of the callback connections, or they will look to the client like they came from a different machine. That's usually done by adding another new system call that lets you stamp an arbitrary source IP address onto a socket.

mjr.
--
Marcus J. Ranum, CEO, Network Flight Recorder, Inc.
work - http://www.nfr.net
home - http://www.clark.net/pub/mjr
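The three pieces Ranum describes (make the kernel swallow transit packets, ask the kernel where the client thought it was connecting, and stamp a foreign source address onto the callback socket) map onto stock Linux facilities today, so here is the userland half as an added example; it is not code from the original post or from NFR. The ip_input.c hack is replaced by a netfilter rule such as `iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 3128`; the "new system call that pulls the value out of a socket" is the SO_ORIGINAL_DST getsockopt; the "stamp an arbitrary source IP" call is IP_TRANSPARENT plus bind(). The listening port 3128 and the 192.0.2.0/24 addresses are assumptions for illustration.

```c
/* Added example: minimal transparent TCP proxy for Linux (not from the original post).
 * Assumes a netfilter REDIRECT rule delivers intercepted connections to port 3128. */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/select.h>
#include <sys/socket.h>
#include <unistd.h>

#ifndef SO_ORIGINAL_DST
#define SO_ORIGINAL_DST 80   /* value from <linux/netfilter_ipv4.h> */
#endif
#ifndef IP_TRANSPARENT
#define IP_TRANSPARENT 19    /* value from glibc's <netinet/in.h> */
#endif

/* "Downcall into the IP layer": recover the pre-REDIRECT destination the
 * client actually dialled. Returns 0 on success, -1 (errno set) otherwise. */
int get_original_dst(int fd, struct sockaddr_in *dst) {
    socklen_t len = sizeof *dst;
    memset(dst, 0, sizeof *dst);
    return getsockopt(fd, IPPROTO_IP, SO_ORIGINAL_DST, dst, &len);
}

/* Render "a.b.c.d:port" for logs; 0 on success, -1 if it does not fit. */
int format_addr(const struct sockaddr_in *sa, char *buf, size_t buflen) {
    char ip[INET_ADDRSTRLEN];
    if (!inet_ntop(AF_INET, &sa->sin_addr, ip, sizeof ip)) return -1;
    int n = snprintf(buf, buflen, "%s:%u", ip, ntohs(sa->sin_port));
    return (n > 0 && (size_t)n < buflen) ? 0 : -1;
}

/* Connect to dst; if src is given, "lie about the source address" (the FTP
 * callback case). IP_TRANSPARENT lets bind() take a non-local address and
 * requires CAP_NET_ADMIN. Returns the connected fd or -1. */
int connect_as(const struct sockaddr_in *dst, const struct sockaddr_in *src) {
    int fd = socket(AF_INET, SOCK_STREAM, 0), one = 1;
    if (fd < 0) return -1;
    if (src && (setsockopt(fd, IPPROTO_IP, IP_TRANSPARENT, &one, sizeof one) < 0 ||
                bind(fd, (const struct sockaddr *)src, sizeof *src) < 0)) {
        close(fd); return -1;
    }
    if (connect(fd, (const struct sockaddr *)dst, sizeof *dst) < 0) { close(fd); return -1; }
    return fd;
}

/* Shovel bytes both ways, propagating each side's EOF as a half-close to the
 * other, until both directions are drained. Returns bytes relayed or -1. */
long relay(int a, int b) {
    char buf[4096];
    int alive[2] = {1, 1}, from[2] = {a, b}, to[2] = {b, a};
    long total = 0;
    while (alive[0] || alive[1]) {
        fd_set rfds; FD_ZERO(&rfds);
        for (int i = 0; i < 2; i++) if (alive[i]) FD_SET(from[i], &rfds);
        if (select((a > b ? a : b) + 1, &rfds, NULL, NULL, NULL) < 0) {
            if (errno == EINTR) continue;
            return -1;
        }
        for (int i = 0; i < 2; i++) {
            if (!alive[i] || !FD_ISSET(from[i], &rfds)) continue;
            ssize_t n = read(from[i], buf, sizeof buf);
            if (n <= 0) { alive[i] = 0; shutdown(to[i], SHUT_WR); continue; }
            for (ssize_t off = 0; off < n; ) {
                ssize_t w = write(to[i], buf + off, n - off);
                if (w <= 0) return -1;
                off += w;
            }
            total += n;
        }
    }
    return total;
}

int main(void) {
    int ls = socket(AF_INET, SOCK_STREAM, 0), one = 1;
    struct sockaddr_in me = { .sin_family = AF_INET, .sin_port = htons(3128) };
    me.sin_addr.s_addr = htonl(INADDR_ANY);
    setsockopt(ls, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);
    if (bind(ls, (struct sockaddr *)&me, sizeof me) < 0 || listen(ls, 16) < 0) {
        perror("listen"); return 1;
    }
    for (;;) {
        struct sockaddr_in dst; char where[64];
        int c = accept(ls, NULL, NULL);
        if (c < 0) continue;
        /* The client typed "telnet mit.edu"; REDIRECT woke us up instead. */
        if (get_original_dst(c, &dst) < 0 || format_addr(&dst, where, sizeof where) < 0) {
            close(c); continue;
        }
        fprintf(stderr, "intercepted connection for %s\n", where);
        int s = connect_as(&dst, NULL);   /* forward path: no source spoofing needed */
        if (s >= 0) relay(c, s);
        close(c); if (s >= 0) close(s);
    }
}
```

Two practitioner notes. SO_ORIGINAL_DST only works on a socket that arrived via the NAT REDIRECT/DNAT path; on a directly addressed connection it just returns the local address, so a proxy should compare the two and refuse to forward to itself. And an FTP-aware version would parse the PORT command, accept the server's callback on the proxy, then call connect_as() toward the client with the real server's address as src so the data connection "looks like" it came from the server, exactly the lie Ranum describes.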
Current thread:
- Transparent proxy Marcelo Barbosa Lima (Jun 22)
- Re: Transparent proxy Marcus J. Ranum (Jun 22)