Hongsheng Zhu <[EMAIL PROTECTED]> wrote:
>
> I've configured my Linux box to support IP masquerade, now I'd like to
> have it support transparency proxying, does anybody know how to do
> this ?
You mean, beyond compiling with that kernel option enabled?
Well, transparent proxying is something I've never delved into, but it
doesn't seem to be all that difficult, on the surface. What is it
exactly you want to do?
As near as I can tell, you enable transparent proxying in the kernel,
then you have the ability to use the "-r" option to ipfwadm:
-r [port]
Redirect packets to a local socket. When this
option is set, packets accepted by this rule will
be redirected to a local socket, even if they were
sent to a remote host. If the specified redirection
port is 0, which is the default value, the
destination port of a packet will be used as the
redirection port. This option is only valid in
input firewall rules with policy accept and can
only be used when the Linux kernel is compiled with
CONFIG_IP_TRANSPARENT_PROXY defined.
So, for instance, you could try redirecting all SMTP traffic out of your
network, and make it talk to your firewall's sendmail daemon, instead,
with a rule like this:
ipfwadm -F -i accept -S 192.168.1.0/24 -D 0/0 25 -r
So, whenever a machine behind the firewall tries to connect to some
external SMTP daemon (for whatever reason), it will instead end up
talking to whatever is listening on port 25 on the firewall machine,
which is probably your local sendmail daemon.
You could probably use this to redirect web traffic, as well, but you
might have to write a simple program to make it happen. There's
probably not a lot of people playing with this. But, if you did write
such a program, it could make use of getsockname() and getpeername()
system calls to find out where the connection came from, and where it
was intended to connect to, and react accordingly.
--
[EMAIL PROTECTED] (Fuzzy Fox) || "Nothing takes the taste out of peanut
sometimes known as David DeSimone || butter quite like unrequited love."
http://www.dallas.net/~fox/ || -- Charlie Brown
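As an added illustration (not code from the original post), here is the skeleton of the "simple program" described above: after accept(), getpeername() tells the proxy where the connection came from and getsockname() where the client meant to connect, which under an ipfwadm -r redirect on a CONFIG_IP_TRANSPARENT_PROXY kernel is the client's original destination rather than the proxy's own address. The loopback_demo() function is a constructed self-test on an ordinary kernel with no redirect rule, so there the reported destination is just the listener's own address; the names are mine, not from any documented API.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

struct conn_info {
    char peer_ip[INET_ADDRSTRLEN];   /* where the connection came from */
    unsigned short peer_port;
    char dest_ip[INET_ADDRSTRLEN];   /* where it was intended to connect to */
    unsigned short dest_port;
};

/* Describe an accepted socket: peer = client, local = the destination the
 * kernel presents (the original one under a -r redirect). 0 on success. */
int describe_connection(int fd, struct conn_info *ci) {
    struct sockaddr_in peer, local;
    socklen_t plen = sizeof peer, llen = sizeof local;
    if (getpeername(fd, (struct sockaddr *)&peer, &plen) < 0) return -1;
    if (getsockname(fd, (struct sockaddr *)&local, &llen) < 0) return -1;
    if (peer.sin_family != AF_INET || local.sin_family != AF_INET) return -1;
    inet_ntop(AF_INET, &peer.sin_addr, ci->peer_ip, sizeof ci->peer_ip);
    inet_ntop(AF_INET, &local.sin_addr, ci->dest_ip, sizeof ci->dest_ip);
    ci->peer_port = ntohs(peer.sin_port);
    ci->dest_port = ntohs(local.sin_port);
    return 0;
}

/* Constructed self-test (hypothetical helper): listen on a kernel-chosen
 * loopback port, connect, accept, describe. 0 on success, port in *listen_port. */
int loopback_demo(struct conn_info *ci, unsigned short *listen_port) {
    struct sockaddr_in a;
    socklen_t alen = sizeof a;
    int ls = socket(AF_INET, SOCK_STREAM, 0), cs, afd, rc = -1;
    if (ls < 0) return -1;
    memset(&a, 0, sizeof a);
    a.sin_family = AF_INET;
    a.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    a.sin_port = 0;                                /* let the kernel pick */
    if (bind(ls, (struct sockaddr *)&a, sizeof a) < 0 || listen(ls, 1) < 0 ||
        getsockname(ls, (struct sockaddr *)&a, &alen) < 0) { close(ls); return -1; }
    *listen_port = ntohs(a.sin_port);
    cs = socket(AF_INET, SOCK_STREAM, 0);
    if (cs >= 0 && connect(cs, (struct sockaddr *)&a, sizeof a) == 0) {
        afd = accept(ls, NULL, NULL);      /* handshake already completed */
        if (afd >= 0) { rc = describe_connection(afd, ci); close(afd); }
    }
    if (cs >= 0) close(cs);
    close(ls);
    return rc;
}
```

A real proxy would then open its own connection to ci->dest_ip:ci->dest_port (or to the local daemon it substitutes) and relay bytes between the two sockets.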