Linux Networking/IP Transparent Proxy

IP Transparent Proxy

IP transparent proxy is a feature that lets you redirect connections destined for a service on another machine to the same service on this machine. Typically this is useful where a Linux machine acts as a router and also runs a proxy server: you redirect all connections that remote hosts make to that service to the local proxy server instead.

Kernel Compile Options:


            Code maturity level options  --->
                    [*] Prompt for development and/or incomplete code/drivers
            Networking options  --->
                    [*] Network firewalls
                    ....
                    [*] TCP/IP networking
                    ....
                    [*] IP: firewalling
                    ....
                    [*] IP: transparent proxy support (EXPERIMENTAL)


Configuration of the transparent proxy feature is performed using the ipfwadm command.

An example that might be useful is as follows:

            root# ipfwadm -I -a accept -D 0/0 telnet -r 2323

This example will cause any connection attempt to the telnet port (23) on any host to be redirected to port 2323 on this host. If you run a service on that port, you could forward the telnet connections, log them, or do whatever fits your needs.

A more interesting example is redirecting all http traffic through a local cache. However, the protocol used by proxy servers is different from native http: a client that connects directly to www.server.com:80 asks for /path/page, whereas a client that connects to the local cache contacts proxy.local.domain:8080 and asks for www.server.com/path/page.

To filter an http request through the local proxy, you need to adapt the protocol by inserting a small server called transproxy (you can find it on the world wide web). You can choose to run transproxy on port 8081 and issue this command:

            root# ipfwadm -I -a accept -D 0/0 80 -r 8081

The transproxy program will then receive all connections meant for external servers and pass them to the local proxy after fixing the protocol differences.
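To make the protocol difference concrete, here is an added example (not the page's or transproxy's own code) that rewrites a native http request, as a browser sends it to www.server.com:80, into the absolute-URI form the local cache expects. It assumes the caller supplies the original destination address and port (a real redirector reads them from the redirected socket); the request text below is constructed for the demonstration.

```python
# Added example: the request-line rewrite a transproxy-style adapter performs
# between a redirected client connection and the local http cache.

def rewrite_request(raw: bytes, orig_host: str, orig_port: int = 80) -> bytes:
    """Return `raw` with its request line rewritten into proxy form.

    raw       -- request bytes read from the redirected connection
    orig_host -- address the client originally connected to (assumed to be
                 supplied by the caller; a redirector takes it from the socket)
    orig_port -- original destination port
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ", 2)
    if len(parts) != 3:
        raise ValueError("malformed request line")
    method, target, version = parts
    if target.startswith(b"http://"):
        return raw  # already proxy-form: nothing to adapt
    # Prefer the Host header (needed for name-based virtual hosting); fall
    # back to the original TCP destination for Host-less HTTP/1.0 clients.
    # Host is client-supplied, so the cache's own access controls still apply.
    host = None
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"host":
            host = value.strip().decode("ascii")
            break
    if host is None:
        host = orig_host if orig_port == 80 else f"{orig_host}:{orig_port}"
    lines[0] = b" ".join([method, b"http://" + host.encode("ascii") + target, version])
    return b"\r\n".join(lines) + sep + body


# Constructed sample: what a browser sends after being redirected to port 8081.
SAMPLE_REQUEST = (b"GET /path/page HTTP/1.1\r\n"
                  b"Host: www.server.com\r\n"
                  b"User-Agent: example\r\n\r\n")

if __name__ == "__main__":
    # 192.0.2.10 is a placeholder for the original destination address.
    print(rewrite_request(SAMPLE_REQUEST, "192.0.2.10", 80).decode())
```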

Last modified on 3 January 2010, at 03:39