[Gllug] how to check for a transparent proxy

itsbruce at uklinux.net itsbruce at uklinux.net
Tue Dec 3 18:28:16 UTC 2002


On Tue, Dec 03, 2002 at 05:02:13PM +0000, Bernard Peek wrote:
> In message <20021203100528.GC18219 at phaistos.bruce>, Bruce Richardson 
> <itsbruce at uklinux.net> writes
> 
> 
> I would have thought that this was counter-productive. The intention is 
> to get all of the web-servers to send their traffic to the proxy-server 
> so that it could be cached. Giving a different machine's IP address 
> would direct traffic away from the proxy.
> 
> Or am I missing something?

You are.  For a transparent proxy to work in the first place, the http
packets being sent out to the web have to be redirected to the local
proxy.  This is usually done by having the proxy software installed on a
gateway box, so that all outbound traffic goes through it anyway.

Normally, the proxy then makes a standard connection to the web server
(if the data isn't already cached), receives a reply and passes that
back to the client, the source header being rewritten to match that of
the remote server.

Now, what has been suggested is an extra rewrite on the way out of the
gateway box, so that the ip packets sent from the proxy application on
the gateway box to the remote webserver have the source header rewritten
to contain the ip address of the original client machine.  The
connection would have to be monitored so that any response from the
remote server would then have to be redirected to the proxy.  This would
render the proxy completely invisible, neither client nor remote server
aware of it.

This is theoretically feasible - iptables is a stateful ip filtering
system - but Squid (if you were going to use it) would have to be
rewritten.  This is why:

1.  Local client A starts http connection to www.linux.co.uk
2.  Local client B starts http connection to www.linux.co.uk
3.  Gateway box redirects those connections to Squid.
4.  Squid starts a connection to www.linux.co.uk

Now, how does iptables know which ip address, that of client A or client
B, to use when rewriting the source address?  Answer: it doesn't.  You
need closer integration between the proxy and the ip filtering layer.
This is possible - the 2.4 kernel allows for user-space ip filtering
software.

-- 
Bruce

-- 
Gllug mailing list  -  Gllug at linux.co.uk
http://list.ftech.net/mailman/listinfo/gllug
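The ambiguity Bruce describes in steps 1 to 4 can be made concrete with a small model of the gateway's bookkeeping. This is an added example, not code from the post or from Squid/iptables; the names `Gateway`, `Flow`, `redirect`, `choose_source` and `PROXY_PORT` are assumptions made here, and the client addresses are constructed sample traffic.

```python
"""Added model of the NAT decision the reply describes; not code from the post.
Names (Gateway, Flow, redirect, choose_source, PROXY_PORT) are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

PROXY_PORT = 3128  # assumed listening port of the transparent proxy

@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int

@dataclass
class Gateway:
    # Client connections the redirect has diverted to the local proxy,
    # keyed by the web server they were originally addressed to.
    redirected: Dict[str, List[Flow]] = field(default_factory=dict)

    def redirect(self, flow: Flow) -> Flow:
        """Steps 1-3 of the post: divert the client's HTTP flow to the proxy."""
        self.redirected.setdefault(flow.dst, []).append(flow)
        return Flow(flow.src, flow.sport, "127.0.0.1", PROXY_PORT)

    def choose_source(self, upstream: Flow, hint: Optional[str] = None) -> Optional[str]:
        """Step 4: the proxy opens its own upstream connection. To rewrite its
        source to the originating client, the filter must identify exactly one
        client behind it. Matching on destination alone is ambiguous as soon
        as two clients fetch the same server; only a hint from the proxy
        (the 'closer integration' the post calls for) resolves it."""
        candidates = {f.src for f in self.redirected.get(upstream.dst, [])}
        if hint is not None and hint in candidates:
            return hint
        if len(candidates) == 1:
            return candidates.pop()
        return None  # unknown or ambiguous: no source address can be chosen

def walkthrough() -> Tuple[Optional[str], Optional[str], Optional[str]]:
    """Constructed sample traffic following the post's four numbered steps."""
    gw = Gateway()
    gw.redirect(Flow("192.168.0.10", 40001, "www.linux.co.uk", 80))  # client A
    upstream = Flow("gateway", 50001, "www.linux.co.uk", 80)
    one_client = gw.choose_source(upstream)          # unambiguous
    gw.redirect(Flow("192.168.0.11", 40002, "www.linux.co.uk", 80))  # client B
    two_clients = gw.choose_source(upstream)         # ambiguous: None
    with_hint = gw.choose_source(upstream, hint="192.168.0.11")
    return one_client, two_clients, with_hint
```

With one client the filter can pick a source address; once client B also fetches www.linux.co.uk it cannot, and only information passed from the proxy itself settles which client the upstream connection serves.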
