* Re: TProxy, 2.4 Kernel and NetFilter
From: KOVACS Krisztian @ 2004-02-11 19:58 UTC
To: Jambunathan Kalyanasundaram; +Cc: Henrik Nordstrom, netfilter-devel, netdev
Hi,
On Wed, Feb 11, 2004 at 08:49:33AM +0100, Henrik Nordstrom wrote:
> > 2) But if I am not really interested in the overheads
> > imposed by the NetFilter, the only option is to patch
> > the Linux kernel with Balazs Scheidler's patch.
>
> Not sure this has less overhead.
I'm sure it hasn't. TProxy was never intended to be a "faster redirect",
or something like that. If you do not care about almost full transparent
proxying, you don't need TProxy at all.
The TProxy patch can be used to make the proxy transparent from both
sides: the client sends the packets to the server's IP, and the server
sees packets coming from the client's IP. However, this needs user-space
support in the proxy itself. And Gianni Tedesco's latest TProxy support
patch for Squid is known to be broken...
> > If I don't like something as heavyweight as Netfilter
> > and something that is as "non standard" as patching
> > the kernel, are there any ways out ?
>
> Yes, by configuring the client to use the proxy.
Completely true. This is _the_ way to go if you can set all clients to
use the proxy.
> If it is a normal Internet proxy environment where the number of clients
> is limited, and the proxy supports per-user selection of the outgoing
> address (Squid does) then it is possible with the help of NAT.
>
> 1. Set up as many IP aliases on the proxy server as you have clients. Use
> one of the unassigned networks.
>
> 2. Configure the proxy to use one IP alias per client IP address.
>
> 3. Configure iptables NAT rules in OUTPUT to NAT these IP aliases back to
> the client IP address.
Hmm... What a solution! :)
> If it is a reverse proxy or other environment where the client addresses
> are not limited then this obviously cannot be done and you must use the
> tproxy patch.
As I wrote, the patch for Squid would need some fixes before actually
using it... Unfortunately I don't know enough about Squid to be able to
make those fixes.
--
KOVACS Krisztian
* TProxy, 2.4 Kernel and NetFilter
From: Jambunathan Kalyanasundaram @ 2004-02-09 7:56 UTC
To: netfilter-devel; +Cc: netdev
(Sorry for posting in two mailing lists at the same time.)
I would like to implement a transparent HTTP proxy and
I have scoured through your archives for the related
threads. Can someone confirm that my following
understanding is still valid as of today, considering
the latest Linux kernel and Netfilter source tree?
1) For packet interception from browser side, the
standard way is to use REDIRECT target of Netfilter.
2) But if I am not really interested in the overheads
imposed by the NetFilter, the only option is to patch
the Linux kernel with Balazs Scheidler's patch.
If I don't like something as heavyweight as Netfilter
and something that is as "non standard" as patching
the kernel, are there any ways out ?
Also, are there any existing NetFilter modules that
work on a standard, unpatched kernel that allow the proxy
to talk to the web server as though it's the web
browser (source address spoofing)?
Regards,
Jambunathan K.
* Re: TProxy, 2.4 Kernel and NetFilter
From: Henrik Nordstrom @ 2004-02-11 7:49 UTC
To: Jambunathan Kalyanasundaram; +Cc: netfilter-devel, netdev
On Mon, 9 Feb 2004, Jambunathan Kalyanasundaram wrote:
> 2) But if I am not really interested in the overheads
> imposed by the NetFilter, the only option is to patch
> the Linux kernel with Balazs Scheidler's patch.
Not sure this has less overhead.
> If I don't like something as heavyweight as Netfilter
> and something that is as "non standard" as patching
> the kernel, are there any ways out ?
Yes, by configuring the client to use the proxy.
> Also, are there any existing NetFilter modules that
> work on a standard, unpatched kernel that allow the proxy
> to talk to the web server as though it's the web
> browser (source address spoofing)?
Depends on your environment and the proxy.
First requirement is that the proxy is running inline on a gateway in the
data path between the webserver and the client. If this is not the case
then forget about it.
If it is a normal Internet proxy environment where the number of clients
is limited, and the proxy supports per-user selection of the outgoing
address (Squid does) then it is possible with the help of NAT.
1. Set up as many IP aliases on the proxy server as you have clients. Use
one of the unassigned networks.
2. Configure the proxy to use one IP alias per client IP address.
3. Configure iptables NAT rules in OUTPUT to NAT these IP aliases back to
the client IP address.
If it is a reverse proxy or other environment where the client addresses
are not limited then this obviously cannot be done and you must use the
tproxy patch.
Regards
Henrik
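The three steps Henrik lists above (the same procedure KOVACS Krisztian quotes back in his reply), rendered as an added example that is not code from the thread, from Squid or from netfilter: a small POSIX shell script that prints the alias, squid.conf and iptables lines for a constructed client-to-alias mapping so they can be reviewed before being applied on the gateway. The interface name eth1, the 10.250.0.0/24 stand-in for the "unassigned network", the 192.168.1.x client addresses and the c_* ACL names are all assumptions. The one deliberate difference from the steps as written is that the SNAT rule goes in the nat table's POSTROUTING chain rather than OUTPUT, because iptables only accepts the SNAT target there; locally generated packets still pass through it and get their source rewritten.

```shell
#!/bin/sh
# Added example, not code from the thread. Renders the three steps of the
# alias-per-client NAT scheme as shell and squid.conf lines so they can be
# reviewed before being applied. All addresses are constructed:
#   10.250.0.0/24  - stand-in for the "unassigned network" used for aliases
#   192.168.1.x    - stand-in client addresses
#   eth1           - assumed upstream (web-server-facing) interface

UPSTREAM_IF=eth1

# One "client alias" pair per line (constructed sample mapping).
CLIENT_MAP='192.168.1.10 10.250.0.10
192.168.1.11 10.250.0.11'

# Step 1: give the proxy host the alias address. A /32 on lo is enough;
# it only needs to be a local address the proxy can bind to.
alias_cmd() {            # $1 = client IP, $2 = alias IP
    printf 'ip addr add %s/32 dev lo\n' "$2"
}

# Step 2: squid.conf lines binding that client's outgoing connections to
# its alias (tcp_outgoing_address takes an address followed by ACL names).
squid_lines() {          # $1 = client IP, $2 = alias IP
    name="c_$(printf '%s' "$1" | tr . _)"
    printf 'acl %s src %s\n' "$name" "$1"
    printf 'tcp_outgoing_address %s %s\n' "$2" "$name"
}

# Step 3: rewrite the alias back to the client IP on the way out.
# iptables only accepts SNAT in the nat table's POSTROUTING chain, which
# locally generated (OUTPUT) packets also traverse. Conntrack reverses the
# mapping on the server's reply, so the reply reaches the proxy socket
# bound to the alias instead of being forwarded to the real client.
snat_cmd() {             # $1 = client IP, $2 = alias IP
    printf 'iptables -t nat -A POSTROUTING -o %s -s %s -j SNAT --to-source %s\n' \
        "$UPSTREAM_IF" "$2" "$1"
}

# Walk the mapping and print every generated line, client by client.
render_all() {
    printf '%s\n' "$CLIENT_MAP" | while read -r client alias; do
        [ -n "$client" ] || continue
        alias_cmd "$client" "$alias"
        squid_lines "$client" "$alias"
        snat_cmd "$client" "$alias"
    done
}

render_all
```

The script only prints; nothing is applied until the lines are pasted into the gateway's shell and squid.conf. It is worth restating Henrik's precondition when reviewing the output: the reverse mapping only works because the web server's reply, addressed to the client IP, comes back through this same host, where conntrack matches it to the SNAT entry and delivers it to the alias. If the proxy is not inline on that path the reply bypasses it and the connection never completes.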