netfilter.vger.kernel.org archive mirror
* Transparent proxy requirement
@ 2014-12-21 10:47 U.Mutlu
  2015-01-05  9:26 ` Eliezer Croitoru
  0 siblings, 1 reply; 4+ messages in thread
From: U.Mutlu @ 2014-12-21 10:47 UTC
  To: netfilter

Hi everybody,

I've this scenario:
  internet <--> proxypgm <--> serverpgm

with these requirements:
  1) only ipv4 is used
  2) protocol is tcp
  3) proxypgm and serverpgm are on the same host (linux with recent kernel)
  4) serverpgm is reachable only thru the proxypgm
  5) serverpgm needs to know the originating ip:port of the client
  6) serverpgm cannot be modified (it does not know of TPROXY or 
IP_TRANSPARENT socket option etc.)
  7) proxypgm needs to be developed (in C/C++)

And now the question:
  Can TPROXY be used for this?

Are there other alternatives? What about doing this with raw sockets?

Thx



* Re: Transparent proxy requirement
  2014-12-21 10:47 Transparent proxy requirement U.Mutlu
@ 2015-01-05  9:26 ` Eliezer Croitoru
  2015-01-07 21:40   ` U.Mutlu
  0 siblings, 1 reply; 4+ messages in thread
From: Eliezer Croitoru @ 2015-01-05  9:26 UTC
  To: U.Mutlu, netfilter

Hey,

For the example:
A client from ip 192.168.0.1 tries to access "serverpgm" which is
using a TCP-based protocol... and has the IP 192.168.0.2.
Tproxy will not help you since the server needs to understand it and
since the proxypgm might be able to understand it.. still it cannot
pass the connection details to the serverpgm which talks plain TCP and
cannot be modified.

What do you need proxypgm to do? It depends on what you need to do...
Maybe there is some component in the linux kernel which can do what
you need.

Eliezer



* Re: Transparent proxy requirement
  2015-01-05  9:26 ` Eliezer Croitoru
@ 2015-01-07 21:40   ` U.Mutlu
  2015-01-10 17:37     ` Eliezer Croitoru
  0 siblings, 1 reply; 4+ messages in thread
From: U.Mutlu @ 2015-01-07 21:40 UTC
  To: netfilter

Eliezer Croitoru wrote, On 01/05/2015 10:26 AM:
> Hey,
>
> For the example:
> A client from ip 192.168.0.1 tries to access "serverpgm" which is
> using a TCP-based protocol... and has the IP 192.168.0.2.
> Tproxy will not help you since the server needs to understand it and
> since the proxypgm might be able to understand it.. still it cannot
> pass the connection details to the serverpgm which talks plain TCP and
> cannot be modified.

Why is it so?
I just want the same functionality every router device does:
it passes the originating ip, even thru NAT, to the serverpgm.

> What do you need proxypgm to do? it depends on what you need to do...
> Maybe there is some component in the linux kernel which can do what
> you need.

I wanted to write the said proxypgm that does a kind of gateway functionality:
it shall accept the connection, analyse the originating ip and the
protocol hdr data, and finally pass the data to the serverpgm;
i.e. play a transparent proxy between the internet client and the serverpgm.



* Re: Transparent proxy requirement
  2015-01-07 21:40   ` U.Mutlu
@ 2015-01-10 17:37     ` Eliezer Croitoru
  0 siblings, 0 replies; 4+ messages in thread
From: Eliezer Croitoru @ 2015-01-10 17:37 UTC
  To: netfilter; +Cc: U.Mutlu

Hey,

To understand what you are talking about you need to understand the 
specific case you are talking about.
Since the destination software doesn't know a thing about tproxy the 
only way that it can receive a packet would be either a full blown proxy 
between it and the internet.. which would in many cases be weird...
Or some other solutions.
If you will do what you seek using two different OS stacks (i.e. two 
servers), where one is the default GW for the other, you would be able to 
do so and there is a way to do it with haproxy if I remember right.

Your main issue/demand is that these two pieces of software will sit on 
the same machine.
In this specific case you cannot use tproxy since there are issues with 
that.
You can try.... And see the result yourself.
If something was changed in tproxy since the last time I have used and 
analyzed it.. it would be possible.

All The Bests,
Eliezer
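
An added example, not part of the thread and not written by either poster: requirement 5 means the proxy's connection to serverpgm has to carry the client's ip:port as its source, and the socket-level mechanism on Linux is the IP_TRANSPARENT option named in the question, which permits binding to a non-local address. The function name and the sample port are assumptions; the code covers the socket side only, not the routing and netfilter rules that must steer serverpgm's replies back to the proxy on a single host.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#ifndef IP_TRANSPARENT
#define IP_TRANSPARENT 19   /* Linux value, for libcs that omit it */
#endif

/* Hypothetical helper: create the proxy's upstream TCP socket with the
 * original client's ip:port as local address. Returns fd or -errno. */
int upstream_socket_as_client(const char *client_ip, uint16_t client_port)
{
    struct sockaddr_in src;
    memset(&src, 0, sizeof src);
    src.sin_family = AF_INET;
    src.sin_port = htons(client_port);
    if (inet_pton(AF_INET, client_ip, &src.sin_addr) != 1)
        return -EINVAL;             /* requirement 1: IPv4 only */

    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -errno;

    /* IP_TRANSPARENT needs CAP_NET_ADMIN (EPERM without it). Once set,
     * bind() accepts an address that is not configured on this host. */
    int one = 1, err = 0;
    if (setsockopt(fd, IPPROTO_IP, IP_TRANSPARENT, &one, sizeof one) < 0)
        err = errno;
    else if (bind(fd, (struct sockaddr *)&src, sizeof src) < 0)
        err = errno;
    if (err) {
        close(fd);
        return -err;
    }
    return fd;  /* caller connect()s this to serverpgm's listen address */
}

int main(void)
{
    /* Constructed sample: client IP from the thread, made-up port. */
    int fd = upstream_socket_as_client("192.168.0.1", 40000);
    printf("%s\n", fd < 0 ? strerror(-fd) : "bound to client address");
    if (fd >= 0)
        close(fd);
    return fd < 0;
}
```

Because the option requires CAP_NET_ADMIN, a proxy built this way should hold only that capability rather than run fully as root.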

