TPROXY

This page is dedicated to our efforts to create a transparent proxy solution that is portable across several operating systems.

What does the term 'proxy' mean?

A proxy is a server-like program, receiving requests from clients, forwarding those requests to the real server on behalf of the user, and returning the response as it arrives.

Proxies read and parse the application protocol, and reject invalid traffic. Using proxies on a firewall to mediate requests therefore gives a higher level of security than a packet filtering firewall alone.

Simple, non-transparent proxying is somewhat difficult to manage and administer, since each client program must be set up to use the proxy.

What is transparent proxying?

To simplify the management of clients sitting behind proxy firewalls, the technique of 'transparent proxying' was invented. Transparent proxying means that the presence of the proxy is invisible to the user. Transparent proxying, however, requires kernel support.

What are all the packet filter packages lacking?

Real transparent proxying requires the following three features from the IP stack of the computer it runs on:

  1. Redirect sessions destined to the outer network to a local process using a packet filter rule.
  2. Make it possible for a process to listen to connections on a foreign address.
  3. Make it possible for a process to initiate a connection with a foreign address as a source.

Item #1 is usually provided by packet filtering packages like Netfilter/IPTables and IPFilter.

All three were provided by Linux 2.2.x kernels, but this support was later removed.
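The skeleton below is an added example, not code from the TPROXY project or this page. It shows how a user-space proxy consumes the three kernel features listed above on a modern Linux kernel, where they are provided by the netfilter TPROXY target (item 1) and the IP_TRANSPARENT socket option (items 2 and 3) rather than by the 2.2.x-era patches this page describes. The listen port 3128, the redirected port 80, the routing table number 100 and the firewall mark 0x1 are constructed values, and the process is assumed to run with CAP_NET_ADMIN, which setting IP_TRANSPARENT requires.

```python
"""Minimal transparent TCP proxy skeleton for Linux TPROXY (constructed example).

Assumed environment (not taken from the TPROXY page):
  * a kernel with the netfilter TPROXY target and the IP_TRANSPARENT socket option,
  * mangle-table rules that steer redirected port-80 traffic to local port 3128,
    delivered to local sockets via a policy-routing table, e.g.:
        iptables -t mangle -A PREROUTING -p tcp --dport 80 \
            -j TPROXY --on-port 3128 --tproxy-mark 0x1/0x1
        ip rule add fwmark 0x1 lookup 100
        ip route add local 0.0.0.0/0 dev lo table 100
  * CAP_NET_ADMIN for this process (required to set IP_TRANSPARENT).
"""
import selectors
import socket

# Linux value of IP_TRANSPARENT from <linux/in.h>; older Python builds lack the constant.
IP_TRANSPARENT = getattr(socket, "IP_TRANSPARENT", 19)


def transparent_socket() -> socket.socket:
    """Items 2 and 3: a socket permitted to bind to an address that is not local."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_IP, IP_TRANSPARENT, 1)
    return s


def original_destination(conn: socket.socket) -> tuple:
    """Item 2 in practice: on a TPROXY-redirected connection the accepted socket's
    *local* address is the destination the client intended, not the proxy's own."""
    host, port = conn.getsockname()[:2]
    return (host, port)


def connect_as_client(client_addr, dest_addr, timeout: float = 10.0) -> socket.socket:
    """Item 3: open the upstream leg using the client's own IP as source address.
    An ephemeral port is used so the proxy never collides with the client's port."""
    up = transparent_socket()
    up.settimeout(timeout)
    up.bind((client_addr[0], 0))
    up.connect(dest_addr)
    return up


def relay(a: socket.socket, b: socket.socket, bufsize: int = 65536) -> tuple:
    """Copy bytes both ways until both directions reach EOF.
    Returns (bytes copied a->b, bytes copied b->a). Half-closes are propagated,
    which is what a protocol-aware proxy needs to mirror the real server's view."""
    sel = selectors.DefaultSelector()
    sel.register(a, selectors.EVENT_READ, b)
    sel.register(b, selectors.EVENT_READ, a)
    counts = {a: 0, b: 0}
    open_directions = 2
    while open_directions:
        for key, _ in sel.select():
            src, dst = key.fileobj, key.data
            data = src.recv(bufsize)
            if not data:                      # EOF from src: stop reading it and
                sel.unregister(src)           # tell the other side we are done writing
                try:
                    dst.shutdown(socket.SHUT_WR)
                except OSError:
                    pass                      # peer already fully closed
                open_directions -= 1
                continue
            dst.sendall(data)
            counts[src] += len(data)
    sel.close()
    return (counts[a], counts[b])


def serve(listen_port: int = 3128) -> None:
    """Accept redirected connections and relay each to its original destination.
    Protocol parsing and rejection of invalid traffic would sit between accept()
    and relay(); this skeleton only demonstrates the three kernel-side features."""
    ls = transparent_socket()
    ls.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    ls.bind(("0.0.0.0", listen_port))         # address is irrelevant: TPROXY delivers here
    ls.listen(128)
    while True:
        conn, client = ls.accept()
        dest = original_destination(conn)
        try:
            upstream = connect_as_client(client, dest)
        except OSError:
            conn.close()                      # upstream unreachable: drop the client leg
            continue
        try:
            relay(conn, upstream)
        finally:
            conn.close()
            upstream.close()


if __name__ == "__main__":
    serve()
```

The relay is deliberately sequential, one connection at a time, to keep the kernel interaction visible; a real proxy would hand each accepted connection to its own thread or coroutine, and would apply application-protocol checks before opening the upstream leg, since that is where the security benefit over plain packet filtering comes from.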

Documentation

For a more detailed introduction to TPROXY and its features, please read the README file.

Download

You can download our patches released under the terms of the GNU GPL by following this link.

Mailing list

A mailing list has been created for TPROXY related discussions. You can find it at https://lists.balabit.hu/mailman/listinfo/tproxy.