TPROXY

This page is dedicated to our efforts to create a transparent proxy solution that is portable across several operating systems.

What does the term ‘proxy’ mean?

A proxy is a server-like program, receiving requests from clients, forwarding those requests to the real server on behalf of the user, and returning the response as it arrives.

Proxies read and parse the application protocol and reject invalid traffic. Using proxies on a firewall to mediate requests therefore provides a higher level of security than a packet filtering firewall does.

Simple, non-transparent proxying is somewhat difficult to manage and administer since each client program must be set up to use proxies.

What is transparent proxying?

To simplify the management of clients sitting behind proxy firewalls, the technique of ‘transparent proxying’ was invented. Transparent proxying means that the presence of the proxy is invisible to the user. Transparent proxying, however, requires kernel support.

What are all the packet filter packages lacking?

Real transparent proxying requires the following three features from the IP stack of the computer it is running on:

  1. Redirect sessions destined to the outer network to a local process using a packet filter rule.
  2. Make it possible for a process to listen to connections on a foreign address.
  3. Make it possible for a process to initiate a connection with a foreign address as a source.

Item #1 is usually provided by packet filtering packages like Netfilter/IPTables and IPFilter.

All three were provided in Linux kernels 2.2.x, but support for this was removed.

Mailing list

A mailing list has been created for TPROXY related discussions. You can find it at https://lists.balabit.hu/mailman/listinfo/tproxy.
