tags:

views:

1071

answers:

6
+5  Q: 

Transparent Proxy for IPv6 traffic under Linux

When maintaining networks, it is often an expedient thing to do to run a transparent proxy. By transparent proxy I mean a proxy that 'hijacks' outgoing connections and runs them through a local service. Specifically I run a linux firewall with squid configured so that all tcp/ip connections fowarded on port 80 are proxied by squid.

This is achived using the iptables 'nat' table, using IPv4.

But iptables for IPv6 does not have a 'nat' table, so I cannot use the same implementation. What is a technique I can use to transparently proxy traffic for IPv6 connections?

A: 

iptables has a QUEUE target, which you can use to deliver packets to userspace. I am not sure, but perhaps something could be implemented there.

Past that, you could take a stab at adding something to the kernel to do redirection.

Zoredache  2009-03-09 06:38:53
A: 

Another sort of ugly hack:

  • MARK all traffic with iptables (seems, there is CONNMARK target for IPv6)
  • route all marked traffic to tun device
  • do user-space NAT in the daemon listening at tun device
  • ...
darkk  2009-03-10 18:00:28
Is this actually possible? Any idea where I'd start with a tun implementation with ipv6 support?
Jerub  2009-03-10 23:00:50
IMHO, it SHOULD be possible. Linux tun/tap driver seems to support IPv6. Try tap driver (virtual ethernet) instead of tun if I'm wrong and IPv6 is not supported.I don't know what may be done with iptables `QUEUE`, but tun-based solution should work, though it may be unsuitable for highload.
darkk  2009-03-16 12:52:54
+2  A: 

You can't. Quoting from squid-cache.org:

NAT simply does not exist in IPv6. By Design.

Given that transparency/interception is actually a feature gained by secretly twisting NAT routes inside out and back on themselves. It's quite logical that a protocol without NAT cannot do transparency and interception that way.

innaM  2009-03-25 11:35:16
A: 

Write your own implementation of NAT in IPv6 stack:)

softly.lt  2009-03-25 12:04:23
that is just lol
divinci  2010-03-31 19:41:13
+2  A: 

Here's an implementation:

http://www.suse.de/~krahmer/ip6nat/

dwcarder  2009-06-24 21:06:34
+2  A: 

A viable way to do this is with the TPROXY rule in iptables, documentation is available here:

This should be supported in the as-yet unreleased Squid-3.2. Using --enable-linux-netfilter and the iptables -t mangle -j TPROXY rule.

Jerub  2010-09-09 04:10:05

related questions

grep a file, but show several surrounding lines?
VMWare Server Under Linux Secondary NIC connection
Should I move from C++ to Python? ... Or another language?
Globus Toolkit virtual machine
How to avoid redefining VERSION, PACKAGE, etc.
How do I setup Public-Key Authentication?
showing a message box from a bash script in linux
Best Linux Distro for Computer Repair
Mapping my custom keys in Debian
Any IcedTea war stories?
How do you find the age of a long-running Linux process?
Personal Linux web server
Programmatically talking to a Serial Port in OS X or Linux
what's in your .bashrc ?
Linux - files and scripts that execute on boot
Text Editor For Linux (Besides Vi)?
Lightweight IDE for Linux
Shell scripting input redirection oddities
XML Editing/Viewing Software
What should a longtime Windows user know when starting to use Linux?
Gtk SSH client for Linux?
Getting root permissions on a file inside of vi?
Is it possible to drag windows between workspaces when using Compiz?
GTK implementation of MessageBox
Is gettimeofday() guaranteed to be of microsecond resolution?