views: 1071
answers: 6

When maintaining networks, it is often an expedient thing to do to run a transparent proxy. By transparent proxy I mean a proxy that 'hijacks' outgoing connections and runs them through a local service. Specifically, I run a Linux firewall with Squid configured so that all TCP/IP connections forwarded on port 80 are proxied by Squid.

This is achieved using the iptables 'nat' table, using IPv4.

But iptables for IPv6 does not have a 'nat' table, so I cannot use the same implementation. What is a technique I can use to transparently proxy traffic for IPv6 connections?

A: 

iptables has a QUEUE target, which you can use to deliver packets to userspace. I am not sure, but perhaps something could be implemented there.

Past that, you could take a stab at adding something to the kernel to do redirection.

Zoredache
A: 

Another sort of ugly hack:

  • MARK all traffic with iptables (seems, there is CONNMARK target for IPv6)
  • route all marked traffic to tun device
  • do user-space NAT in the daemon listening at tun device
  • ...
darkk
Is this actually possible? Any idea where I'd start with a tun implementation with ipv6 support?
Jerub
IMHO, it SHOULD be possible. The Linux tun/tap driver seems to support IPv6. Try the tap driver (virtual ethernet) instead of tun if I'm wrong and IPv6 is not supported. I don't know what may be done with iptables `QUEUE`, but a tun-based solution should work, though it may be unsuitable for high load.
darkk
+2  A: 

You can't. Quoting from squid-cache.org:

NAT simply does not exist in IPv6. By Design.

Given that transparency/interception is actually a feature gained by secretly twisting NAT routes inside out and back on themselves. It's quite logical that a protocol without NAT cannot do transparency and interception that way.

innaM
A: 

Write your own implementation of NAT in IPv6 stack:)

softly.lt
that is just lol
divinci
+2  A: 

Here's an implementation:

http://www.suse.de/~krahmer/ip6nat/

dwcarder
+2  A: 

A viable way to do this is with the TPROXY rule in iptables; documentation is available here:

This should be supported in the as-yet unreleased Squid-3.2, using --enable-linux-netfilter and the iptables -t mangle -j TPROXY rule.

Jerub
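The TPROXY approach in the answer above needs more than the single -j TPROXY rule: the socket match must catch packets that already belong to a proxied flow, and policy routing must deliver marked packets locally even though their destination address is not one of ours. The script below is an added example, not from the thread or from Squid; it generates those ip6tables and ip -6 commands in the order they must be applied, renders them for review, and applies them only when asked. The chain name DIVERT, the mark 0x1, routing table 100 and proxy port 3129 are assumed conventional values, not requirements, and the proxy itself (e.g. Squid with a tproxy http_port) is assumed to be listening on that port with a transparent socket.

```python
#!/usr/bin/env python3
"""Generate and optionally apply the rules that steer IPv6 TCP port-80 flows
into a local TPROXY-capable proxy without NAT (added example, not Squid code).

Assumes Linux with ip6tables, the xt_TPROXY and xt_socket netfilter modules,
and a proxy bound with the transparent socket option on PROXY_PORT.
"""
import shlex
import subprocess
import sys


def tproxy_rules(proxy_port=3129, dest_port=80, mark=1, table=100, chain="DIVERT"):
    """Return the argv lists, in the order they must run.

    Order matters: the -m socket rule must precede the TPROXY rule so that
    packets of already-accepted flows are marked and accepted rather than
    handed to TPROXY again.
    """
    m = f"0x{mark:x}"
    return [
        # Helper chain: mark the packet and stop mangle processing.
        ["ip6tables", "-t", "mangle", "-N", chain],
        ["ip6tables", "-t", "mangle", "-A", chain, "-j", "MARK", "--set-mark", m],
        ["ip6tables", "-t", "mangle", "-A", chain, "-j", "ACCEPT"],
        # Packets that match an existing local socket (established proxied
        # flows) go through the helper chain.
        ["ip6tables", "-t", "mangle", "-A", "PREROUTING", "-p", "tcp",
         "-m", "socket", "-j", chain],
        # New port-80 flows: hand the packet to the proxy socket and set the
        # mark; the destination address is left untouched (no NAT).
        ["ip6tables", "-t", "mangle", "-A", "PREROUTING", "-p", "tcp",
         "--dport", str(dest_port), "-j", "TPROXY",
         "--tproxy-mark", f"{m}/{m}", "--on-port", str(proxy_port)],
        # Policy routing: marked packets are routed to a table whose only
        # route says "everything is local", so they are delivered on lo.
        ["ip", "-6", "rule", "add", "fwmark", m, "lookup", str(table)],
        ["ip", "-6", "route", "add", "local", "::/0", "dev", "lo", "table", str(table)],
    ]


def teardown_rules(proxy_port=3129, dest_port=80, mark=1, table=100, chain="DIVERT"):
    """Return the argv lists that undo tproxy_rules(), in reverse order."""
    m = f"0x{mark:x}"
    return [
        ["ip", "-6", "route", "del", "local", "::/0", "dev", "lo", "table", str(table)],
        ["ip", "-6", "rule", "del", "fwmark", m, "lookup", str(table)],
        ["ip6tables", "-t", "mangle", "-D", "PREROUTING", "-p", "tcp",
         "--dport", str(dest_port), "-j", "TPROXY",
         "--tproxy-mark", f"{m}/{m}", "--on-port", str(proxy_port)],
        ["ip6tables", "-t", "mangle", "-D", "PREROUTING", "-p", "tcp",
         "-m", "socket", "-j", chain],
        ["ip6tables", "-t", "mangle", "-F", chain],
        ["ip6tables", "-t", "mangle", "-X", chain],
    ]


def render(rules):
    """Render argv lists as shell lines so an operator can review them first."""
    return "\n".join(shlex.join(r) for r in rules) + "\n"


def apply_rules(rules):
    """Run each command; stop at the first failure (requires CAP_NET_ADMIN)."""
    for argv in rules:
        subprocess.run(argv, check=True)
    return len(rules)


if __name__ == "__main__":
    # "--apply" installs the rules, "--teardown" removes them; anything else
    # only prints the commands for review.
    if "--apply" in sys.argv:
        apply_rules(tproxy_rules())
    elif "--teardown" in sys.argv:
        apply_rules(teardown_rules())
    else:
        sys.stdout.write(render(tproxy_rules()))
```

After applying, `ip6tables -t mangle -L PREROUTING -n -v` should show the socket-match and TPROXY counters rising as clients open port-80 connections; if only the TPROXY counter moves and connections hang, the policy-routing rule or the proxy's transparent socket option is usually what is missing.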