Transparent Proxy for IPv6 traffic under Linux
Question
When maintaining networks, it is often an expedient thing to do to run a transparent proxy. By transparent proxy I mean a proxy that 'hijacks' outgoing connections and runs them through a local service. Specifically, I run a Linux firewall with squid configured so that all TCP/IP connections forwarded on port 80 are proxied by squid.
This is achieved using the iptables 'nat' table, using IPv4.
But iptables for IPv6 does not have a 'nat' table, so I cannot use the same implementation. What is a technique I can use to transparently proxy traffic for IPv6 connections?
Solution
A viable way to do this is with the TPROXY rule in iptables; documentation is available here:
- http://wiki.squid-cache.org/Features/Tproxy4#IPv6_Support
- http://www.mjmwired.net/kernel/Documentation/networking/tproxy.txt
This should be supported by Squid (>= version 3.2), built with --enable-linux-netfilter and using the iptables -t mangle -j TPROXY rule.
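As an added example (not part of the original answer), the ip6tables/policy-routing set-up that the TPROXY approach needs on the proxying router, following the layout documented on the Squid Tproxy4 wiki page; the Squid port (3129), fwmark (1) and routing table number (100) are assumed values.

```shell
#!/bin/sh
# Added example (not from the original answer): ip6tables TPROXY interception of
# forwarded TCP/80 towards a local Squid >= 3.2 built with --enable-linux-netfilter
# and configured with "http_port 3129 tproxy".
# Assumed values: Squid port 3129, fwmark 1, policy-routing table 100.
# DRY_RUN=1 (default) prints the commands; DRY_RUN=0 executes them (needs root).
TPROXY_PORT="${TPROXY_PORT:-3129}"
MARK="${MARK:-1}"
RT_TABLE="${RT_TABLE:-100}"
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Without NAT the packet keeps its real remote destination, so policy routing is
# needed: marked packets use a table whose only route delivers everything locally.
tproxy_routing() {
    run ip -6 rule add fwmark "$MARK" lookup "$RT_TABLE"
    run ip -6 route add local default dev lo table "$RT_TABLE"
}

# mangle/PREROUTING: packets that already belong to a transparent socket are only
# marked (DIVERT chain); new TCP/80 flows are handed to Squid's socket by TPROXY.
tproxy_rules() {
    run ip6tables -t mangle -N DIVERT
    run ip6tables -t mangle -A DIVERT -j MARK --set-mark "$MARK"
    run ip6tables -t mangle -A DIVERT -j ACCEPT
    run ip6tables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
    run ip6tables -t mangle -A PREROUTING -p tcp --dport 80 \
        -j TPROXY --tproxy-mark "$MARK/$MARK" --on-port "$TPROXY_PORT"
}

# Reverse the above (order matters: delete the jump before removing the chain).
tproxy_teardown() {
    run ip6tables -t mangle -D PREROUTING -p tcp --dport 80 \
        -j TPROXY --tproxy-mark "$MARK/$MARK" --on-port "$TPROXY_PORT"
    run ip6tables -t mangle -D PREROUTING -p tcp -m socket -j DIVERT
    run ip6tables -t mangle -F DIVERT
    run ip6tables -t mangle -X DIVERT
    run ip -6 route del local default dev lo table "$RT_TABLE"
    run ip -6 rule del fwmark "$MARK" lookup "$RT_TABLE"
}

case "${1:-}" in
    up)   tproxy_routing; tproxy_rules ;;
    down) tproxy_teardown ;;
esac
```

The box must be the IPv6 router on the clients' path, since only forwarded traffic passes through mangle/PREROUTING; run `DRY_RUN=1 ./tproxy6.sh up` first to review the rules before applying them.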
OTHER TIPS
iptables has a QUEUE target, which you can use to deliver packets to userspace. I am not sure, but perhaps something could be implemented there.
Past that, you could take a stab at adding something to the kernel to do redirection.
You can't. Quoting from squid-cache.org:
NAT simply does not exist in IPv6. By Design.
Given that transparency/interception is actually a feature gained by secretly twisting NAT routes inside out and back on themselves, it's quite logical that a protocol without NAT cannot do transparency and interception that way.
Here's an implementation:
Another sort of ugly hack:
- MARK all traffic with iptables (it seems there is a CONNMARK target for IPv6)
- route all marked traffic to a tun device
- do user-space NAT in the daemon listening on the tun device
- ...
Write your own implementation of NAT in IPv6 stack.