Linux에서 IPv6 트래픽에 대한 투명 프록시

Question

네트워크를 유지할 때는 투명한 프록시를 실행하는 것이 종종 편리한 일입니다. 투명한 프록시라는 것은 '납치'연결을 '납치'하고 로컬 서비스를 통해 실행하는 대리를 의미합니다. 특히 포트 80에 전달 된 모든 TCP/IP 연결이 오징어로 프록시되도록 오징어로 구성된 Linux 방화벽을 실행합니다.

이것은 IPv4를 사용하여 iptables 'nat'테이블을 사용하여 달성됩니다.

그러나 IPv6의 iptables에는 'nat'테이블이 없으므로 동일한 구현을 사용할 수 없습니다. IPv6 연결을 위해 트래픽을 투명하게 프록시하는 데 사용할 수있는 기술은 무엇입니까?

Answer 1

A viable way to do this is with the TPROXY rule in iptables, documentation is available here:

• http://wiki.squid-cache.org/Features/Tproxy4#IPv6_Support
• http://www.mjmwired.net/kernel/Documentation/networking/tproxy.txt

This should be supported Squid (>= version 3.2). Using --enable-linux-netfilter and the iptables -t mangle -j TPROXY rule.

Answer 2

iptables has a QUEUE target, which you can use to deliver packets to userspace. I am not sure, but perhaps something could be implemented there.

Past that, you could take a stab at adding something to the kernel to do redirection.

Answer 3

You can't. Quoting from squid-cache.org:

NAT simply does not exist in IPv6. By Design.

Given that transparency/interception is actually a feature gained by secretly twisting NAT routes inside out and back on themselves. It's quite logical that a protocol without NAT cannot do transparency and interception that way.

Answer 4

Here's an implementation:

http://www.suse.de/~krahmer/ip6nat/

Answer 5

Another sort of ugly hack:

• MARK all traffic with iptables (seems, there is CONNMARK target for IPv6)
• route all marked traffic to tun device
• do user-space NAT in the daemon listening at tun device
• ...

Answer 6

Write your own implementation of NAT in IPv6 stack.