NFR Wizards Archive: IP transparent proxies (source).


Steve Kann (stevek@SteveK.COM)
Tue, 4 Nov 1997 12:56:57 -0500


Linux Firewallers,

        I've been building a firewall based on Linux, and I'd like to
share a couple of neat little things that I've done. They're not
commercial-quality or anything, but they're pretty slick, and do their
job well.

        I've been really interested in IP_TRANSPARENT_PROXY stuff, and
have made two tools that are really useful for taking advantage of it.
The first is tplug-gw, which is based on the fwtk plug-gw, and can
transparently proxy TCP connections. You can then choose via Linux's
filtering rules which connections you'd like proxied. Doing this
instead of simple packet filtering lets you have better logging, stops
TCP OOB attacks, fragmentation attacks, etc. I'm not including the
source here yet, because I'm not sure if I'm allowed to redistribute it,
according to the fwtk license. I might just re-write it from scratch,
as it isn't too complicated, and then it could be released without
problems.

        The second tool, which I'm attaching to the message, is an
apache module called mod_tproxy, which sits in front of the regular
apache proxy module. When it gets a request, it looks to see if the
local address is the current machine or if the connection has been
redirected by IP_TRANSPARENT_PROXY. If it's a redirect, it re-writes
the request URI to be in fully-qualified http://host[:port]/file form,
and then passes it up to the proxy module. In this way, one can
transparently insert a proxy into a network, without requiring explicit
proxy support from the clients, or having to perform any special
configuration. It seems to work surprisingly well for me. It's pretty
raw right now, but useful nonetheless.

        Anyways, please let me know if anyone has any comments.

-SteveK

-- 
        Steve Kann   i/o 360 digital design   841 Broadway, Suite 502
  Personal:stevek@SteveK.COM (finger for PGP) Business:stevek@io360.com
 I don't want your product or service, and I don't want to make money fast,
    so please don't send me your junk mail telling me about any of it.

/* ====================================================================
 * Copyright (c) 1995-1997 The Apache Group.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 *
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in
 *    the documentation and/or other materials provided with the
 *    distribution.
 *
 * 3. All advertising materials mentioning features or use of this
 *    software must display the following acknowledgment:
 *    "This product includes software developed by the Apache Group
 *    for use in the Apache HTTP server project (http://www.apache.org/)."
 *
 * 4. The names "Apache Server" and "Apache Group" must not be used to
 *    endorse or promote products derived from this software without
 *    prior written permission.
 *
 * 5. Redistributions of any form whatsoever must retain the following
 *    acknowledgment:
 *    "This product includes software developed by the Apache Group
 *    for use in the Apache HTTP server project (http://www.apache.org/)."
 *
 * THIS SOFTWARE IS PROVIDED BY THE APACHE GROUP ``AS IS'' AND ANY
 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
 * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE APACHE GROUP OR
 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 * OF THE POSSIBILITY OF SUCH DAMAGE.
 * ====================================================================
 *
 * This software consists of voluntary contributions made by many
 * individuals on behalf of the Apache Group and was originally based
 * on public domain software written at the National Center for
 * Supercomputing Applications, University of Illinois, Urbana-Champaign.
 * For more information on the Apache Group and the Apache HTTP server
 * project, please see <http://www.apache.org/>.
 *
 */

/*
 * "Transparent Proxy" Module.
 * 1997 Steve Kann <SteveK@stevek.com>
 *
 * This module is designed to be used in conjunction with Linux'
 * IP TRANSPARENT PROXY firewalling, or any similar system on another
 * operating system.  Transparent Proxying redirects tcp connections
 * destined for a foreign host to a local port.  A local server can then
 * accept the connection, and act as a proxy.  getsockname will reveal the
 * original destination host.
 *
 * It should be used with an ipfwadm command like:
 *
 *   ipfwadm -I -S "your-network" -D 0.0.0.0/0 80 -a accept -P tcp -r 8080
 *
 * where 8080, in this example, is the port you're running apache on.
 */

#include "httpd.h"
#include "http_config.h"
#include "http_core.h"
#include "http_log.h"
#include "http_main.h"
#include "http_protocol.h"
#include "util_script.h"

#include <stdio.h>
#include <netinet/in.h>     /* struct sockaddr_in, ntohs */
#include <arpa/inet.h>      /* inet_ntoa */

/*--------------------------------------------------------------------------*/
/*                                                                          */
/* Data declarations.                                                       */
/*                                                                          */
/* Here are the static cells and structure declarations private to our      */
/* module.                                                                  */
/*                                                                          */
/*--------------------------------------------------------------------------*/

/*
 * Declare ourselves so the configuration routines can find and know us.
 * We'll fill it in at the end of the module.
 */
module tproxy_module;

/*
 * This routine gives our module an opportunity to translate the URI into an
 * actual filename.  If we don't do anything special, the server's default
 * rules (Alias directives and the like) will continue to be followed.
 *
 * The return value is OK, DECLINED, or HTTP_mumble.  If we return OK, no
 * further modules are called for this phase.
 */
static int tproxy_translate_handler(request_rec *r)
{
    struct sockaddr_in local_addr;
    const char *host;
    char buf[256];

    /* The local end of the accepted socket (what getsockname() reported).
     * Under IP_TRANSPARENT_PROXY this is the client's ORIGINAL destination,
     * not this machine's own address, when the connection was redirected. */
    local_addr = r->connection->local_addr;

    /* XXX - this will cause us to not do this stuff for connections really
     * destined for this server.  It should really also check to make sure
     * the address isn't a valid local address as well. */
    if (ntohs(local_addr.sin_port) == r->server->port)
        return DECLINED;

#ifdef DEBUG
    fprintf(stderr, "tproxy: XLAT %s -> ", r->uri);
#endif

    /* Only add an explicit ":port" when the original destination wasn't 80.
     * A 16-bit port is at most 5 digits, so the 256-byte buffer is ample. */
    buf[0] = 0;
    host = table_get(r->headers_in, "Host");
    if (ntohs(local_addr.sin_port) != 80)
        sprintf(buf, "%d", ntohs(local_addr.sin_port));

    /* construct the proxy URI:
     * we use the hostname in the Host: line if we can, so we
     * use the cache more effectively (or else Round-robin DNS
     * would defeat the cache somewhat). */
    r->uri = pstrcat(r->pool, "http://",
                     host ? host : inet_ntoa(local_addr.sin_addr),
                     buf[0] ? ":" : "", buf,
                     r->uri,
                     r->path_info ? r->path_info : "",
                     r->args ? "?" : "",
                     r->args ? r->args : "",
                     NULL);

    /* now make sure the request gets handled by the proxy handler */
    r->proxyreq = 1;
    r->handler = "proxy-server";

#ifdef DEBUG
    fprintf(stderr, "%s\n", r->uri);
#endif

    /* DECLINED rather than OK so the proxy module's own translate handler
     * still runs and turns the rewritten URI into its "proxy:" filename. */
    return DECLINED;
}

/*--------------------------------------------------------------------------*/
/*                                                                          */
/* All of the routines have been declared now.  Here's the list of          */
/* directives specific to our module, and information about where they      */
/* may appear and how the command parser should pass them to us for         */
/* processing.  Note that care must be taken to ensure that there are NO    */
/* collisions of directive names between modules.                           */
/*                                                                          */
/*--------------------------------------------------------------------------*/

/*
 * List of directives specific to our module (none; empty placeholder).
 */
command_rec tproxy_cmds[] = {
    {NULL}
};

/* No content handlers of our own either; the proxy module does the work. */
handler_rec example_handlers[] = {
    {NULL}
};

/*--------------------------------------------------------------------------*/
/*                                                                          */
/* Finally, the list of callback routines and data structures that          */
/* provide the hooks into our module from the other parts of the server.    */
/*                                                                          */
/*--------------------------------------------------------------------------*/

/*
 * Module definition for configuration.  If a particular callback is not
 * needed, replace its routine name below with the word NULL.
 *
 * The number in brackets indicates the order in which the routine is called
 * during request processing.  Note that not all routines are necessarily
 * called (such as if a resource doesn't have access restrictions).
 */
module tproxy_module = {
    STANDARD_MODULE_STUFF,
    NULL,                       /* module initializer */
    NULL,                       /* per-directory config creator */
    NULL,                       /* dir config merger */
    NULL,                       /* server config creator */
    NULL,                       /* server config merger */
    NULL,                       /* command table */
    NULL,                       /* [7] list of handlers */
    tproxy_translate_handler,   /* [2] filename-to-URI translation */
    NULL,                       /* [5] check/validate user_id */
    NULL,                       /* [6] check user_id is valid *here* */
    NULL,                       /* [4] check access by host address */
    NULL,                       /* [7] MIME type checker/setter */
    NULL,                       /* [8] fixups */
    NULL,                       /* [10] logger */
    NULL,                       /* [3] header parser */
    NULL,                       /* process initializer */
    NULL,                       /* process exit/cleanup */
    NULL                        /* [1] post read_request handling */
};
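The two decisions mod_tproxy's translate handler makes, as an added stand-alone example (this is not Steve Kann's code and does not use the Apache API): first, whether a connection was redirected to us by the firewall or was really addressed to this server, which is where the module's XXX comment says it should also compare the local address and not just the port (otherwise a request truly meant for this host would be re-proxied back to itself); second, building the fully-qualified http://host[:port]/path[?args] URI from the Host: header or, failing that, the original destination address that getsockname() reports. The function names, the LOCAL_ADDRS table and the sample addresses are this example's own constructions.

```c
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>
#include <netinet/in.h>

/* Addresses this server itself listens on (constructed sample values). */
static const char *const LOCAL_ADDRS[] = { "127.0.0.1", "192.0.2.10" };
#define N_LOCAL (sizeof LOCAL_ADDRS / sizeof LOCAL_ADDRS[0])

/* Returns 1 if the socket's local endpoint (what getsockname() reports
 * after a transparent-proxy redirect) is NOT one of this server's own
 * listeners, i.e. the client originally addressed some other host.
 * Checking the address as well as the port closes the gap noted in the
 * module's XXX comment: a request really meant for this server must not
 * be turned into a proxy request for itself. */
int is_redirected(const struct sockaddr_in *local, unsigned short server_port)
{
    char ip[INET_ADDRSTRLEN];
    size_t i;

    if (ntohs(local->sin_port) == server_port)
        return 0;                          /* our own listening port */
    if (!inet_ntop(AF_INET, &local->sin_addr, ip, sizeof ip))
        return 0;                          /* unprintable: be conservative */
    for (i = 0; i < N_LOCAL; i++)
        if (strcmp(ip, LOCAL_ADDRS[i]) == 0)
            return 0;                      /* a real local address */
    return 1;
}

/* Builds "http://host[:port]/uri[?args]" into out.  host may be NULL (no
 * Host: header), in which case the original destination IP is used, as
 * mod_tproxy does.  Port 80 is omitted.  Returns out, or NULL if the result
 * would not fit; unlike the module's sprintf() this is length-checked. */
char *build_proxy_uri(char *out, size_t outlen, const char *host,
                      const struct sockaddr_in *local,
                      const char *uri, const char *args)
{
    char ip[INET_ADDRSTRLEN];
    char port[8] = "";
    unsigned port_num = ntohs(local->sin_port);
    int n;

    if (!host) {
        if (!inet_ntop(AF_INET, &local->sin_addr, ip, sizeof ip))
            return NULL;
        host = ip;
    }
    if (port_num != 80)
        snprintf(port, sizeof port, ":%u", port_num);
    n = snprintf(out, outlen, "http://%s%s%s%s%s", host, port, uri,
                 args ? "?" : "", args ? args : "");
    return (n < 0 || (size_t)n >= outlen) ? NULL : out;
}

/* Helper: sockaddr_in from a dotted quad and a host-order port. */
struct sockaddr_in make_addr(const char *ip, unsigned short port)
{
    struct sockaddr_in a;
    memset(&a, 0, sizeof a);
    a.sin_family = AF_INET;
    a.sin_port = htons(port);
    inet_pton(AF_INET, ip, &a.sin_addr);
    return a;
}

int main(void)
{
    char buf[512];
    /* Constructed scenario: a client asked for http://www.example.net/ and
     * the firewall redirected the connection to our port 8080; getsockname()
     * still shows the original destination 198.51.100.7:80. */
    struct sockaddr_in orig = make_addr("198.51.100.7", 80);
    struct sockaddr_in own  = make_addr("192.0.2.10", 80);
    struct sockaddr_in alt  = make_addr("198.51.100.7", 8000);

    printf("redirected (foreign host)?   %d\n", is_redirected(&orig, 8080));
    printf("redirected (our own addr)?   %d\n", is_redirected(&own, 8080));
    printf("%s\n", build_proxy_uri(buf, sizeof buf, "www.example.net",
                                   &orig, "/index.html", "q=1"));
    printf("%s\n", build_proxy_uri(buf, sizeof buf, NULL, &alt, "/", NULL));
    return 0;
}
```

The second is_redirected() case is the one the module currently gets wrong: a connection to 192.0.2.10:80 is not on the server's own port (8080), so the port-only test would treat it as a redirect and rewrite the request into a proxy request for the server itself.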



This archive was generated by hypermail 2.0b3 on Sat Jul 17 1999 - 07:09:48 CDT