So I had this need a while back to transparently intercept some traffic running through my home network, scan/cache/rewrite it in-flight and then deliver it to the original destination as if nothing happened. Hey, its the classic man-in-the-middle and was the only way to get both ends of the connection to "co-operate". Thus my initial foray into the world of Linux's transparent proxy support (TPROXY).
The very first requirement, establishing the outgoing leg while impersonating as the source endpoint. That was worked out with some help from brother Illuminatus see here.
That done, the next step is to acquire/intercept/hijack the incoming connection. That solution was devised with Linux bridging and netfilter. ebtables redirects the traffic into the bridge itself and iptables redirects it to my Perl application using the TPROXY target in the mangle table.
Now the incoming connection arrives in Perl - via a listening IO::Socket::INET - with the original source and destination addresses and ports intact. Once the connection is accepted, a second connection is opened to the actual target impersonating as the real source.
I used Socket for this as IO::Socket::INET does not provide any easy means of setting the IP_TRANSPARENT socket option at the SOL_IP level *before* binding and making the outgoing connection.
With both connections ready, all that is left is to read from one and write to the other and vice versa until either connection is closed at which point the other is closed.
That describe the entire process, however you might need to change a couple of things at various stages to better fit your needs, the proxied protocols and traffic flows.
These include:
- the use of worker threads on accept to allow your proxy process more than one connection simultaneously,
- the choice of blocking or non-blocking IO,
- the use of the select (or IO::Select) to find out which sockets are ready for reading or writing and
- the parsing and analysis of the intercepted protocol.
Things to note:
- HTTP::Proxy and such exist, however I did not have the time to make the neccesary changes required for the outbound connection impersonation. Grafting that alteration would make for a very powerful and valuble tool.
- Similarly, the TPROXY changes can be applied to a package that inherits from IO::Socket::INET, maybe called IO::Socket::INET::TPROXY :)
- I have not perfected the read A, write B then read B, write A without blocking, deadlocks, ignoring valid data or closing connections prematurely yet.
- My code will be added in a subsequent reply, after I have worked out most of the kinks.
Thanks for reading.
Posts are HTML formatted. Put <p> </p> tags around your paragraphs. Put <code> </code> tags around your code and data!
Titles consisting of a single word are discouraged, and in most cases are disallowed outright.
Read Where should I post X? if you're not absolutely sure you're posting in the right place.
Please read these before you post! —
Posts may use any of the Perl Monks Approved HTML tags:
- a, abbr, b, big, blockquote, br, caption, center, col, colgroup, dd, del, details, div, dl, dt, em, font, h1, h2, h3, h4, h5, h6, hr, i, ins, li, ol, p, pre, readmore, small, span, spoiler, strike, strong, sub, summary, sup, table, tbody, td, tfoot, th, thead, tr, tt, u, ul, wbr
You may need to use entities for some characters, as follows. (Exception: Within code tags, you can put the characters literally.)
| |
For: |
|
Use: |
| & | | & |
| < | | < |
| > | | > |
| [ | | [ |
| ] | | ] |
Link using PerlMonks shortcuts! What shortcuts can I use for linking?
See Writeup Formatting Tips and other pages linked from there for more info.