So I had this need a while back to transparently intercept some traffic running through my home network, scan/cache/rewrite it in-flight and then deliver it to the original destination as if nothing happened. Hey, its the classic man-in-the-middle and was the only way to get both ends of the connection to "co-operate". Thus my initial foray into the world of Linux's transparent proxy support (TPROXY).

The very first requirement, establishing the outgoing leg while impersonating as the source endpoint. That was worked out with some help from brother Illuminatus see here.

That done, the next step is to acquire/intercept/hijack the incoming connection. That solution was devised with Linux bridging and netfilter. ebtables redirects the traffic into the bridge itself and iptables redirects it to my Perl application using the TPROXY target in the mangle table.

Now the incoming connection arrives in Perl - via a listening IO::Socket::INET - with the original source and destination addresses and ports intact. Once the connection is accepted, a second connection is opened to the actual target impersonating as the real source.
I used Socket for this as IO::Socket::INET does not provide any easy means of setting the IP_TRANSPARENT socket option at the SOL_IP level *before* binding and making the outgoing connection.

With both connections ready, all that is left is to read from one and write to the other and vice versa until either connection is closed at which point the other is closed.

That describe the entire process, however you might need to change a couple of things at various stages to better fit your needs, the proxied protocols and traffic flows.

These include:

• the use of worker threads on accept to allow your proxy process more than one connection simultaneously,
• the choice of blocking or non-blocking IO,
• the use of the select (or IO::Select) to find out which sockets are ready for reading or writing and
• the parsing and analysis of the intercepted protocol.

Things to note:

• HTTP::Proxy and such exist, however I did not have the time to make the neccesary changes required for the outbound connection impersonation. Grafting that alteration would make for a very powerful and valuble tool.
• Similarly, the TPROXY changes can be applied to a package that inherits from IO::Socket::INET, maybe called IO::Socket::INET::TPROXY :)
• I have not perfected the read A, write B then read B, write A without blocking, deadlocks, ignoring valid data or closing connections prematurely yet.
• My code will be added in a subsequent reply, after I have worked out most of the kinks.

Thanks for reading.