Re: transparent proxy

From: Joe Abley <>
Date: Fri, 3 Jul 1998 00:43:48 +1200 (NZST)

On Thu, 2 Jul 1998, Evren Yurtesen wrote:

> what do you mean by a host which is capable of receiving traffic
> destined for another? I set up my proxy server to port 80
> so just redirecting the next hop to be my proxy is not enough?

A browser attempts to open a TCP connection to port 80 of some server in
the world. The first datagram of the three-way TCP handshake, SYN bit set,
flies off through your network. Your router policy-routes this towards
your proxy box.

Your proxy will receive the layer-2 frame because the policy router
will have redirected it to your proxy's MAC-layer (e.g. ethernet) address.
If your proxy is connected to a network without layer-2 addressing, it
more than likely will arrive down a dedicated point-to-point circuit or
virtual circuit.

Since the destination IP address specified in the IP header encapsulated
within that frame will invariably not correspond to a local proxy address,
one of two things will happen:

(a) the proxy will dump the packet, possibly sending back an ICMP host
unreachable message

(b) if the proxy is configured to forward datagrams (i.e. is a router) it
will forward the packet according to its routing table (again, sending
back an ICMP host/network unreachable if there is no route for the

If (b) sends the packet back through the same router interface, it might
well get policy-routed back again. The packet will shuttle backwards and
forwards, TTL decreasing each time, until the TTL becomes zero and either
the proxy or the router sends back an ICMP "time exceeded in transit"
message to the client.

The behaviour governing (a) and (b) is typically handled by the kernel.
What you need to do for the transparent proxy is fool the kernel into
processing the datagram as if it had a destination address which matched a
local address on the proxy. That way it looks like a perfectly normal
connection from a client to a listening TCP socket (on port 80, in your

The packages that Henrik mentioned are some common (free) approaches;
they run on the proxy and effectively modify the normal behaviour so that
foreign-addressed datagrams are treated as locally-addressed. There are
also devices that will re-map the destination address to something a naked
proxy can handle "in the wire". People on this list seem to have had good
experiences with the Alteon AceSwitch (


> On Wed, 1 Jul 1998, Henrik Nordstrom wrote:
> > Evren Yurtesen wrote:
> >
> > > but then when I try to connect to a site it does not connect!
> > > also when I set my browser to use proxy at at port 80
> > > it works!
> > > what am I doing wrong? I was trying to do transparent proxying...
> >
> > Apart from having a routemap and a properly configured Squid, you also
> > need a host OS capable of receiving traffic destined for other
> > servers. This can be done with Linux ipfwadm or by using ipfilter on
> > other platforms (see the Squid FAQ for some details).

Joe Abley <>      Tel +64 9 912-4065, Fax +64 9 912-5008
Network Architect, CLEAR Net            
Received on Thu Jul 02 1998 - 05:45:16 MDT
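
The three outcomes described in the message above, as an added model that is not part of the original post: drop (a), forward and loop until the TTL expires (b), and delivery to the local listener once a redirect rule treats the foreign-addressed datagram as local. The addresses, function names and the `redirect_ports` parameter are hypothetical, and the model assumes the proxy's route for the foreign destination leads back through the policy-routed router interface.

```python
from dataclasses import dataclass

@dataclass
class Packet:
    dst: str    # destination IP in the IP header (the origin web server)
    dport: int  # destination TCP port
    ttl: int    # remaining time-to-live

def proxy_kernel(pkt, local_addrs, forwarding, redirect_ports):
    """Decision the proxy's kernel makes for one datagram that reached it at layer 2."""
    if pkt.dst in local_addrs or pkt.dport in redirect_ports:
        return "deliver"   # local, or treated as local by a redirect rule
    return "forward" if forwarding else "drop"   # case (b) or case (a)

def trace(pkt, local_addrs, forwarding=False, redirect_ports=()):
    """Follow a SYN from the policy router to the proxy.

    Returns (outcome, times_policy_routed). Assumes the proxy's route for the
    foreign destination leads back through the policy-routed interface.
    """
    routed = 0
    while True:
        pkt.ttl -= 1                       # router decrements TTL
        if pkt.ttl <= 0:
            return ("time exceeded, sent by router", routed)
        routed += 1                        # policy-routed to the proxy's MAC address
        verdict = proxy_kernel(pkt, local_addrs, forwarding, redirect_ports)
        if verdict == "deliver":
            return ("accepted by listening socket", routed)
        if verdict == "drop":
            return ("dropped by proxy", routed)
        pkt.ttl -= 1                       # proxy forwards, decrementing TTL
        if pkt.ttl <= 0:
            return ("time exceeded, sent by proxy", routed)

# Constructed sample values (documentation address ranges).
PROXY_ADDRS = {"192.0.2.10"}

def syn(ttl=64):
    """A browser's first SYN to port 80 of a foreign web server."""
    return Packet(dst="198.51.100.80", dport=80, ttl=ttl)

if __name__ == "__main__":
    print("(a)       ", trace(syn(), PROXY_ADDRS))
    print("(b)       ", trace(syn(), PROXY_ADDRS, forwarding=True))
    print("redirected", trace(syn(), PROXY_ADDRS, redirect_ports={80}))
```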
