
I have a customer that wants to intercept SSL traffic as it leaves their network. My proposed solution is to set up a proxy that is transparent at both layer 2 and layer 3 so it can simply be dropped into their network without any change in config required. The proxy has two NICs, one connected to the server, the other to the client. The client, proxy and gateway are under control of the customer; the server is not.

For example:

client --- Proxy --- gateway -|- server

I have my proxy program configured with the IP_TRANSPARENT socket option so it can respond to connections destined for a remote IP.

I am using the following setup:

iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --on-port 3128 --tproxy-mark 1/1
iptables -t mangle -A PREROUTING -p tcp -j MARK --set-mark 1
ip rule add fwmark 1/1 table 1
ip route add local 0.0.0.0/0 dev lo table 1

The client in question is on its own subnet and has been configured so that the proxy is the default gateway.

The result is:

  1. Client sends a frame to the proxy; source IP is client, source mac is client, destination IP is server, destination mac is proxy
  2. Proxy forwards this frame to the gateway; source IP is proxy, source mac is proxy, destination IP is server, destination mac is gateway
  3. Gateway forwards this to the server and gets a response back.
  4. Gateway sends reply back to proxy; source IP is server, source mac is gateway, destination IP is proxy, destination mac is proxy
  5. Proxy forwards this reply to client; source IP is server, source mac is proxy, destination IP is client, destination mac is client. The tproxy and iptables configuration lets the proxy send packets with a non local ip address.

Is there a way to make something transparent at the mac address level? That is, put the client on the same subnet as the gateway. The gateway sees the source IP and mac as that of the client, even though they originated from the proxy. Could this be done by configuring the proxy as a bridge then use ebtables to escalate the traffic to be handled by iptables?

When I use ebtables to push something up to iptables, it appears my proxy program doesn't respond to the packets as they are destined for the gateway's MAC address, not the proxy's.

What are some other potential avenues I could investigate?

EDIT: When the client and gateway are on different subnets (and client has set the proxy as the gateway), it works as described in 1 to 5. But I want to know if it is possible to have the client and gateway on the same subnet and have the proxy fully transparent (ie client is not aware of the proxy). The customer doesn't want to move some clients to a different subnet, they just want a drop in solution. Thanks!

EDIT 2: I can configure the proxy as a bridge using brctl, but cannot find a way to direct this traffic to my proxy program - asked here: Possible for linux bridge to intercept traffic?. Currently, with the description numbered 1 to 5, it operates at layer 3; it is transparent on the client side (client thinks it is talking to the server's IP), but not on the gateway side (gateway is talking to the proxy's IP). What I want to find out is, is it possible to make this operate at layer 2, so it is fully transparent? What are the available options I should research? Thanks

EDIT 3: clarified the situation with more detail.

A G
  • Why do you need to do this? I don't think it can be done. MAC addresses can not cross beyond the local subnet. – Khaled Aug 30 '12 at 14:11
  • A network schematic would help a lot: what is where and connected to what. – mulaz Aug 30 '12 at 14:21
  • client --- proxy --- server – A G Aug 30 '12 at 14:28
  • @Khaled I want the server to see the request as coming from the client's MAC address, not the proxy's MAC address. I want to do this so it looks like the client and server are talking directly to each other. – A G Aug 30 '12 at 14:33
  • "client --- proxy --- server" directly with cables, and two interfaces on the proxy server? or are all those boxes connected to a single switch in a "star" shape? – mulaz Aug 30 '12 at 14:36
  • directly with cables; the proxy has two ethernet interfaces, one directly to the client, the other directly to the server. It is a 'bump in the wire' – A G Aug 30 '12 at 14:37
  • Just configure the 2nd interface of the proxy with the client MAC address? –  Aug 30 '12 at 16:18
  • If the proxy is a L3 device then how do you expect return traffic to find its way back to the client? The server would see traffic coming from a MAC address that wasn't actually present on its local subnet. If the proxy is an L2 device (i.e. the bump in the wire you mention above) then it shouldn't be changing the MAC address of the packet unless there's some other path between the client and server. – rnxrx Aug 30 '12 at 18:31
  • @rnxrx: so currently it is transparent to the client at layer 3; the client thinks it is talking directly to the server, however the server sees the proxy's IP in the source address, not the client. What I want to do is make it a layer two device, as you suggest, but couldn't get that to work (I asked how to make it work at as a layer 2 device here: http://serverfault.com/questions/420046/possible-for-linux-bridge-to-intercept-traffic). So this question was looking for alternatives. Thanks! – A G Aug 31 '12 at 09:20
  • @Eric: there maybe multiple clients behind the proxy – A G Aug 31 '12 at 09:21
  • There can't be multiple clients, you said it: "directly with cables". Seriously, any switch involved might get silly if MAC addresses are dynamically spoofed on the LAN. –  Aug 31 '12 at 09:30
  • @EricDANNIELOU well initially there will only be one client. However ultimately "client" may represent a switch with multiple clients attached. But either way, it wouldn't matter if the proxy was operating at layer two, since it is possible to connect a switch to another layer two device (for example another switch). If I start spoofing MAC addresses, or start defining mac addresses for interfaces, then yes, it will cause issues which is why I don't want to configure the 2nd interfaces of the proxy with client mac addresses. – A G Aug 31 '12 at 09:39
  • Why won't a bridged transparent proxy work again? Forgive me it's early here. – gravyface Aug 31 '12 at 10:41
  • @gravyface : That describes exactly what I want! I didn't think to use those exact words. What would I need to do to setup a bridged transparent proxy? Or should that be a new serverfault question? Can it be done using bcrtl (for bridging) and ebtables/iptables to direct certain traffic to my proxy program – A G Aug 31 '12 at 11:06
  • The best way to achieve would be to not use a proxy - the whole idea of a proxy is that it operates on the client's behalf, if you change the MAC then the reply isn't going to go back via the proxy (at best). Can you tell us what you're trying to achieve, rather than asking how to implement your solution? As an aside, LVS (http://www.linuxvirtualserver.org) comes close to what you're trying to achieve, by creating a load balancing server in front of a service which forwards traffic at layer 2, meaning replies go direct to the client. – James Yale Aug 31 '12 at 11:36
  • @A G: I had this setup at some point, but nowhere near that box atm; just Google for "squid transparent bridge proxy". Lots of tutorials. – gravyface Aug 31 '12 at 11:42
  • @JamesYale: customer wants an SSL interceptor like the netronome network appliance. They want to have a device that can be placed in their network without having to change configs hence operating at layer two. My proxy program is a man in the middle which intercepts ssl connections, and then initiates a new one on the client's behalf - this enables it to decrypt everything from the client. Of course, the clients will get the certificate error saying the certificates don't match, but the customer's IT policy states their employees have no expectations to privacy when using company IT equipment. – A G Aug 31 '12 at 13:18
  • @gravyface: I initially looked at squid for this and had modified it to log the decrypted traffic, but it can only work with http/https traffic, is that correct? The customer needs to be able to decrypt arbitrary traffic and protocols, not just HTTP – A G Aug 31 '12 at 13:20
  • You can use whatever you want: eb/iptables is doing all the work. However, you won't see the client MACs "on the other side" because the whole point of a proxy is to, well, proxy the traffic. I'm assuming there's NAT at the gateway anyway, so not sure what you mean by "need to see MAC address of client". The bridge box will, but not the websites, servers, etc. – gravyface Aug 31 '12 at 14:27
  • @gravyface I'd want the device after the proxy (for example a router or gateway) to see the client's mac address as the source address, not the proxy's. Of course it will change once it leaves the LAN, but that would happen anyway. I'm trying to make a solution that is as transparent as possible. Do you know if this can be done with ebtables/iptables? I have my other question http://serverfault.com/questions/420046/possible-for-linux-bridge-to-intercept-traffic hasn't gotten any answers yet but not sure what I have done wrong. – A G Aug 31 '12 at 14:36
  • The volume of comments on this question is tripping automatic warnings. It's time to roll them all up into the questions and clarify the exact situation. – user9517 Aug 31 '12 at 14:42

1 Answer


If the machines are on the same subnet the answer is no. Within a subnet, the Ethernet protocol delivers the packets from machine to machine, and at the Ethernet layer the MAC address is the true source address, and IP addresses are unknown.

Bart B
  • When I configure my machine as a bridge with brctl addbr br0; brctl addif br0 eth1; brctl addif br0 eth2; ip link set br0 up the MAC addresses are preserved since it is operating as a layer 2 bridge. So you're saying it is not possible to have a listener program on this machine modifying the packets as they pass through? For example use ebtables and iptables to intercept this traffic and bring it up to my program. I've had a go, but not sure if I have ebtables and iptables configured correctly. – A G Aug 31 '12 at 14:40
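The bridged "bump in the wire" that the comment above asks about, written out as an added example; this is neither the poster's code nor part of the answer. The script builds the bridge, uses the ebtables BROUTE chain to pull only the flows of interest out of the bridge path (every other frame is still bridged with its MAC addresses untouched), and diverts those flows to a TPROXY listener with the same mark/local-route trick the question already uses. Interface names (eth1 on the client side, eth2 on the gateway side), the 192.0.2.0/24 addresses, ports 443 and 3128, the DIVERT chain name and routing table 100 are all placeholders chosen for the example.

```bash
#!/bin/sh
# Added example, not the poster's code. Assumptions: eth1 faces the clients,
# eth2 faces the gateway, the proxy program listens on port 3128 with
# IP_TRANSPARENT set, br0 gets an address in the LAN (so replies and the
# proxy's own outbound connections can be routed), and the kernel has bridge,
# ebtables broute and xt_TPROXY/xt_socket support.
set -eu

# With DRY_RUN set, print each command instead of executing it, so the rule
# set can be reviewed before it is applied to a production box.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# setup_bridge_tproxy CLIENT_IF GATEWAY_IF PORT PROXY_PORT BR_ADDR/PREFIX GW_IP
setup_bridge_tproxy() {
    in_if=$1 out_if=$2 port=$3 proxy_port=$4 br_addr=$5 gw=$6

    # 1. A plain bridge (brctl addbr/addif does the same). Frames that are not
    #    diverted below cross from $in_if to $out_if with source and
    #    destination MACs untouched, so the gateway keeps seeing the clients'
    #    own MAC addresses for everything the proxy does not intercept.
    run ip link add br0 type bridge
    run ip link set "$in_if" master br0
    run ip link set "$out_if" master br0
    run ip link set "$in_if" up
    run ip link set "$out_if" up
    run ip addr add "$br_addr" dev br0
    run ip link set br0 up
    run ip route add default via "$gw" dev br0

    # 2. Pull only the interesting flows out of the bridge path. In the BROUTE
    #    chain, "redirect --redirect-target DROP" means "do not bridge this
    #    frame, hand it to the IP stack as if it were addressed to this host".
    #    Both directions are needed: the server's replies are addressed to the
    #    client's IP and MAC, not to the proxy, so they would otherwise be
    #    bridged straight past the proxy's socket.
    run ebtables -t broute -A BROUTING -p IPv4 --ip-proto tcp --ip-dport "$port" \
        -j redirect --redirect-target DROP
    run ebtables -t broute -A BROUTING -p IPv4 --ip-proto tcp --ip-sport "$port" \
        -j redirect --redirect-target DROP

    # 3. Deliver those packets to the listener without rewriting addresses.
    #    TPROXY marks new client->server flows; "-m socket" marks packets that
    #    already belong to a transparent socket (the server->client leg, once
    #    the proxy has bound its outbound socket to the client's IP with
    #    IP_TRANSPARENT). The mark selects a table whose only route is
    #    "local", which is what lets the kernel accept a packet whose
    #    destination IP is not its own.
    run iptables -t mangle -N DIVERT
    run iptables -t mangle -A DIVERT -j MARK --set-mark 0x1
    run iptables -t mangle -A DIVERT -j ACCEPT
    run iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
    run iptables -t mangle -A PREROUTING -p tcp --dport "$port" \
        -j TPROXY --on-port "$proxy_port" --tproxy-mark 0x1/0x1
    run ip rule add fwmark 0x1 lookup 100
    run ip route add local 0.0.0.0/0 dev lo table 100

    # 4. Reverse-path filtering drops packets whose source is not reachable
    #    via the ingress interface, which is exactly what brouted frames on an
    #    address-less bridge port look like; relax it (commonly required).
    run sysctl -w net.ipv4.conf.all.rp_filter=0
    run sysctl -w "net.ipv4.conf.$in_if.rp_filter=0"
    run sysctl -w "net.ipv4.conf.$out_if.rp_filter=0"
    run sysctl -w net.ipv4.ip_forward=1
}

# Frames the proxy itself originates carry br0's MAC. If the gateway side must
# see the client's MAC on those too, rewrite it per client in the ebtables nat
# table. Assumption: a static client IP -> MAC mapping, one rule per client.
# spoof_client_mac GATEWAY_IF CLIENT_IP CLIENT_MAC
spoof_client_mac() {
    out_if=$1 client_ip=$2 client_mac=$3
    run ebtables -t nat -A POSTROUTING -o "$out_if" -p IPv4 --ip-src "$client_ip" \
        -j snat --to-src "$client_mac" --snat-target ACCEPT
}

# Example invocation with constructed addresses from the documentation range:
#   DRY_RUN=1 sh bridge-tproxy.sh apply      (review)
#   sh bridge-tproxy.sh apply                (apply, as root)
if [ "${1:-}" = "apply" ]; then
    setup_bridge_tproxy eth1 eth2 443 3128 192.0.2.2/24 192.0.2.1
    spoof_client_mac eth2 192.0.2.10 02:00:00:00:00:10
fi
```

Two caveats a practitioner will hit. First, the return leg only works if the proxy's outbound socket also sets IP_TRANSPARENT and binds to the client's address before connecting; otherwise the server replies are addressed to the proxy's own IP and the `-m socket` rule never matches the brouted frames. Second, even with all of this in place the TCP connections are still terminated on the box: the frames the proxy emits carry br0's MAC unless the ebtables snat rule rewrites them, which is the one place where "layer 2 transparent" stops being free and becomes per-client state.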