The HyperNews Linux KHG Discussion Pages

Feedback: Transparent Proxy

Forum: The Linux Kernel Hackers' Guide
Re: How can I "cheat" and change the IP address (src,dest) in the sent socket? (Rami)
Keywords: ip network address transparent proxy masquerade
Date: Mon, 22 Jun 1998 22:16:01 GMT
From: Zygo Blaxell

Linux Transparent proxy support (part of the firewalling stuff) is designed to do exactly this.

There are basically two "halves" to transparent proxy:

  1. You can bind to any address you like, instead of choosing from the addresses of interfaces on the machine.
  2. You can collect SYN packets (generated by clients doing connect) on a port of your choice. You can do a getsockname to find out what address+port number the client thinks it connected to, and there are more fields in the "from" parameter of recvfrom that you can use to find out where a datagram was destined.

So if you want to connect to a server while pretending to have some other IP address, you simply do a bind system call on the socket before connecting. The address you bind to is the address you want to appear to be. This is just like doing a bind with a specific IP address or port number when you want a specific network interface or when you want a port number below 1024 for rcmd-based services, except that now you specify an IP address other than your own.

If you're doing UDP, then you might want to do this with the sendto and recvfrom system calls, in which case the source address is specified in the second 8 bytes of the socket address for the destination address in sendto and vice-versa for the source address in recvfrom.

Put another way, when you do a sendto, you put the destination address in the "to" parameter as usual, but you also put the desired source address (which is not the "usual" one) in the "to" parameter + 8 bytes. Note that you must OR in MSG_PROXY to the flags parameter for sendto/recvfrom.

Note that in order to use any of the transparent proxy features you must be root. Generally this is most useful when the host doing transparent proxy is a gateway or router of some kind, because impersonating host A when connecting to host B will only work if host B will normally try to send packets to host A through your host.
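Added example, not part of the original post: a minimal C sketch of the getsockname step from the second "half" above, showing how a listener bound to the wildcard address learns which address a client actually dialed. It assumes Linux, where every address in 127.0.0.0/8 is local, so loopback aliases stand in for the redirected traffic a real transparent proxy would receive; the function name dialed_address and the sample addresses are constructed for illustration.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Accept one connection on a wildcard listener and report, via getsockname,
 * the address the client dialed. Returns 0 on success, -1 on any error.
 * Assumption: Linux, where all of 127.0.0.0/8 is delivered locally. */
int dialed_address(const char *dial_ip, char *out, socklen_t outlen)
{
    struct sockaddr_in a, local;
    socklen_t len = sizeof a;
    int lfd = -1, cfd = -1, afd = -1, rc = -1;

    if ((lfd = socket(AF_INET, SOCK_STREAM, 0)) < 0) goto done;
    memset(&a, 0, sizeof a);
    a.sin_family = AF_INET;
    a.sin_addr.s_addr = htonl(INADDR_ANY);  /* listen on every local address */
    a.sin_port = 0;                         /* kernel picks a free port */
    if (bind(lfd, (struct sockaddr *)&a, sizeof a) < 0) goto done;
    if (listen(lfd, 1) < 0) goto done;
    if (getsockname(lfd, (struct sockaddr *)&a, &len) < 0) goto done;

    /* Client side: dial one specific address on the port just assigned. */
    if ((cfd = socket(AF_INET, SOCK_STREAM, 0)) < 0) goto done;
    if (inet_pton(AF_INET, dial_ip, &a.sin_addr) != 1) goto done;
    if (connect(cfd, (struct sockaddr *)&a, sizeof a) < 0) goto done;

    /* Proxy side: the accepted socket's local name is the dialed address. */
    if ((afd = accept(lfd, NULL, NULL)) < 0) goto done;
    len = sizeof local;
    if (getsockname(afd, (struct sockaddr *)&local, &len) < 0) goto done;
    if (local.sin_port != a.sin_port) goto done;
    if (inet_ntop(AF_INET, &local.sin_addr, out, outlen)) rc = 0;
done:
    if (afd >= 0) close(afd);
    if (cfd >= 0) close(cfd);
    if (lfd >= 0) close(lfd);
    return rc;
}

int main(void)
{
    char buf[INET_ADDRSTRLEN];
    if (dialed_address("127.0.0.2", buf, sizeof buf) == 0)
        printf("client dialed %s\n", buf);
    return 0;
}
```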