A transparent proxy is when you grab a certain type of traffic at your gateway or router and send it through a proxy without the knowledge of the user or client. Here's a simple description of how to use ClamSMTP as a transparent proxy to do virus checking on SMTP traffic going in or out of your network.
You should already be familiar with routing and network administration. Those topics are not touched on here.
Note that certain features of SMTP are disabled when going through clamsmtpd, most notably SSL/TLS. Authentication does however work. Transparent proxying has only been tested in recent versions of FreeBSD (using ipfw) and Linux (using iptables).
This setup assumes the clamsmtpd proxy is running on the same machine as the gateway. Running it on a different machine is possible, but more complicated to setup.
Your kernel needs support for ipfw. You can either load this as a kernel module by executing the following:
# kldload ipfw.ko
Or you can build it into your kernel by adding the following lines to your kernel config file. See the FreeBSD Handbook for info on how to build a kernel. Make sure to install and reboot with the new kernel before proceeding.
IPFIREWALL IPFIREWALL_FORWARD
Make sure IP forwarding (routing) is turned on. It probably already is as transparent proxying happens on a router.
Run the following command. It adds a line to your firewall to route traffic to clamsmtpd.
# ipfw add 100 fwd 127.0.0.1,10025 tcp from not me to any 25
If your kernel does not contain transparent proxy support you need to recompile your kernel with the following options. Recompling your linux kernel is beyond the scope of this document. You can find many tutorials on the subject online. After rebuilding and installing your new kernel make sure to reboot.
* Under General Setup o Networking support o Sysctl support * Under Networking Options o Network packet filtering o TCP/IP networking o Fast switching: *NO* * Under Networking Options -> IP: Netfilter Configuration o Connection tracking o IP tables support o Full NAT o REDIRECT target support * Under File Systems o /proc filesystem support
Make sure IP forwarding (routing) is turned on. It probably already is as transparent proxying happens on a router.
Run the following command and add it to your boot scripts. Make sure to substitute your NIC name in the command below:
# iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 25 -j REDIRECT --to-port 10025