With the tproxy server as given in my scenario, I have a lot of flexibilities:<br>1. The high-end caching (tproxy) server can offer thro&#39;put advantages.<br>2. Original IP of the clients can be retained thro&#39; tproxy support<br>
3. Another IP based traffic identification/metering mechanism can sit between comp/tunneling-agent2 and the web server and monitor the traffic.<br><br>whereas in the conventional scenario suggested by you, point # 2 and # 3 would fail.<br>
<br>Tproxy4 socket is not a secure tunnel like that of IPSec to prevent DNATs from happening.<br><br>IMHO, I feel that the tproxy-local DNAT issue is a kind of restriction in the name of a new feature.<br><br><br><br><div class="gmail_quote">
2008/12/16 Balazs Scheidler <span dir="ltr">&lt;<a href="mailto:bazsi@balabit.hu">bazsi@balabit.hu</a>&gt;</span><br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div><div></div><div class="Wj3C7c">On Tue, 2008-12-16 at 10:46 +0530, Arun Srinivasan wrote:<br>
&gt; Hi,<br>
&gt;<br>
&gt; Balazs comment 1:<br>
&gt; &quot;You cannot use DNAT and tproxy on the same connection. What do you<br>
&gt; want<br>
&gt; to achieve?&quot;<br>
&gt;<br>
&gt; This is a common scenario. Say you have an intermediate compression<br>
&gt; agent/tunneling agent between the tproxy server and the web server as<br>
&gt; shown below:<br>
&gt;<br>
&gt; Client &lt;--------&gt; tproxy server &lt;---------&gt; compression/tunneling<br>
&gt; agent1 &lt;=============&gt; compression/tunneling agent2<br>
&gt; &lt;------------------&gt; web server<br>
&gt;<br>
&gt; In this case, the output from the tproxy server has to be DNATted or<br>
&gt; policy routed to the compression/tunneling agent. Policy routing is<br>
&gt; possible if the compression/tunneling agent lies outside the box. In<br>
&gt; case, if it runs as another process along with the tproxy server, DNAT<br>
&gt; is the only option, AFAIK.<br>
&gt;<br>
&gt; Balazs comment 2:<br>
&gt; &quot;If you want to change the target address of the server side<br>
&gt; connection,<br>
&gt; why don&#39;t you DNAT the server connection? That should work.&quot;<br>
&gt;<br>
&gt; Not able to understand what you exactly mean by &quot;DNAT the server<br>
&gt; connection&quot;.<br>
&gt;<br>
&gt; If my understanding is correct, Tproxy association is only for the<br>
&gt; socket created between client and the tproxy server. If that is the<br>
&gt; case, why does socket match failure happen for the socket created<br>
&gt; between tproxy server and DNAT server?<br>
<br>
</div></div>No, tproxy _may_ operate for both the client-&gt;tproxy and the<br>
tproxy-&gt;server connections, not just between client &amp; tproxy.<br>
<br>
However, you&#39;re right that tproxy does not support redirecting the<br>
traffic if the upstream for tproxy is running on the same box, the<br>
reason is simple, tproxy also uses routing to direct traffic to a local<br>
process, and it is not currently possible to divert outgoing traffic<br>
back to the input interface. but never mind.<br>
<br>
So in the scenario above, what is the added value of using &quot;tproxy&quot;<br>
instead of plain, simple NAT.<br>
<br>
client -&gt; REDIRECT in nat/PREROUTING -&gt; proxy1 -&gt; DNAT in nat/OUTPUT -&gt;<br>
<div class="Ih2E3d">compression/tunneling agent1 &lt;-&gt; compression/tunneling agent2 -&gt;<br>
</div>webserver<br></blockquote><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"><br>
<br>
the added value of tproxy over using NAT is increased performance (no<br>
NAT is required) and solving the problems related to the conntrack table<br>
and local IP stack state to get out of sync.<br>
<font color="#888888"><br>
<br>
<br>
--<br>
Bazsi<br>
<br>
<br>
</font></blockquote></div><br><br clear="all"><br>-- <br>Regards,<br>Arun S.<br>