13 Jul 2006, 7:08 p.m.
REDIRECT functionality does work upstream, but TCP source address spoofing can only be achieved with iptables SNAT.
SNAT in -t nat -A OUTPUT does not seem to work AFAICR, so you need at least two boxes to implement the SNAT, right?
We do it in POSTROUTING and that seems to work fine?
Oh ok. But on the machine where Squid runs (read: my case), the packets Squid generates go through OUTPUT. That's why I think you need a second machine: one where packets can possibly go through POSTROUTING.
Packets that go through OUTPUT also go through POSTROUTING, don't they?
If they don't, then the setup that I have here cannot possibly work at all :)
Interesting. I wonder if it solves my problem without requiring TPROXY. :)
--
Jan Engelhardt
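The single-box layout the thread arrives at, written out as an added example (this is not a ruleset posted by any of the participants). Locally generated packets do traverse the nat OUTPUT chain and then nat POSTROUTING, and SNAT is only accepted as a target in POSTROUTING, so the source rewrite for Squid's own upstream connections goes there; the owner match picks those connections out by the uid Squid runs as. The interface names, the Squid port and user, and the 198.51.100.10 address are assumptions for illustration. One caveat the thread does not spell out: SNAT rewrites to a fixed address, it cannot reproduce each original client's address per connection, which is what TPROXY provides.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed values: Squid listens on
# 3128 and runs as uid "proxy"; clients sit behind eth1, upstream is eth0;
# 198.51.100.10 is the fixed source address to present upstream.
SQUID_PORT=3128
SQUID_USER=proxy
LAN_IF=eth1
WAN_IF=eth0
SNAT_ADDR=198.51.100.10

# Emit the nat table in iptables-restore(8) format. Squid's own outbound
# connections are locally generated, so they pass nat/OUTPUT and then
# nat/POSTROUTING; the SNAT has to live in POSTROUTING because iptables
# refuses the SNAT target in OUTPUT.
nat_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# clients behind $LAN_IF: divert port 80 to the local Squid
-A PREROUTING -i $LAN_IF -p tcp --dport 80 -j REDIRECT --to-ports $SQUID_PORT
# Squid's own outbound connections, selected by owner uid, rewritten here
-A POSTROUTING -o $WAN_IF -p tcp -m owner --uid-owner $SQUID_USER -j SNAT --to-source $SNAT_ADDR
COMMIT
EOF
}

# Sanity check over a ruleset given as $1: return 1 if any SNAT rule sits
# in a chain other than POSTROUTING (the placement discussed in the
# thread), 0 otherwise.
check_snat_chain() {
    printf '%s\n' "$1" | grep -E -- '-j SNAT' | grep -qvE '^-A POSTROUTING ' && return 1
    return 0
}

# Parse-only load (needs root and nf_nat); call explicitly when wanted.
load_rules() {
    nat_rules | iptables-restore --test
}

# Stand-alone run: print the ruleset so it can be inspected or piped.
nat_rules
```

To apply it for real, `nat_rules | iptables-restore` as root replaces the nat table; run `load_rules` first to let iptables-restore parse the ruleset without committing it.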