On Tue, Jul 25, 2006 at 09:01:31PM +0200, Balazs Scheidler wrote:
Of course, it's not giving the real IP address, but at least some address that remains the same over time.
Sorry, what do you mean by this?
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.1     0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.168.2.1     0.0.0.0         255.255.255.0   U     0      0        0 eth2
0.0.0.0         192.168.1.254   0.0.0.0         UG    0      0        0 eth1
# 1:1 map the 192.168.2.0/24 sources onto 192.168.1.0/24 (host part is kept).
# -i cannot be used in POSTROUTING, so the rule matches on the source net;
# the NETMAP target's option is --to.
iptables -t nat -A POSTROUTING -s 192.168.2.0/24 -o eth1 \
    -j NETMAP --to 192.168.1.0/24
# squid's own traffic: pick some address out of the range
iptables -t nat -A POSTROUTING -s 192.168.1.2 -o eth1 -m owner \
    --uid-owner squid -j SNAT --to-source 192.168.1.2-192.168.1.254
The latter... it does not SNAT to the "real" address (i.e. 192.168.2.123 might get 192.168.1.240 instead of 192.168.1.123), but it suffices.
Ah, hm, right. Note that the code I posted inserts an SNAT rule every single time a connection is made, so it does let you keep your original source address. (But it needs some app hacking.)
And AFAIK iptables has trouble updating large tables, so it only works for a limited number of rules. And packet processing probably stalls while the table is being updated.
It only concerns the nat table, which is totally empty otherwise in our case. SNAT rules are kept only until the connection succeeds.

cheers,
Lennert
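The difference the two posters are discussing (NETMAP keeps the host part of the address, an SNAT range does not, so only the NETMAP translation lets a log entry on the far side be traced back to the real host) can be modelled in a few lines. The following is an added example written for this thread, not code from either post; the netmap() function emulates the NETMAP target's address arithmetic, and SnatRange is a deliberately simplified toy (the kernel's real choice within an SNAT range is hash based, which this does not reproduce; it only models that the chosen address has no relation to the original host).

```python
"""Constructed model of the two source-NAT strategies from the thread."""
import ipaddress


def netmap(addr, from_net, to_net):
    """Emulate iptables' NETMAP target on a single source address.

    The network bits of ``addr`` are replaced by those of ``to_net`` and the
    host bits are kept, so 192.168.2.123 -> 192.168.1.123.  An address outside
    ``from_net`` is returned unchanged, as the rule would not match it.
    """
    a = ipaddress.IPv4Address(addr)
    src = ipaddress.IPv4Network(from_net)
    dst = ipaddress.IPv4Network(to_net)
    if src.prefixlen != dst.prefixlen:
        raise ValueError("NETMAP needs source and target networks of equal size")
    if a not in src:
        return a
    host_bits = int(a) & (~int(src.netmask) & 0xFFFFFFFF)
    return ipaddress.IPv4Address(int(dst.network_address) | host_bits)


def netmap_is_reversible(from_net, to_net):
    """True when every host of from_net gets its own distinct address in to_net,
    i.e. the translated address still identifies the originating host."""
    hosts = list(ipaddress.IPv4Network(from_net).hosts())
    mapped = {netmap(h, from_net, to_net) for h in hosts}
    return len(mapped) == len(hosts)


class SnatRange:
    """Toy model of 'SNAT --to-source first-last' (hypothetical, constructed).

    Each new connection gets the next address from the range; the mapping is
    per connection and carries no information about the original source.
    """

    def __init__(self, first, last):
        lo = int(ipaddress.IPv4Address(first))
        hi = int(ipaddress.IPv4Address(last))
        self.pool = [ipaddress.IPv4Address(x) for x in range(lo, hi + 1)]
        self.next = 0
        self.table = {}  # (src, dst) -> translated source, one entry per connection

    def translate(self, src, dst):
        key = (src, dst)
        if key not in self.table:
            self.table[key] = self.pool[self.next % len(self.pool)]
            self.next += 1
        return self.table[key]


if __name__ == "__main__":
    # Constructed sample: a host on the 192.168.2.0/24 side talks to an outside address.
    print("NETMAP:", netmap("192.168.2.123", "192.168.2.0/24", "192.168.1.0/24"))
    snat = SnatRange("192.168.1.2", "192.168.1.254")
    print("SNAT range:", snat.translate("192.168.2.123", "203.0.113.10"))
```

Running the block prints 192.168.1.123 for the NETMAP case, while the SNAT toy hands out 192.168.1.2 regardless of which internal host opened the connection; netmap() with the networks swapped is its own inverse, which is what makes the NETMAP mapping usable for attribution in the far side's logs.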