11 Jul 2006, 2:35 p.m.
On Tue, Jul 11, 2006 at 02:29:18PM +0200, Jan Engelhardt wrote:
REDIRECT functionality does work upstream, but TCP source address spoofing can only be achieved with iptables SNAT.
SNAT in -t nat -A OUTPUT does not seem to work AFAICR, so you need at least two boxes to implement the SNAT, right?
We do it in POSTROUTING and that seems to work fine?
Oh ok. But on the machine where Squid runs (read: my case), the packets squid generates go on OUTPUT. That's why I think you need a second machine: one where packets can possibly go through POSTROUTING.
Packets that go through OUTPUT also go through POSTROUTING, don't they? If they don't, then the setup that I have here cannot possibly work at all :)

cheers,
Lennert
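Added example, not part of the thread and not Squid's or netfilter's own code: a small Python model of the nat-table hook traversal the two replies above are arguing about. It assumes a single box at 192.0.2.1 running Squid as uid 13 on port 3128 and a client at 198.51.100.7 (all constructed values), and encodes the 2.6-era rule that iptables accepts SNAT only in the nat POSTROUTING chain. Running it shows the point Lennert makes: a packet Squid generates traverses OUTPUT and then POSTROUTING, so a POSTROUTING SNAT rule rewrites its source on the same box, while the same rule in OUTPUT is refused at insertion time.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# nat chains in which iptables accepts each target. On the 2.6-era kernels the
# thread discusses SNAT is POSTROUTING-only, so "-t nat -A OUTPUT ... -j SNAT"
# is rejected when the rule is added. (Newer kernels also accept SNAT in INPUT.)
NAT_TARGET_CHAINS: Dict[str, set] = {
    "REDIRECT": {"PREROUTING", "OUTPUT"},
    "DNAT": {"PREROUTING", "OUTPUT"},
    "SNAT": {"POSTROUTING"},
}


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    uid: Optional[int] = None  # owning uid; only set for locally generated packets


@dataclass
class Rule:
    chain: str
    target: str
    to: str                            # SNAT/DNAT: address, REDIRECT: port
    match_uid: Optional[int] = None    # -m owner --uid-owner
    match_dport: Optional[int] = None  # -p tcp --dport


class NatTable:
    """Toy nat table plus hook traversal. Every packet is treated as the first
    packet of a new connection, the only one the real nat table examines."""

    def __init__(self, box_addr: str) -> None:
        self.box_addr = box_addr
        self.rules: List[Rule] = []

    def append(self, rule: Rule) -> None:
        if rule.chain not in NAT_TARGET_CHAINS[rule.target]:
            raise ValueError(f"{rule.target} target is not valid in nat {rule.chain}")
        self.rules.append(rule)

    def _is_local(self, addr: str) -> bool:
        return addr in ("127.0.0.1", self.box_addr)

    def _run(self, chain: str, pkt: Packet, visited: List[str]) -> None:
        visited.append(chain)
        for r in self.rules:
            if r.chain != chain:
                continue
            if r.match_uid is not None and r.match_uid != pkt.uid:
                continue
            if r.match_dport is not None and r.match_dport != pkt.dport:
                continue
            if r.target == "SNAT":
                pkt.src = r.to
            elif r.target == "DNAT":
                pkt.dst = r.to
            elif r.target == "REDIRECT":
                # REDIRECT points the packet at the box itself (loopback when local)
                pkt.dst = "127.0.0.1" if chain == "OUTPUT" else self.box_addr
                pkt.dport = int(r.to)
            break  # first matching NAT rule decides; later rules are not consulted

    def traverse(self, origin: str, pkt: Packet) -> Tuple[List[str], Packet]:
        """origin: 'incoming' (arrived on a NIC) or 'local' (generated here)."""
        visited: List[str] = []
        if origin == "local":
            self._run("OUTPUT", pkt, visited)
            self._run("POSTROUTING", pkt, visited)  # local packets do reach POSTROUTING
            if not self._is_local(pkt.dst):
                return visited, pkt
            # addressed to ourselves: loops back over lo and re-enters as incoming
        self._run("PREROUTING", pkt, visited)
        if self._is_local(pkt.dst):
            self._run("INPUT", pkt, visited)
        else:
            self._run("FORWARD", pkt, visited)
            self._run("POSTROUTING", pkt, visited)
        return visited, pkt


SQUID_UID = 13  # hypothetical uid of the Squid process on this box


def squid_box_demo() -> Dict[str, object]:
    """Constructed single-box scenario: Squid on 192.0.2.1:3128 intercepts port 80."""
    nat = NatTable(box_addr="192.0.2.1")
    nat.append(Rule("PREROUTING", "REDIRECT", "3128", match_dport=80))
    nat.append(Rule("POSTROUTING", "SNAT", "198.51.100.7", match_uid=SQUID_UID))
    try:  # the variant Jan tried: SNAT in -t nat -A OUTPUT
        nat.append(Rule("OUTPUT", "SNAT", "198.51.100.7", match_uid=SQUID_UID))
        snat_in_output = "accepted"
    except ValueError as err:
        snat_in_output = str(err)
    # 1. A client's request from the LAN is redirected into Squid.
    client_hooks, client = nat.traverse(
        "incoming", Packet(src="198.51.100.7", dst="203.0.113.10", dport=80))
    # 2. Squid's own outbound connection to the origin server.
    squid_hooks, squid = nat.traverse(
        "local", Packet(src="192.0.2.1", dst="203.0.113.10", dport=80, uid=SQUID_UID))
    # 3. Any other local process keeps the box's own source address.
    other_hooks, other = nat.traverse(
        "local", Packet(src="192.0.2.1", dst="203.0.113.10", dport=80, uid=0))
    return {
        "snat_in_output": snat_in_output,
        "client_hooks": client_hooks, "client_dst": (client.dst, client.dport),
        "squid_hooks": squid_hooks, "squid_src": squid.src,
        "other_hooks": other_hooks, "other_src": other.src,
    }


if __name__ == "__main__":
    for key, value in squid_box_demo().items():
        print(f"{key}: {value}")
```

The owner match (`-m owner --uid-owner`) is what keeps the rewrite scoped to Squid's sockets; without it, every outbound connection from the box would leave with a borrowed source address, which is the kind of misconfiguration worth checking for when auditing such a setup.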