11 Jul 2006, 1:29 p.m.
REDIRECT functionality does work upstream, but TCP source address spoofing can only be achieved with iptables SNAT.
SNAT in -t nat -A OUTPUT does not seem to work AFAICR, so you need at least two boxes to implement the SNAT, right?
We do it in POSTROUTING and that seems to work fine?
Oh ok. But on the machine where Squid runs (read: my case), the packets Squid generates go on OUTPUT. That's why I think you need a second machine: one where packets can possibly go through POSTROUTING.

Jan Engelhardt