[tproxy] tproxy in newer 2.6 kernels
Jan Engelhardt
jengelh at linux01.gwdg.de
Tue Jul 11 14:29:18 CEST 2006
>
>> > REDIRECT functionality does work upstream, but TCP source address
>> > spoofing can only be achieved with iptables SNAT.
>>
>> SNAT in -t nat -A OUTPUT does not seem to work AFAICR, so you need at
>> least two boxes to implement the SNAT, right?
>
>We do it in POSTROUTING and that seems to work fine?
>
Oh ok. But on the machine where Squid runs (read: my case), the packets
squid generates go on OUTPUT. That's why I think you need a second machine:
one where packets can possibly go through POSTROUTING.
Jan Engelhardt
--
More information about the tproxy
mailing list