[tproxy] tproxy in newer 2.6 kernels

Lennert Buytenhek buytenh at wantstofly.org
Tue Jul 11 14:35:07 CEST 2006


On Tue, Jul 11, 2006 at 02:29:18PM +0200, Jan Engelhardt wrote:

> >> > REDIRECT functionality does work upstream, but TCP source address
> >> > spoofing can only be achieved with iptables SNAT.
> >> 
> >> SNAT in -t nat -A OUTPUT does not seem to work AFAICR, so you need at
> >> least two boxes to implement the SNAT, right?
> >
> >We do it in POSTROUTING and that seems to work fine?
> 
> Oh ok. But on the machine where Squid runs (read: my case), the
> packets squid generates go on OUTPUT. That's why I think you need a
> second machine: one where packets can possibly go through POSTROUTING.

Packets that go through OUTPUT also go through POSTROUTING, don't they?

If they don't, then the setup that I have here cannot possibly work
at all :)


cheers,
Lennert

