[tproxy] tproxy in newer 2.6 kernels

Jan Engelhardt jengelh at linux01.gwdg.de
Thu Jul 13 20:08:24 CEST 2006

>> >> > REDIRECT functionality does work upstream, but TCP source address
>> >> > spoofing can only be achieved with iptables SNAT.
>> >> 
>> >> SNAT in -t nat -A OUTPUT does not seem to work AFAICR, so you need at
>> >> least two boxes to implement the SNAT, right?
>> >
>> >We do it in POSTROUTING and that seems to work fine?
>> Oh ok. But on the machine where Squid runs (read: my case), the
>> packets squid generates go on OUTPUT. That's why I think you need a
>> second machine: one where packets can possibly go through POSTROUTING.
>Packets that go through OUTPUT also go through POSTROUTING, don't they?
>If they don't, then the setup that I have here cannot possibly work
>at all :)
Interesting. I wonder if it solves my problem without requiring TPROXY. :)

Jan Engelhardt

More information about the tproxy mailing list