[tproxy] tproxy in newer 2.6 kernels

Lennert Buytenhek buytenh at wantstofly.org
Mon Jul 24 00:58:23 CEST 2006

On Sun, Jul 23, 2006 at 05:53:13PM +0200, Jan Engelhardt wrote:

> >> Of course, it's not giving the real IP address, but at least some
> >> address that remains the same over time.
> >
> >Sorry, what do you mean by this?
>
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
>   U     0      0      0   eth1
>   U     0      0      0   eth2
>         UG    0      0      0   eth1
>
> iptables -t nat -A POSTROUTING -i eth2 -o eth1 \
> 	-j NETMAP --to-dest
> iptables -t nat -A POSTROUTING -s -o eth1 -m owner \
> 	--uid-owner squid -j SNAT --to-source
>
> The latter... it does not SNAT to the "real" address (i.e. 
> might get instead of, but it suffices.

Ah, hm, right.  Note that the code I posted inserts an SNAT rule every
single time a connection is made, so it does let you keep your original
source address.  (But it needs some app hacking.)


