[tproxy] tproxy in newer 2.6 kernels
Lennert Buytenhek
buytenh at wantstofly.org
Mon Jul 24 00:58:23 CEST 2006
On Sun, Jul 23, 2006 at 05:53:13PM +0200, Jan Engelhardt wrote:
> >> Of course, it's not giving the real IP address, but at least some
> >> address that remains the same over time.
> >
> >Sorry, what do you mean by this?
>
> Destination Gateway Genmask Flags Metric Ref Use Iface
> 192.168.1.1 0.0.0.0 255.255.255.0 U 0 0 0 eth1
> 192.168.2.1 0.0.0.0 255.255.255.0 U 0 0 0 eth2
> 0.0.0.0 192.168.1.254 0.0.0.0 UG 0 0 0 eth1
>
> iptables -t nat -A POSTROUTING -i eth2 -o eth1 \
> -j NETMAP --to-dest 192.168.1.0/24
> iptables -t nat -A POSTROUTING -s 192.168.1.2 -o eth1 -m owner \
> --uid-owner squid -j SNAT --to-source 192.168.1.2-192.168.1.254
>
> The latter... it does not SNAT to the "real" address (i.e. 192.168.2.123
> might get 192.168.1.240 instead of 192.168.1.123), but it suffices.
Ah, hm, right. Note that the code I posted inserts an SNAT rule every
single time a connection is made, so it does let you keep your original
source address. (But it needs some app hacking.)
cheers,
Lennert
More information about the tproxy
mailing list