[tproxy] tproxy in newer 2.6 kernels

Balazs Scheidler bazsi at balabit.hu
Tue Jul 25 21:01:31 CEST 2006


On Mon, 2006-07-24 at 00:58 +0200, Lennert Buytenhek wrote:
> On Sun, Jul 23, 2006 at 05:53:13PM +0200, Jan Engelhardt wrote:
> 
> > >> Of course, it's not giving the real IP address, but at least some
> > >> address that remains the same over time.
> > >
> > >Sorry, what do you mean by this?
> > 
> > Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> > 192.168.1.1     0.0.0.0         255.255.255.0   U     0      0      0   eth1
> > 192.168.2.1     0.0.0.0         255.255.255.0   U     0      0      0   eth2
> > 0.0.0.0         192.168.1.254   0.0.0.0         UG    0      0      0   eth1
> > 
> > iptables -t nat -A POSTROUTING -i eth2 -o eth1 \
> > 	-j NETMAP --to-dest 192.168.1.0/24
> > iptables -t nat -A POSTROUTING -s 192.168.1.2 -o eth1 -m owner \
> > 	--uid-owner squid -j SNAT --to-source 192.168.1.2-192.168.1.254
> > 
> > The latter... it does not SNAT to the "real" address (i.e. 192.168.2.123 
> > might get 192.168.1.240 instead of 192.168.1.123), but it suffices.
> 
> Ah, hm, right.  Note that the code I posted inserts an SNAT rule every
> single time a connection is made, so it does let you keep your original
> source address.  (But it needs some app hacking.)

And AFAIK iptables has trouble updating large tables, so it only works
for a limited number of rules. And packet processing probably stalls
while the table is being updated.

-- 
Bazsi
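An added illustration of the distinction Jan draws in the quoted rules above (this is not code from the thread or from the tproxy project): NETMAP keeps the host part of the address, so 192.168.2.123 becomes 192.168.1.123 and the upstream side can still tell clients apart, whereas a SNAT --to-source range hands the proxy's own connection some address out of the range, which is stable but says nothing about which client it serves. The sample flows and the labels returned by classify() are constructed for this example.

```python
import ipaddress

# Constructed sample flows: (client address as seen on eth2, source address
# the upstream side sees after NAT). Not taken from the thread.
SAMPLE_FLOWS = [
    ("192.168.2.123", "192.168.1.240"),  # squid-originated, SNAT range
    ("192.168.2.7",   "192.168.1.7"),    # direct, NETMAP translated
]


def netmap(addr: str, target_net: str) -> str:
    """Host-preserving 1:1 translation the way NETMAP does it: the network
    bits come from target_net, the host bits are kept from addr."""
    ip = ipaddress.IPv4Address(addr)
    net = ipaddress.IPv4Network(target_net, strict=False)
    mask = int(net.netmask)
    host_bits = int(ip) & (~mask & 0xFFFFFFFF)
    network_bits = int(net.network_address) & mask
    return str(ipaddress.IPv4Address(network_bits | host_bits))


def in_snat_range(addr: str, first: str, last: str) -> bool:
    """True if addr lies inside an SNAT --to-source first-last range."""
    a = ipaddress.IPv4Address(addr)
    return ipaddress.IPv4Address(first) <= a <= ipaddress.IPv4Address(last)


def classify(client: str, seen_src: str, target_net: str = "192.168.1.0/24",
             first: str = "192.168.1.2", last: str = "192.168.1.254") -> str:
    """Label what the upstream side can learn from the translated source.

    Labels are constructed for this example:
      identity-preserving   host part matches the client (NETMAP result)
      stable-but-not-client an address from the SNAT range, no client info
      outside-range         neither rule explains the observed address
    """
    if seen_src == netmap(client, target_net):
        return "identity-preserving"
    if in_snat_range(seen_src, first, last):
        return "stable-but-not-client"
    return "outside-range"


def classify_flows(flows):
    """Run classify() over a list of (client, seen_src) pairs."""
    return [(c, s, classify(c, s)) for c, s in flows]


if __name__ == "__main__":
    for client, seen, label in classify_flows(SAMPLE_FLOWS):
        print(f"{client:>15} -> {seen:<15} {label}")
```

Running the block over the constructed flows labels the squid-originated one as stable-but-not-client and the directly translated one as identity-preserving, which is the gap the per-connection SNAT rules and tproxy are meant to close.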
