[tproxy] tproxy in newer 2.6 kernels

Lennert Buytenhek buytenh at wantstofly.org
Tue Jul 25 21:03:34 CEST 2006


On Tue, Jul 25, 2006 at 09:01:31PM +0200, Balazs Scheidler wrote:

> > > >> Of course, it's not giving the real IP address, but at least some
> > > >> address that remains the same over time.
> > > >
> > > >Sorry, what do you mean by this?
> > > 
> > > Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> > > 192.168.1.1     0.0.0.0         255.255.255.0   U     0      0      0   eth1
> > > 192.168.2.1     0.0.0.0         255.255.255.0   U     0      0      0   eth2
> > > 0.0.0.0         192.168.1.254   0.0.0.0         UG    0      0      0   eth1
> > > 
> > > iptables -t nat -A POSTROUTING -i eth2 -o eth1 \
> > > 	-j NETMAP --to-dest 192.168.1.0/24
> > > iptables -t nat -A POSTROUTING -s 192.168.1.2 -o eth1 -m owner \
> > > 	--uid-owner squid -j SNAT --to-source 192.168.1.2-192.168.1.254
> > > 
> > > The latter... it does not SNAT to the "real" address (i.e. 192.168.2.123 
> > > might get 192.168.1.240 instead of 192.168.1.123), but it suffices.
> > 
> > Ah, hm, right.  Note that the code I posted inserts an SNAT rule every
> > single time a connection is made, so it does let you keep your original
> > source address.  (But it needs some app hacking.)
> 
> And AFAIK iptables has trouble updating large tables, so it only works
> for a limited number of rules. And packet processing probably stalls
> while the table is being updated.

It only concerns the nat table, which is totally empty otherwise in our
case.  SNAT rules are kept only until the connection succeeds.


cheers,
Lennert
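The transient per-connection SNAT that Lennert describes above, written out as an added example (not code from the thread or from tproxy). It assumes the proxy address 192.168.1.2 and the eth1 interface from the quoted rules, that the proxy binds a known local source port before calling connect(), and the helper names snat_add, snat_del and map_client_addr are hypothetical:

```shell
#!/bin/sh
# Per-connection SNAT: the proxy binds a local port, a nat rule matching
# that port is inserted, the proxy connects, and once the first packet has
# created the conntrack entry the rule is deleted again. This is safe
# because the NAT mapping is decided on the first packet and then kept in
# the conntrack entry, so the nat table stays almost empty.
# IPTABLES can be pointed at a stub for dry runs; the interface and proxy
# address are assumptions taken from the quoted rules.
IPTABLES=${IPTABLES:-iptables}
OUT_IF=${OUT_IF:-eth1}
PROXY_ADDR=${PROXY_ADDR:-192.168.1.2}

# Build the rule specification once so that -I and -D use identical text;
# otherwise the delete silently fails and stale rules accumulate.
# $1 = local source port the proxy bound, $2 = source address to present.
snat_rule_spec() {
    echo "POSTROUTING -s $PROXY_ADDR -p tcp --sport $1 -o $OUT_IF -j SNAT --to-source $2"
}

# Insert the rule for one outgoing connection (before connect()).
snat_add() {
    $IPTABLES -t nat -I $(snat_rule_spec "$1" "$2")
}

# Remove it once the connection is established (after connect() returns).
snat_del() {
    $IPTABLES -t nat -D $(snat_rule_spec "$1" "$2")
}

# Keep the host part when moving a client from 192.168.2.0/24 into
# 192.168.1.0/24, i.e. 192.168.2.123 becomes 192.168.1.123, which the
# SNAT --to-source range in the quoted rule does not guarantee.
map_client_addr() {
    echo "$1" | sed 's/^192\.168\.2\./192.168.1./'
}
```

With a stub such as `IPTABLES=echo` the script prints the two rule commands instead of touching the kernel, which is the easiest way to check the insert and delete specs match.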

