[tproxy] tproxy in newer 2.6 kernels
Lennert Buytenhek
buytenh at wantstofly.org
Tue Jul 25 21:03:34 CEST 2006
On Tue, Jul 25, 2006 at 09:01:31PM +0200, Balazs Scheidler wrote:
> > > >> Of course, it's not giving the real IP address, but at least some
> > > >> address that remains the same over time.
> > > >
> > > >Sorry, what do you mean by this?
> > >
> > > Destination     Gateway         Genmask         Flags Metric Ref Use Iface
> > > 192.168.1.1     0.0.0.0         255.255.255.0   U     0      0   0   eth1
> > > 192.168.2.1     0.0.0.0         255.255.255.0   U     0      0   0   eth2
> > > 0.0.0.0         192.168.1.254   0.0.0.0         UG    0      0   0   eth1
> > >
> > > # 1:1 map the eth2 clients (192.168.2.0/24) onto 192.168.1.0/24 on the way
> > > # out of eth1 (-i is not accepted in POSTROUTING, so match on source net;
> > > # NETMAP takes --to and rewrites the source address in POSTROUTING)
> > > iptables -t nat -A POSTROUTING -s 192.168.2.0/24 -o eth1 \
> > > -j NETMAP --to 192.168.1.0/24
> > > # connections squid itself opens get a source address from the range
> > > iptables -t nat -A POSTROUTING -s 192.168.1.2 -o eth1 -m owner \
> > > --uid-owner squid -j SNAT --to-source 192.168.1.2-192.168.1.254
> > >
> > > The latter... it does not SNAT to the "real" address (i.e. 192.168.2.123
> > > might get 192.168.1.240 instead of 192.168.1.123), but it suffices.
> >
> > Ah, hm, right. Note that the code I posted inserts an SNAT rule every
> > single time a connection is made, so it does let you keep your original
> > source address. (But it needs some app hacking.)
>
> And AFAIK iptables has trouble updating large tables, so it only works
> for a limited number of rules. And packet processing probably stalls
> while the table is being updated.
It only concerns the nat table, which is totally empty otherwise in our
case. SNAT rules are kept only until the connection succeeds.
cheers,
Lennert
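The per-connection SNAT idea discussed above (insert a rule when the proxy opens a connection, drop it once the connection is up), written out as an added example; this is not code from the tproxy list, from squid, or from Lennert's posted patch. It assumes the proxy's outbound interface is eth1, identifies the connection by the proxy's own local source port (bound before the rule is inserted), and shells out to the iptables binary through subprocess; the runner is injectable so the flow can be exercised without root.

```python
"""Per-connection SNAT for a transparent proxy (added example, not code from the
tproxy list or from squid).  Before connecting to the origin server the proxy
binds its socket so the local source port is known, inserts an SNAT rule that
matches exactly that 4-tuple and rewrites the source to the original client
address, connects, then deletes the rule again.  The mapping survives the
deletion because netfilter attaches it to the conntrack entry when the first
packet (the SYN) is seen, not to the rule.  Interface name, addresses and the
subprocess runner are assumptions for illustration."""

import socket
import subprocess
import threading


def snat_rule_args(action, out_if, proxy_ip, proxy_port,
                   server_ip, server_port, client_ip):
    """Build the iptables argument vector for one connection-specific SNAT rule.

    action is "-I" (insert at top of POSTROUTING) or "-D" (delete that rule)."""
    return [
        "iptables", "-t", "nat", action, "POSTROUTING",
        "-o", out_if, "-p", "tcp",
        "-s", proxy_ip, "--sport", str(proxy_port),
        "-d", server_ip, "--dport", str(server_port),
        "-j", "SNAT", "--to-source", client_ip,
    ]


def connect_as_client(client_ip, proxy_ip, server, out_if="eth1",
                      run=subprocess.check_call):
    """Open a TCP connection to server=(ip, port) whose packets leave with
    client_ip as source address.

    `run` executes an argument vector.  The default really calls iptables
    (needs root and the nat table); tests pass a recorder instead."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.bind((proxy_ip, 0))               # fix the local port before adding the rule
    proxy_port = sock.getsockname()[1]
    server_ip, server_port = server
    common = (out_if, proxy_ip, proxy_port, server_ip, server_port, client_ip)
    run(snat_rule_args("-I", *common))
    try:
        sock.connect(server)               # SYN goes out; conntrack records the NAT mapping
    except OSError:
        sock.close()
        raise
    finally:
        run(snat_rule_args("-D", *common)) # rule not needed once connect() has returned
    return sock


def demo():
    """Exercise the flow against a loopback listener with a recording runner in
    place of the real iptables binary.  Returns the recorded iptables argument
    vectors (constructed test setup; no rules are actually installed)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    server = listener.getsockname()
    accepted = []
    t = threading.Thread(target=lambda: accepted.append(listener.accept()[0]))
    t.start()

    recorded = []
    sock = connect_as_client("192.168.2.123", "127.0.0.1", server,
                             out_if="lo", run=recorded.append)
    t.join()
    sock.close()
    for conn in accepted:
        conn.close()
    listener.close()
    return recorded


if __name__ == "__main__":
    for argv in demo():
        print(" ".join(argv))
```

The rule can be removed as soon as connect() returns because the SNAT decision is made on the connection's first packet and stored in the conntrack entry; that is what keeps the nat table empty apart from connections still being set up. It does not remove the cost Balazs raised: every iptables invocation still replaces the whole nat table, so a proxy opening many connections per second pays that replace on each one. Return traffic from the origin server must also route back through this box, which is the case in the gateway setup shown in the routing table above.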