[zorp] Zorp and Traffic Control

Illes Marton zorp@lists.balabit.hu
Mon, 31 Mar 2003 20:46:14 +0200 (CEST)



On Mon, 31 Mar 2003, c0g wrote:

> Hi!
> Could Zorp work as "real" transparent proxy, so neither client nor
> server will see its IP address? I need this for per ip bandwidth
> limiting. This example illustrates this:
>
> client1 ----- zorp_transparent_firewall ----- internet ----- server
> client2
> ..
> clientn
>
> Clients have _public_ IPs.
> Is this possible:
> When client connects to server, zorp intercept that connection, does
> protocol analysis etc., and then connects to server as _client_ IP. So,
> server sees in its log, that connection was made by client, not Zorp
> machine.
>
> If Zorp could do this, I could set per ip bandwidth limiting (cbq rules)
> on both firewall interfaces, not only on internal NIC. Therefore
> outgoing traffic would be shaped too.

Hi,

I am not sure about your point of doing traffic shaping, but anyhow you
can do it with Zorp of course.

You need to use ForgeClientSourceNAT as SNAT, or if you use
TransparentRouter you can set the forge_addr attribute to TRUE.

Both mean that when Zorp connects to the server it uses the client's
original IP address as the source address of the connection.

Look out for the routing, the router must route packets to the clients
through the fw!

Don't forget to use the tproxy patch with 2.4 kernels, it's needed for
transparency.

bye,

Marci
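As an added example (not from the original thread or the Zorp project), a Zorp policy.py fragment showing the two options Marci names. Only ForgeClientSourceNAT, TransparentRouter and forge_addr come from the reply; the zone names, addresses, service names and the use of Zorp 2.x policy classes such as InetZone, Service, Listener, SockAddrInet and HttpProxy are assumptions here.

```python
# Assumed Zorp 2.x policy.py fragment (added example, not from the thread).
# Only ForgeClientSourceNAT, TransparentRouter and forge_addr are named in
# the reply; zone names, addresses, service names and the other classes
# used below are assumptions.
from Zorp.Core import *
from Zorp.Http import *

# Clients with public IPs on the internal side, everything else outside
# (constructed sample addresses).
InetZone("clients", "198.51.100.0/24",
         inbound_services=["*"], outbound_services=["*"])
InetZone("internet", "0.0.0.0/0",
         inbound_services=["*"], outbound_services=["*"])

def zorp_http():
    # Option 1: TransparentRouter with forge_addr=TRUE. Zorp connects to the
    # client's original destination and uses the client's IP address as the
    # source address of the server-side connection.
    Service("http_forge_router", HttpProxy,
            router=TransparentRouter(forge_addr=TRUE))

    # Option 2: keep the plain transparent router and forge the source
    # address with ForgeClientSourceNAT as the service's SNAT.
    Service("http_forge_snat", HttpProxy,
            router=TransparentRouter(),
            snat=ForgeClientSourceNAT())

    # Transparent listener on the internal interface (address assumed);
    # bind whichever of the two services you chose. Because the server's
    # replies are addressed to the client IP, the return path must pass
    # through this firewall or the reply never reaches the proxy.
    Listener(SockAddrInet("198.51.100.1", 50080), "http_forge_router")
```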