Transparent proxy where source IP address remains unchanged -- possible?

Adam Rosi-Kessel adam at rosi-kessel.org
Wed Aug 10 17:22:37 CEST 2005


I'm new to iptables and have perhaps a naive question.

I am wondering if there is a way to configure a proxy such that packets
are redirected to a new IP address, but the *source* IP address remains
unchanged.

To illustrate: let's say we have "userbox" 10.1.1.2, "faketarget"
10.1.1.3, and "realtarget" 10.1.1.4.

Userbox initiates an ssh connection to faketarget. Faketarget routes all
packets to realtarget.

I understand how to do this while changing the source IP address. I
would run these commands on the faketarget box:

# Rewrite the destination of userbox's ssh packets from faketarget to realtarget
iptables -t nat -A PREROUTING -i eth0 -s 10.1.1.2 -d 10.1.1.3 \
        -p tcp --dport ssh -j DNAT --to 10.1.1.4

# POSTROUTING sees the packet after DNAT, so match the new destination;
# rewrite the source so replies come back through faketarget
iptables -t nat -A POSTROUTING -o eth0 -s 10.1.1.2 -d 10.1.1.4 \
        -j SNAT --to 10.1.1.3

Easy enough. But in this case, the connection to realtarget appears to
come from faketarget, not userbox, the originator of the ssh connection.
This is normally what you want with local NAT.

But what if I want the connection to realtarget to appear to come from
userbox.  I want faketarget to be an almost invisible middleman.  I
don't want to rewrite the source IP address, but leave it as is.  If I
just leave off the second iptables line above, however, no packets are
forwarded to realtarget at all.

Is this possible?  Am I asking the wrong question?
-- 
Adam Rosi-Kessel
http://adam.rosi-kessel.org
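An added example, not part of the original message, showing the DNAT-only variant the post asks about (source address left untouched) together with the one piece the question leaves out: without SNAT, realtarget answers userbox directly, so its replies never pass through faketarget and conntrack cannot undo the DNAT; userbox then receives a SYN-ACK from 10.1.1.4 for a connection it opened to 10.1.1.3 and resets it. The addresses are the ones from the post; the interface name, the port 22, and the host route on realtarget are assumptions. The script prints the commands for review and only applies them with APPLY=1.

```shell
#!/bin/sh
# Added example (not from the original post): DNAT without SNAT on
# "faketarget", so realtarget sees connections from userbox's own address.
# Addresses come from the post; IFACE and the routing fix are assumptions.
set -eu

USERBOX=10.1.1.2
FAKETARGET=10.1.1.3
REALTARGET=10.1.1.4
IFACE=${IFACE:-eth0}

# Rules for faketarget, emitted as text so they can be reviewed before use.
# Note there is deliberately no POSTROUTING/SNAT rule.
faketarget_rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A PREROUTING -i $IFACE -s $USERBOX -d $FAKETARGET -p tcp --dport 22 -j DNAT --to-destination $REALTARGET
iptables -A FORWARD -i $IFACE -s $USERBOX -d $REALTARGET -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s $REALTARGET -d $USERBOX -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT
EOF
}

# Because the source address is not rewritten, realtarget's replies are
# addressed to userbox. They must still traverse faketarget so conntrack can
# map 10.1.1.4 back to 10.1.1.3; on a shared subnet that means a host route
# on realtarget pointing at faketarget (assumed here).
realtarget_rules() {
    cat <<EOF
ip route add $USERBOX/32 via $FAKETARGET
EOF
}

if [ "${APPLY:-0}" = 1 ]; then
    # Requires root and the iptables/iproute2 tools on faketarget.
    faketarget_rules | sh -e
else
    echo "# run on faketarget:"; faketarget_rules
    echo "# run on realtarget:"; realtarget_rules
fi
```

Running the script with no arguments prints both rule sets; `APPLY=1 sh script.sh` installs the faketarget side. The FORWARD rules are stateful on purpose: only userbox's ssh traffic and its matching replies are forwarded, rather than everything faketarget happens to route.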
