Transparent proxy where source IP address remains unchanged -- possible?

curby . curby.public at gmail.com
Fri Aug 12 20:35:57 CEST 2005


On 8/10/05, Adam Rosi-Kessel <adam at rosi-kessel.org> wrote:
> I'm new to iptables and have perhaps a naive question.
> 
> I am wondering if there is a way to configure a proxy such that packets
> are redirected to a new IP address, but the *source* IP address remains
> unchanged.
> 
> To illustrate: let's say we have "userbox" 10.1.1.2, "faketarget"
> 10.1.1.3, and "realtarget" 10.1.1.4.
> 
> Userbox initiates an ssh connection to faketarget. Faketarget routes all
> packets to realtarget.

This is classic Destination NAT, or "port forwarding" and is certainly possible.

> iptables -t nat -A PREROUTING -i eth0 -s 10.1.1.2 -d 10.1.1.3 \
>         -p tcp --dport ssh -j DNAT --to 192.168.98.4

In your hypothetical above, all three hosts were on the same subnet. 
If in fact your realtarget is on another subnet (as it is in this
command), then all you need is DNAT and your source address/port will
be kept.  If all three hosts are on the same network, or the source
and realtarget are on the same network, then you will need a SNAT rule
as shown here:

http://www.netfilter.org/documentation/HOWTO//NAT-HOWTO-10.html

> iptables -t nat -A POSTROUTING -o eth0 -s 10.1.1.2 -d 10.1.1.3 \
>         -j SNAT --to 10.1.1.3
> 
> Easy enough. But in this case, the connection to realtarget appears to
> come from faketarget, not userbox, the originator of the ssh connection.

Right, using the SNAT target you have mangled the packet to claim to
come from faketarget.  You shouldn't expect realtarget to see anything
different.

> This is normally what you want with local NAT.

> But what if I want the connection to realtarget to appear to come from
> userbox.  I want faketarget to be an almost invisible middleman.  I
> don't want to rewrite the source IP address, but leave it as is.  If I
> just leave off the second iptables line above, however, no packets are
> forwarded to realtarget at all.

A single line to DNAT is all that should be necessary for DNAT between
different subnets (as long as your FORWARD chain allows it).  SNAT is
definitely not required to get it to work.  If it doesn't work, likely
you have a bad setup somewhere.  HOWTO might help:

http://www.netfilter.org/documentation/HOWTO//NAT-HOWTO-6.html#ss6.2

> Is this possible?  Am I asking the wrong question?

You didn't say why you're doing this, or what else your firewall setup
has.  If it's for auditing/eavesdropping, there are certainly other
ways to do it.  If all three hosts are on the same network, the client
could simply go directly to realserver.



More information about the netfilter mailing list