Transparent proxy where source IP address remains unchanged --
adam at rosi-kessel.org
Fri Aug 12 20:52:18 CEST 2005
Thanks for your response:
curby . wrote:
>> iptables -t nat -A PREROUTING -i eth0 -s 10.1.1.2 -d 10.1.1.3 \
>> -p tcp --dport ssh -j DNAT --to 192.168.98.4
> In your hypothetical above, all three hosts were on the same subnet.
> If in fact your realtarget is on another subnet (as it is in this
> command), then all you need is DNAT and your source address/port will
> be kept. If all three hosts are on the same network, or the source
> and realtarget are on the same network, then you will need a SNAT rule
> as shown here:
In reality, userbox, faketarget, and realtarget, are all on different
> A single line to DNAT is all that should be necessary for DNAT between
> different subnets (as long as your FORWARD chain allows it). SNAT is
> definitely not required to get it to work. If it doesn't work, likely
> you have a bad setup somewhere. HOWTO might help:
Based on other messages in this thread, it appears that the problem is
that reply packets are going directly back to userbox rather than
through faketarget and thus are being dropped. I guess the proxy needs
to go both ways, but also be invisible. This is what I'm having trouble
>> Is this possible? Am I asking the wrong question?
> You didn't say why you're doing this, or what else your firewall setup
> has. If it's for auditing/eavesdropping, there are certainly other
> ways to do it. If all three hosts are on the same network, the client
> could simply go directly to realserver.
The main purpose is to facility relocation of a server to a new subnet
with zero downtime while DNS changes propagate. Any client that is still
getting the old IP address should be transparently routed to the new one.
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 250 bytes
Desc: OpenPGP digital signature
Url : /pipermail/netfilter/attachments/20050812/33cff4bb/signature.bin
More information about the netfilter