Transparent proxy where source IP address remains unchanged -- possible?

Adam Rosi-Kessel adam at
Mon Aug 15 16:33:43 CEST 2005

Grant Taylor wrote:
> This is the command that you would need to run on the fake target to do
> the up and over part:
> iptables -t nat -A PREROUTING -i $INet -d $FakeTargetIP -p tcp --dport
> 22 -j DNAT --to-destination $RealTargetIP:2222
> This is the corresponding command that you would need to run on the real
> target to do the down and in part:
> iptables -t mangle -A PREROUTING -i $INet -d $RealTargetIP -p tcp
> --dport 2222 -j MARK --set-mark $Mark
> iptables -t nat -A PREROUTING -i $INet -d $RealTargetIP -p tcp --dport
> 2222 -j REDIRECT --to-ports 22

Okay, I understand all this. Is this all that is necessary to make sure
the response packets go back through faketarget, though? Isn't this just
 taking care of the first part--the "up and over/down and in" part--but
not the second part, where packets need to go back to source through

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 250 bytes
Desc: OpenPGP digital signature
Url : /pipermail/netfilter/attachments/20050815/e19ee534/signature.bin

More information about the netfilter mailing list