rewriting destination port of outbound packets
Jason Opperisano
opie at 817west.com
Fri Mar 11 12:36:43 CET 2005
On Thu, 2005-03-10 at 14:20, Mason Schmitt wrote:
> I am attempting to configure a Linux box (mandrake 10.1 - iptables
> 1.2.9) to redirect http, ftp, real, winmedia, quicktime, and nntp to a
> Netapp NetCache transparent caching proxy.
>
> Here is my network layout:
>
>          Net
>           |
>   Linux router/fw
>           |
> -------switch-------
>  |                |
> clients         cache
>
> Starting first with http, I have made use of fwmark and iproute2 to
> first mark traffic from our network to destination port 80 and then
> route that traffic, out the same interface it came in on, to the web
> cache. The problem I am trying to resolve is that the traffic that I am
> routing to the cache still has the destination port 80. I think this
> needs to be 3128 (The cache accepts connections on port 3128).
>
> So, is it possible to rewrite the destination port in this scenario?
yeah--at some point in your packet mangling:
iptables -t nat -A PREROUTING -i $INSIDE_IF -p tcp --dport 80 \
-j DNAT --to-destination $NETCACHE_IP:3128
as an aside--your life would be infinitely easier if you added a third
NIC to the Linux router/fw and put the netcache on that segment...IMHO
-j
--
"Dear Baby, Welcome to Dumpsville. Population: You"
--The Simpsons
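As an added example (not part of the original thread), the DNAT rule from the reply placed in a small firewall script together with the two rules the same-segment layout in the question needs: an exemption so the cache's own outbound HTTP is not redirected back to itself, and a source NAT so the cache's replies return through the router rather than going straight to the client. The interface name and addresses are placeholders; IPTABLES defaults to "echo iptables" so the script only prints the rules it would apply.

```shell
#!/bin/sh
# Added example, not from the original post. Placeholder values below;
# set IPTABLES=iptables and run as root to actually apply the rules.
IPTABLES="${IPTABLES:-echo iptables}"
INSIDE_IF="${INSIDE_IF:-eth1}"                 # assumed LAN interface
NETCACHE_IP="${NETCACHE_IP:-192.168.1.20}"     # assumed NetCache address
ROUTER_INSIDE_IP="${ROUTER_INSIDE_IP:-192.168.1.1}"  # assumed router LAN address
CACHE_PORT=3128

redirect_http_to_cache() {
    # 1. The cache fetches pages on port 80 through this same router.
    #    Exempt its traffic first, or its own requests would be DNATed
    #    back to it and loop.
    $IPTABLES -t nat -A PREROUTING -i "$INSIDE_IF" -s "$NETCACHE_IP" \
        -p tcp --dport 80 -j ACCEPT

    # 2. The rule from the reply: rewrite client HTTP to cache:3128.
    #    After DNAT the destination is the cache's LAN address, so normal
    #    routing already sends the packet back out INSIDE_IF; no fwmark
    #    or iproute2 rule is needed for that any more.
    $IPTABLES -t nat -A PREROUTING -i "$INSIDE_IF" -p tcp --dport 80 \
        -j DNAT --to-destination "$NETCACHE_IP:$CACHE_PORT"

    # 3. Clients and cache share a switch, so the cache would answer the
    #    client directly with source cache:3128, which the client never
    #    connected to, and the TCP session would fail. SNAT the redirected
    #    packets to the router's LAN address so replies come back through
    #    the router and conntrack reverses both translations. The cache
    #    then sees the router as the client; the third NIC suggested in
    #    the reply avoids that.
    $IPTABLES -t nat -A POSTROUTING -o "$INSIDE_IF" -d "$NETCACHE_IP" \
        -p tcp --dport "$CACHE_PORT" -j SNAT --to-source "$ROUTER_INSIDE_IP"
}

redirect_http_to_cache
```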