original destination IP address
opie at 817west.com
Wed Apr 27 17:09:46 CEST 2005
On Wed, Apr 27, 2005 at 06:25:53AM +0700, Ken Hilliard wrote:
> When using the REDIRECT target (e.g., doing transparent web proxying)
> the packet's destination IP address is mangled to 127.0.0.0.
no--it's not. this is the most common misconception i see.
"-j REDIRECT" rewrites the destination IP to be the IP address of the
input interface. if you try to write a filter rule to allow this
traffic--this becomes a useful tidbit.
> When using
> proxy web servers like Apache or Squid do they automatically retrieve
> the original destination IP address?
they use the HTTP Host: Header to determine the origin server to fetch
the content from.
> For HTTP v1.1 the host is included
> in the request header so the proxy does not strictly need it. But HTTP
> v1.0 does not contain the host name/IP address. I've read there is a
> netfilter version of the getsockopt function. Do they use this or some
> other mechanism?
whatcha talkin' 'bout, willis? the GET request specifies HTTP/1.0 or
HTTP/1.1, the Host: Header is sent separately whether the GET is 1.0
or 1.1. if what you're saying was accurate, name-based virtual hosting
wouldn't work with HTTP/1.0...and um--it does...
here's a snippet of lynx tracelog that shows this:
GET / HTTP/1.0\r
Accept: text/html, text/plain, application/x-ica, text/sgml, video/mpeg,
peg, image/tiff, image/x-rgb, image/png, image/x-xbitmap, image/x-xbm,
, application/postscript, */*;q=0.01\r
User-Agent: Lynx/2.8.5rel.1 libwww-FM/2.14 SSL-MM/1.4.1 OpenSSL/0.9.7e\r
"Chris: Cheesy Charlie's is great. They have a game where you put in a
dollar and you get four quarters. I win every time."
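
The two mechanisms discussed in this thread, combined in an added example that is not part of the original post and not Squid's or Apache's code: take the origin from the Host: header when the client sent one, otherwise fall back to the pre-REDIRECT destination that netfilter exposes through getsockopt(SO_ORIGINAL_DST). The helper names, the sample request and the sample address are assumptions made up for illustration.

```c
/* Added example; helper names are hypothetical, sample data is constructed. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>
#include <sys/socket.h>
#ifndef SO_ORIGINAL_DST
#define SO_ORIGINAL_DST 80 /* same value as <linux/netfilter_ipv4.h> */
#endif

/* Pre-REDIRECT destination of an accepted socket; -1 if conntrack has none. */
int original_dst(int fd, struct sockaddr_in *out) {
    socklen_t len = sizeof(*out);
    return getsockopt(fd, SOL_IP, SO_ORIGINAL_DST, out, &len);
}

/* Copy the Host: value from a raw request head; 1 if found, else 0. */
int host_header(const char *req, char *out, size_t outlen) {
    const char *line = strstr(req, "\r\n"); /* end of the request line */
    while (line && line[2] != '\r' && line[2] != '\0') {
        line += 2;
        if (strncasecmp(line, "Host:", 5) == 0) {
            const char *v = line + 5 + strspn(line + 5, " \t");
            size_t n = strcspn(v, "\r\n");
            if (n == 0 || n >= outlen) return 0;
            snprintf(out, outlen, "%.*s", (int)n, v);
            return 1;
        }
        line = strstr(line, "\r\n");
    }
    return 0;
}

/* Host header if sent (returns 1), else the dialed address as ip:port (0). */
int pick_origin(const char *req, const struct sockaddr_in *orig, char *out, size_t outlen) {
    char ip[INET_ADDRSTRLEN];
    if (host_header(req, out, outlen)) return 1;
    inet_ntop(AF_INET, &orig->sin_addr, ip, sizeof ip);
    snprintf(out, outlen, "%s:%u", ip, (unsigned)ntohs(orig->sin_port));
    return 0;
}

int main(void) {
    struct sockaddr_in o = { .sin_family = AF_INET, .sin_port = htons(80) };
    char out[64];
    inet_pton(AF_INET, "192.0.2.10", &o.sin_addr); /* stands in for original_dst(fd, &o) */
    pick_origin("GET / HTTP/1.0\r\nAccept: */*\r\n\r\n", &o, out, sizeof out);
    return puts(out) < 0;
}
```

In a real proxy, original_dst() is called on the socket returned by accept(); it only succeeds when the connection has a NAT entry in conntrack.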