original destination IP address

Jason Opperisano opie at 817west.com
Wed Apr 27 17:09:46 CEST 2005


On Wed, Apr 27, 2005 at 06:25:53AM +0700, Ken Hilliard wrote:
> When using the REDIRECT target (e.g., doing transparent web proxying)
> the packet's destination IP address is mangled to 127.0.0.0.

no--it's not.  this is the most common misconception i see.  
"-j REDIRECT" rewrites the destination IP to be the IP address of the
input interface.  if you try to write a filter rule to allow this
traffic--this becomes a useful tidbit.

> When using
> proxy web servers like Apache or Squid do they automatically retrieve
> the original destination IP address?

they use the HTTP Host: Header to determine the origin server to fetch
the content from.

> For HTTP v1.1 the host is included
> in the request header so the proxy does not strictly need it. But HTTP
> v1.0 does not contain the host name/IP address. I've read there is a
> netfilter version of the getsockopt function. Do they use this or some
> other mechanism?

whatcha talkin' 'bout, willis?  the GET request specifies HTTP/1.0 or
HTTP/1.1, the Host: Header is sent separately whether the GET is 1.0
or 1.1.  if what you're saying was accurate, name-based virtual hosting
wouldn't work with HTTP/1.0...and um--it does...

here's a snippet of lynx tracelog that shows this:

GET / HTTP/1.0\r
Host: foo.817west.com\r
Accept: text/html, text/plain, application/x-ica, text/sgml, video/mpeg, image/jpeg, image/tiff, image/x-rgb, image/png, image/x-xbitmap, image/x-xbm, image/gif, application/postscript, */*;q=0.01\r
Accept-Language: en\r
User-Agent: Lynx/2.8.5rel.1 libwww-FM/2.14 SSL-MM/1.4.1 OpenSSL/0.9.7e\r
\r

-j

--
"Chris: Cheesy Charlie's is great. They have a game where you put in a
 dollar and you get four quarters. I win every time."
        --Family Guy
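
The two mechanisms discussed in this message, side by side, as an added example (not code from the thread, Squid or Apache): reading the origin server from the Host: header, and decoding the pre-REDIRECT address that the netfilter getsockopt option SO_ORIGINAL_DST returns. The function names and the fallback order are assumptions made for illustration; the first sample request is shortened from the lynx trace above, the second is constructed.

```python
import socket
import struct

SO_ORIGINAL_DST = 80  # option number from <linux/netfilter_ipv4.h>

# Shortened from the lynx trace in the message above.
SAMPLE_WITH_HOST = (b"GET / HTTP/1.0\r\n"
                    b"Host: foo.817west.com\r\n"
                    b"Accept-Language: en\r\n\r\n")
# Constructed: an HTTP/1.0 request from a client that sends no Host: header.
SAMPLE_NO_HOST = b"GET / HTTP/1.0\r\n\r\n"


def host_from_request(raw):
    """Return (host, port) taken from the Host: header, or None if absent."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:       # skip the request line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            value = value.strip().decode("ascii")
            host, colon, port = value.rpartition(":")
            if colon and port.isdigit():       # "name:8080" or "[::1]:8080"
                return host, int(port)
            return value, 80                   # no explicit port
    return None


def parse_sockaddr_in(buf):
    """Decode the struct sockaddr_in that SO_ORIGINAL_DST fills in."""
    # 2 bytes family (skipped), 2 bytes port and 4 bytes address,
    # both in network byte order; the remaining 8 bytes are padding.
    port, addr = struct.unpack_from("!2xH4s", buf)
    return socket.inet_ntoa(addr), port


def original_dst(conn):
    """Ask conntrack for the destination the client originally dialled.

    Only works on Linux, on an accepted TCP socket whose connection was
    rewritten by REDIRECT/DNAT; otherwise getsockopt raises OSError.
    """
    return parse_sockaddr_in(conn.getsockopt(socket.SOL_IP, SO_ORIGINAL_DST, 16))


def pick_origin(raw, conn=None):
    """Prefer Host:, fall back to the pre-REDIRECT address (assumed policy)."""
    origin = host_from_request(raw)
    if origin is None and conn is not None:
        origin = original_dst(conn)
    return origin
```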


