My requirement is to have a transparent proxy in some sense: the TCP packets should be proxied by box A to a server on box B, and back from B to the client (via A, I guess). The server on box B should see the original IP address of the client. When I do SNAT on A, the original IP becomes invisible to box B, which is not acceptable for my application. Is there a way to do this without using squid, with iptables and iproute2 tools only?

I have the following (simplified) network topology:

    WAN ----- BOX A ----- LAN ------ BOX B ------ WAN

Assuming that BOX A has WAN ip 1.2.3.4, LAN ip 10.0.0.1 and BOX B has LAN ip 10.0.0.2, and the clients connect to port 5224 on box A, this is what I have tried:

On box A:

    # iptables -t nat -A PREROUTING -d 1.2.3.4 -p tcp -m tcp --dport 5224 -j DNAT --to-destination 10.0.0.2:5224

On box B, I can verify that the SYN packets containing the original client ip are received via the LAN interface. The server on B is listening on 10.0.0.2:5224. I tried to route the response from this server back to A:

On B:

    # ip rule ls
    0:      from all lookup local
    32764:  from 10.0.0.2 lookup 3
    32766:  from all lookup main
    32767:  from all lookup default
    # ip route ls table 3
    default via 10.0.0.1 dev eth1

My problem is that I cannot see response (ACK) packets from the server on B anywhere, neither on A, nor even on B. I suspect the problem is incorrect routing on B, but I do not know how to capture the outbound packets before routing. What am I doing wrong?

_______________________________________________
LARTC mailing list
LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
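The DNAT-on-A plus policy-routing-on-B setup from the post, as an added example script (not from the original message): it wraps both halves in functions with a dry-run mode, adds the ip_forward setting A needs, and includes a reverse-path-filter check on B, since a SYN arriving on eth1 with a WAN source is silently discarded under strict rp_filter whenever the reverse route for that source does not point at eth1. Addresses, port and the eth1 name on B are taken from the post; everything else is an assumption.

```shell
#!/bin/sh
# Example script (not the poster's own); DRY_RUN=1 prints commands instead of running them.
DRY_RUN="${DRY_RUN:-0}"
A_WAN_IP=1.2.3.4     # from the post
A_LAN_IP=10.0.0.1    # from the post
B_LAN_IP=10.0.0.2    # from the post
PORT=5224            # from the post
TABLE=3              # routing table used on B in the post

run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# Box A: rewrite the destination of client connections to box B, keeping the
# client source address intact. Forwarding must be on, or the DNATed SYN never leaves A.
box_a_rules() {
  run iptables -t nat -A PREROUTING -d "$A_WAN_IP" -p tcp --dport "$PORT" \
      -j DNAT --to-destination "$B_LAN_IP:$PORT"
  run sysctl -w net.ipv4.ip_forward=1
}

# Box B: anything sourced from the server address goes back via A's LAN address,
# so replies retrace the path the DNATed SYN came in on.
box_b_rules() {
  run ip rule add from "$B_LAN_IP" lookup "$TABLE"
  run ip route add default via "$A_LAN_IP" dev eth1 table "$TABLE"
}

# Map an rp_filter sysctl value to its meaning (0 off, 1 strict, 2 loose).
rp_filter_mode() {
  case "$1" in
    0) echo off ;; 1) echo strict ;; 2) echo loose ;; *) echo unknown ;;
  esac
}

# tcpdump taps the interface before the reverse-path check, so a dropped SYN still
# shows up in a capture; log_martians=1 makes such drops visible in the kernel log.
check_b_rp_filter() {
  f=/proc/sys/net/ipv4/conf/eth1/rp_filter
  [ -r "$f" ] || { echo "no $f on this host"; return 0; }
  mode=$(rp_filter_mode "$(cat "$f")")
  echo "eth1 rp_filter: $mode"
  if [ "$mode" = strict ]; then
    echo "strict rp_filter on eth1 drops SYNs whose reverse route is not eth1; consider 2 (loose)"
    run sysctl -w net.ipv4.conf.eth1.log_martians=1
  fi
}

case "${1:-}" in
  a) box_a_rules ;;              # run on box A:  sh proxy.sh a
  b) box_b_rules; check_b_rp_filter ;;   # run on box B:  sh proxy.sh b
esac
```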