I wrote:
> Is there any way to force a REDIRECT to (e.g.) a local Web
> server _after_ SNAT has been done? I have a Truly Evil Scheme
> to map VLANs to SNAT address ranges, and I want it to work with a
> transparent proxy -on the same device-
> (I'm pretty sure it would work fine split across two devices).
> ...
George Vieira wrote:
> I know what your trying to do.. there is no way really as even
> large ISPs who use TProxies don't do this and when you browse
> some sites they say "Hey, your from <insert IP here>" and it's
> not yours...
>
> The reason it won't work is that once REDIRECT runs it enters
> Squid immediately and squid then takes over and you can't change
> the address.
> If you SNAT it first, then it just goes out and the REDIRECT
> won't activate..
Thanks for this, but I'm guessing that your guess of what I'm trying to do,
while most interesting itself, isn't actually what I'm doing... ;-) You
seem to be suggesting a totally-transparent-proxy which preserves the
client's IP (a problem that hadn't occurred to me, but still worthy of a
fix!)
Ironically, I'm not so much trying to preserve the client's IP as obliterate
it altogether! The scenario is a 'public access' network in which I don't
trust the clients even to have correct IP settings (nor Do The Right Thing
by requesting DHCP) - not even to avoid clashing IP addresses! The only
thing I can trust about them is they all appear on different VLANs at my
firewall, because I built the switched network that way. With Geneva
Convention-breaking (ab)use of Proxy-ARP, I can at least get them to talk to
me, but I need a way of routing back to them in a way that a conventional
server can use.
Hence what I'm thinking of is a VLAN-marked-SNAT scheme where I map incoming
VLANs to non-overlapping (private) IP ranges - a kind of mummy-knows-best
network-fixer. I'm pretty sure this would work fine as a pure router device
talking to some other servers, but I'm also a cheapskate and want to run
local services (including, but not limited to, squid) on the same machine.
Hence I need squid (and other local services) to see the same SNAT-ted
addresses as the outside world - and also, of course, for their output to be
de-SNAT-ted back to the VLANs. And for Christmas, I also want another level
of SNAT again to do a conventional NAT-ted public IP interface, all in the
same box... Not asking much, am I?
I was considering doing something with a DNAT to another external (virtual?)
interface address on the same machine (as opposed to the usual localhost
REDIRECT), but I suspect the routing code would spot this and deliver it
unmunged to INPUT before SNAT gets to it.
What seems to be needed is a way of wrapping the entire netfilter process in
a lump and 'calling' it from the MANGLE stage of an outer one - 'recursive
netfilter', if you like. Just a thought - would LVS help here, or is
netfilter still shared between virtual servers?
---------------------------------------
| Top-level netfilter |
| |
| -------- ----- ------ |
dumb | |sub-nf | /ROUTE\ |POSTR | |
clients -|--|VLAN<>IP|----\ /------| more |--|-> World
VLAN 1-n | | SNAT | --|-- | SNAT | |
| -------- ---|----- ------ |
| | local | |
| | services| |
| --------- |
---------------------------------------
I guess I could write a new iptables module (more likely low-level netfilter
module) to do all this, but I'm also very lazy and like building things from
kits ;-)
Thanks
Paul
