On Mon 26/04/2004 at 19:49, Travis Johnson wrote:
> No, this machine is not a bridge. It will simply sit and watch the
> traffic go by.

You can't do that this way, for you will duplicate traffic, as original
packets will continue their journey to their original destination. You
have to _intercept_ it. This kind of setting is OK:

    Internet ----- FW ------ DMZ
                   |
                   |
                   `--- Alt.Web

On the firewall, you set a mark-based routing for HTTP packets to
Alt.Web (see lartc.org cookbook). On Alt.Web, you set a REDIRECT NAT
for HTTP packets to proxy port (e.g. 3128):

    iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT \
        --to-ports 3128

HTTP proxy has to be configured for transparent proxying (see Squid
docs).

If you want interception to be more "transparent", you can use a bridge
and use ebtables broute table or frame diverter in order to catch HTTP
packets on the fly.

--
http://www.netexit.com/~sid/
PGP KeyID: 157E98EE
FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE

>> Hi! I'm your friendly neighbourhood signature virus.
>> Copy me to your signature file and help me spread!
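The mail above says the proxy on Alt.Web "has to be configured for transparent proxying" but does not show what that means in practice. The piece Squid handles for you, and that a home-grown interceptor must do itself, is recovering the client's real destination: once iptables has REDIRECTed the connection, the accepting socket's local address is the proxy's own, so the original target has to be asked from the kernel via the SO_ORIGINAL_DST socket option. The following is an added example written for this reply, not code from the original mail or from Squid; it assumes Linux, the PREROUTING REDIRECT rule from the mail sending port-80 traffic to port 3128, and that the firewall's mark-based route already delivers the packets to this host. The listening port, the helper names and the sample request bytes are the example's own.

```python
"""Minimal transparent HTTP interception proxy for the Alt.Web box.

Added example (not from the original mail). Assumes Linux plus the
iptables rule  -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT
--to-ports 3128  so that every client connection to port 80 lands on
LISTEN_PORT here.
"""
from __future__ import annotations

import socket
import struct
import threading

LISTEN_PORT = 3128   # must match --to-ports in the REDIRECT rule
SOL_IP = 0           # IPPROTO_IP, from <netinet/in.h>
SO_ORIGINAL_DST = 80 # from <linux/netfilter_ipv4.h>; Linux only


def pack_sockaddr_in(ip: str, port: int) -> bytes:
    """Build a 16-byte struct sockaddr_in (used here to construct test data).

    sin_family is a native-order short; sin_port and sin_addr are in
    network byte order; the last 8 bytes are zero padding.
    """
    return struct.pack("=H", socket.AF_INET) + port.to_bytes(2, "big") \
        + socket.inet_aton(ip) + bytes(8)


def parse_original_dst(raw: bytes) -> tuple[str, int]:
    """Decode the struct sockaddr_in that getsockopt(SO_ORIGINAL_DST) returns."""
    if len(raw) < 8:
        raise ValueError("sockaddr_in too short")
    family, port_be, addr_be = struct.unpack("=H2s4s", raw[:8])
    if family != socket.AF_INET:
        raise ValueError(f"unexpected address family {family}")
    return socket.inet_ntoa(addr_be), int.from_bytes(port_be, "big")


def get_original_dst(conn: socket.socket) -> tuple[str, int]:
    """Ask the kernel where the client really wanted to go.

    After REDIRECT, conn.getsockname() is the proxy's own address, so the
    destination must come from conntrack through this socket option.
    """
    return parse_original_dst(conn.getsockopt(SOL_IP, SO_ORIGINAL_DST, 16))


def parse_request_head(head: bytes) -> tuple[str, str | None]:
    """Return (request line, Host header or None) from the first header block."""
    lines = head.split(b"\r\n")
    request_line = lines[0].decode("latin-1", "replace")
    host = None
    for line in lines[1:]:
        if line.lower().startswith(b"host:"):
            host = line[5:].strip().decode("latin-1", "replace")
            break
    return request_line, host


def _pump(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes one way until EOF, then half-close the destination."""
    try:
        while chunk := src.recv(65536):
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def handle(conn: socket.socket, client: tuple[str, int]) -> None:
    """Log who asked for what, then relay the connection to its real target.

    The original destination address, not the Host header, decides where
    the bytes go: the header is client-supplied and only logged.
    """
    orig_ip, orig_port = get_original_dst(conn)
    head = conn.recv(65536)
    request_line, host = parse_request_head(head)
    print(f"{client[0]}:{client[1]} -> {orig_ip}:{orig_port} "
          f"Host={host!r} {request_line!r}")
    upstream = socket.create_connection((orig_ip, orig_port), timeout=30)
    upstream.sendall(head)
    back = threading.Thread(target=_pump, args=(upstream, conn), daemon=True)
    back.start()
    _pump(conn, upstream)
    back.join()
    upstream.close()
    conn.close()


def serve(port: int = LISTEN_PORT) -> None:
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(("0.0.0.0", port))
        srv.listen(128)
        while True:
            conn, client = srv.accept()
            threading.Thread(target=handle, args=(conn, client),
                             daemon=True).start()


if __name__ == "__main__":
    serve()
```

Run it as root on Alt.Web after loading the REDIRECT rule; each intercepted request produces one log line of the form `client -> original destination Host=... request-line`, which is the record a defender wants from an interception point. The relay uses the original destination from the kernel rather than the Host header, so a client cannot steer the proxy somewhere else by lying in the header; the header is only logged for comparison.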