On Feb 9 2007 22:38, Pascal Hambourg wrote:

> Jan Engelhardt wrote:
>>
>> > I may be wrong, but doing IP NAT on a bridge seems to me quite
>> > unnatural and troublesome.
>>
>> A bridge is like a 'direct connection' so you cannot use NAT.
>
> My idea of a bridge is a kind of software switch.
> Then why did you mention "setting up your proxy box as bridge" ?

Ok so I confused what the OP wanted [-t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination x.y.z:80] with "the box does an rinetd-style approach" [e.g. squid], so that the connection is not DNATed (A->C) but two connections actually exist (A->B, B->C).

However, the more I think of it, there actually is a way with proxy-on-a-bridge. Though, it's more like "degrading the bridge to a router":

# in the broute table, DROP means "route this frame" rather than discard it;
# ebtables -p takes an Ethernet protocol, so TCP ports are matched via --ip-*
ebtables -t broute -A BROUTING -i Intern -p IPv4 --ip-proto tcp --ip-dport 80 -j DROP
ebtables -t broute -A BROUTING -i Extern -p IPv4 --ip-proto tcp --ip-sport 80 -j DROP

Jan
--
ft: http://freshmeat.net/p/chaostables/
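The "degrade the bridge to a router for port 80" idea above, written out as a small script (an added example, not part of the thread): port-80 frames from the LAN side are brouted to the IP stack and then sent to a local proxy with an iptables REDIRECT, so the connection is A->B, B->C rather than a DNATed A->C. The interface names Intern/Extern, the proxy port 3128, and the DRY_RUN switch are assumptions; the bridge device needs an IP address for the proxy to answer on.

```shell
#!/bin/sh
# Added example; interface names, proxy port and DRY_RUN are assumptions.
INTERN=${INTERN:-Intern}         # LAN-side bridge port (assumed name)
EXTERN=${EXTERN:-Extern}         # upstream bridge port (assumed name)
PROXY_PORT=${PROXY_PORT:-3128}   # local transparent proxy, e.g. squid (assumed)
DRY_RUN=${DRY_RUN:-1}            # 1 = print the commands instead of running them

# Print or execute a command, so the rule set can be reviewed before it is applied.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Pull client port-80 traffic out of the bridge path.  In the broute table,
# a DROP verdict means "hand the frame to the IP stack (route it)", not
# discard it.  ebtables -p matches the Ethernet protocol, so the TCP port
# is matched with --ip-proto/--ip-dport.  The redirect target rewrites the
# destination MAC to the bridge's own, so the IP stack accepts the frame.
broute_rules() {
    run ebtables -t broute -A BROUTING -i "$INTERN" -p IPv4 \
        --ip-proto tcp --ip-dport 80 -j redirect --redirect-target DROP
}

# Once routed, normal iptables nat rules apply: divert the client connection
# to the local proxy.  The proxy then opens its own connection to the server
# from the bridge's IP, so replies are addressed to the bridge itself and no
# return-path broute rule on $EXTERN is needed for this variant.
nat_rules() {
    run iptables -t nat -A PREROUTING -p tcp --dport 80 \
        -j REDIRECT --to-ports "$PROXY_PORT"
}

apply_all() {
    broute_rules
    nat_rules
}

if [ "${1:-}" = apply ]; then
    apply_all
fi
```

Run it without arguments to see the rule set, and with `DRY_RUN=0 ./script.sh apply` on the bridge to install it.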