RE: "distributed router" question

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Thanks Robert.

My requirement is to have a transparent proxy in some sense: the TCP packets
should be proxied by box A to a server on box B, and back from B to the
client (via A I guess). The server on box B should see the original IP
address of the client. When I do SNAT on A, the original IP becomes
invisible for box B.

Is there a way to do this without using squid, with iptables only? 

>-----Original Message-----
>From: netfilter-bounces@xxxxxxxxxxxxxxxxxxx 
>[mailto:netfilter-bounces@xxxxxxxxxxxxxxxxxxx] On Behalf Of 
>Robert Nichols
>Sent: Saturday, February 24, 2007 5:59 PM
>To: netfilter@xxxxxxxxxxxxxxxxxxx
>Subject: Re: "distributed router" question
>
>Alec Matusis wrote:
>> Hi Silvio,
>> 
>> Thanks for your response. 
>> 
>> I still do not understand why SNATting in B to public IP of 
>box A would not
>> work?
>> By this I mean the following:
>> 
>> 1) Client sends packet to box A ( src: 9.10.11.12 dst: 1.2.3.4 )
>> 2) Box A does DNAT (PREROUTING) to box B ( src: 9.10.11.12 
>dst: 10.0.0.2 )
>> 
>> Box B receives the packet and replies directly to the client:
>> 1) Box B does SNAT (POSTROUTING) using box A WAN as source 
>(src: 1.2.3.4
>> dst: 9.10.11.12)
>> 
>> There are two reasons why I'd like to implement it this way:
>> 
>> a) Reduce the load on box A so that the packets from B go 
>directly to the
>> client 9.10.11.12, bypassing A.
>> b) The server on box B must log the IPs of all clients (i.e. log the
>> original client IP  9.10.11.12) 
>> 
>> Thank you,
>> 
>> Alec Matusis
>
>You can make that work for UDP, but for TCP box A will see 
>only half-open
>connections (it will never see the SYN/ACK) and reject the 
>payload packets
>as invalid.
>
>-- 
>Bob Nichols         Yes, "NOSPAM" is really part of my email address.
>
>



[Index of Archives]     [Linux Netfilter Development]     [Linux Kernel Networking Development]     [Netem]     [Berkeley Packet Filter]     [Linux Kernel Development]     [Advanced Routing & Traffice Control]     [Bugtraq]

  Powered by Linux