Thanks Robert. My requirement is to have a transparent proxy in some sense: the TCP packets should be proxied by box A to a server on box B, and back from B to the client (via A, I guess). The server on box B should see the original IP address of the client. When I do SNAT on A, the original IP becomes invisible to box B. Is there a way to do this without using squid, with iptables only?

>-----Original Message-----
>From: netfilter-bounces@xxxxxxxxxxxxxxxxxxx
>[mailto:netfilter-bounces@xxxxxxxxxxxxxxxxxxx] On Behalf Of
>Robert Nichols
>Sent: Saturday, February 24, 2007 5:59 PM
>To: netfilter@xxxxxxxxxxxxxxxxxxx
>Subject: Re: "distributed router" question
>
>Alec Matusis wrote:
>> Hi Silvio,
>>
>> Thanks for your response.
>>
>> I still do not understand why SNATting in B to the public IP of box A would not
>> work?
>> By this I mean the following:
>>
>> 1) Client sends packet to box A ( src: 9.10.11.12 dst: 1.2.3.4 )
>> 2) Box A does DNAT (PREROUTING) to box B ( src: 9.10.11.12 dst: 10.0.0.2 )
>>
>> Box B receives the packet and replies directly to the client:
>> 1) Box B does SNAT (POSTROUTING) using box A WAN as source ( src: 1.2.3.4 dst: 9.10.11.12 )
>>
>> There are two reasons why I'd like to implement it this way:
>>
>> a) Reduce the load on box A so that the packets from B go directly to the
>> client 9.10.11.12, bypassing A.
>> b) The server on box B must log the IPs of all clients (i.e. log the
>> original client IP 9.10.11.12)
>>
>> Thank you,
>>
>> Alec Matusis
>
>You can make that work for UDP, but for TCP box A will see only half-open
>connections (it will never see the SYN/ACK) and reject the payload packets
>as invalid.
>
>--
>Bob Nichols     Yes, "NOSPAM" is really part of my email address.
>
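The failure Robert describes, shown as an added example that is not part of the thread and not netfilter code: a reduced model of the TCP state tracking in nf_conntrack_proto_tcp.c (only the SYN, SYN/ACK and ACK rows, only the handshake states), replayed with the packets box A would see on the normal symmetric path and on the asymmetric path proposed above. The packet sequences and the UDP model are constructed for the example; the transition entries are taken from the kernel's tcp_conntracks table.

```python
"""Why DNAT on box A plus a direct, SNATed reply from box B breaks for TCP.

Example code added to this thread, not netfilter code. It models the TCP
state tracking in nf_conntrack_proto_tcp.c with a reduced transition table
and replays what box A's connection tracker sees in each scenario.
"""

# Connection-tracking states (subset of the kernel's).
NONE = "NONE"                # no entry yet
SYN_SENT = "SYN_SENT"        # SYN seen in the original direction
SYN_RECV = "SYN_RECV"        # SYN/ACK seen in the reply direction
ESTABLISHED = "ESTABLISHED"  # handshake completed

# Per-packet verdicts that do not change the state.
INVALID = "INVALID"          # packet is not associated with the entry; NAT is not applied
IGNORE = "IGNORE"            # packet passes, state unchanged

# Transition tables indexed [flag class][current state], one per direction,
# reduced from the tcp_conntracks table in nf_conntrack_proto_tcp.c.
ORIGINAL = {
    "syn":    {NONE: SYN_SENT, SYN_SENT: SYN_SENT, SYN_RECV: IGNORE, ESTABLISHED: IGNORE},
    "synack": {NONE: INVALID, SYN_SENT: INVALID, SYN_RECV: SYN_RECV, ESTABLISHED: INVALID},
    # NONE -> ESTABLISHED is the mid-stream "loose" pickup (nf_conntrack_tcp_loose=1).
    # SYN_SENT -> INVALID is this thread's case: an ACK before any SYN/ACK was seen.
    "ack":    {NONE: ESTABLISHED, SYN_SENT: INVALID, SYN_RECV: ESTABLISHED,
               ESTABLISHED: ESTABLISHED},
}
REPLY = {
    "synack": {NONE: INVALID, SYN_SENT: SYN_RECV, SYN_RECV: IGNORE, ESTABLISHED: IGNORE},
    "ack":    {NONE: INVALID, SYN_SENT: IGNORE, SYN_RECV: SYN_RECV, ESTABLISHED: ESTABLISHED},
}


def classify(flags):
    """Map a TCP flag string (letters S, A, P, F, R) to the table row the kernel uses."""
    if "R" in flags or "F" in flags:
        raise ValueError("RST/FIN rows are not part of this reduced model")
    if "S" in flags:
        return "synack" if "A" in flags else "syn"
    if "A" in flags:
        return "ack"  # bare ACKs and data segments ("PA") share this row
    raise ValueError("segment without S or A")


def track_tcp(packets):
    """Replay (direction, flags) pairs through the tracker.

    Returns (per-packet results, final state). A result is the state after the
    packet, or INVALID for a packet the tracker refuses to associate with the
    connection (the kernel then applies no NAT mapping to it).
    """
    state = NONE
    results = []
    for direction, flags in packets:
        table = ORIGINAL if direction == "orig" else REPLY
        row = classify(flags)
        if row not in table:
            raise ValueError(f"{row} in {direction} direction is not modelled")
        nxt = table[row][state]
        if nxt == INVALID:
            results.append(INVALID)  # state untouched, packet left untranslated
        elif nxt == IGNORE:
            results.append(state)
        else:
            state = nxt
            results.append(state)
    return results, state


def track_udp(packets):
    """UDP has no handshake: the first datagram creates a NEW entry and the
    entry becomes ESTABLISHED only once a reply is seen. A well-formed
    datagram is never INVALID, so a missing reply path does no harm."""
    replied = False
    results = []
    for direction, _ in packets:
        if direction == "reply":
            replied = True
        results.append(ESTABLISHED if replied else "NEW")
    return results


# Constructed: what box A sees when B's replies return through A (plain DNAT).
SYMMETRIC_PATH = [
    ("orig", "S"),    # client 9.10.11.12 -> 1.2.3.4, DNATed to 10.0.0.2
    ("reply", "SA"),  # B's SYN/ACK, translated back by A's conntrack entry
    ("orig", "A"),
    ("orig", "PA"),   # first payload segment
]

# Constructed: what box A sees when B SNATs to 1.2.3.4 itself and answers the
# client directly, bypassing A. The SYN/ACK never passes through A.
ASYMMETRIC_PATH = [
    ("orig", "S"),
    ("orig", "A"),    # client's handshake ACK, but A never saw a SYN/ACK
    ("orig", "PA"),   # payload gets the same verdict
]

# Constructed: the same asymmetric path with UDP datagrams.
UDP_ASYMMETRIC_PATH = [("orig", "datagram"), ("orig", "datagram")]


if __name__ == "__main__":
    for name, seq in (("symmetric", SYMMETRIC_PATH), ("asymmetric", ASYMMETRIC_PATH)):
        results, final = track_tcp(seq)
        print(f"{name:10s} {results} -> final state {final}")
    print(f"udp        {track_udp(UDP_ASYMMETRIC_PATH)}")
```

On the asymmetric path the entry stays in SYN_SENT, so every later segment from the client hits the SYN_SENT/ACK cell and is classified INVALID; the kernel applies no NAT mapping to such a packet, so it is not rewritten to 10.0.0.2 and never reaches box B, even without an explicit `-m state --state INVALID -j DROP` rule. The UDP run shows why Robert's exception holds: the entry simply stays NEW and every datagram is still translated.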