Alec Matusis wrote:
Thanks Robert. My requirement is to have a transparent proxy in some sense: the TCP packets should be proxied by box A to a server on box B, and back from B to the client (via A I guess). The server on box B should see the original IP address of the client. When I do SNAT on A, the original IP becomes invisible for box B.
You just need to ensure that packets from B to the client get routed via box A. That is a routing issue, not a netfilter problem. Depending on what other traffic is going to/from box B, the solution could be as simple as making box A the gateway for the default route out of box B. If B is handling other traffic that does not go through A, then you'll probably need to use the advanced routing features of iproute2 to selectively route the packets. There's a rather extensive "Linux Advanced Routing & Traffic Control HOWTO" available from http://lartc.org .

--
Bob Nichols
Yes, "NOSPAM" is really part of my email address.
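The setup Bob describes, as an added example that is not part of the thread: box A rewrites only the destination (DNAT, no SNAT), so box B still sees the client's source address, and box B gets a fwmark-based policy route (the iproute2 technique from the LARTC HOWTO) so replies to proxied connections return via A even when B's default route points elsewhere. All addresses, the port and the table/mark numbers are assumed placeholders; the script prints each command and only executes it when run as root with APPLY=1.

```shell
#!/bin/sh
# Added example: transparent DNAT proxy on box A with return routing on box B.
# Addresses below are constructed placeholders (RFC 5737 / RFC 1918 ranges).
set -eu

A_EXT=203.0.113.10   # box A: address the clients connect to (assumed)
A_INT=10.0.0.1       # box A: address on the A<->B link (assumed)
B_INT=10.0.0.2       # box B: address the real server listens on (assumed)
PORT=8080            # proxied service port (assumed)
TABLE=100            # routing table on B reserved for proxied replies
MARK=1               # fwmark used to select that table

# Print a command; execute it only when APPLY=1 (requires root).
run() { echo "$*"; [ "${APPLY:-0}" = "1" ] && "$@"; return 0; }

# Box A: change the destination only. Without SNAT the forwarded packet
# keeps the client's source IP, so B logs the real client. Conntrack on A
# un-DNATs the replies, but only if they actually pass back through A.
box_a_rules() {
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -t nat -A PREROUTING -p tcp -d "$A_EXT" --dport "$PORT" \
        -j DNAT --to-destination "$B_INT:$PORT"
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -p tcp -d "$B_INT" --dport "$PORT" -j ACCEPT
}

# Box B: if A is already B's default gateway nothing is needed here.
# Otherwise mark replies leaving the service port and route only those
# via A; all other traffic from B keeps using the main table.
box_b_routes() {
    run iptables -t mangle -A OUTPUT -p tcp --sport "$PORT" \
        -j MARK --set-mark "$MARK"
    run ip route add default via "$A_INT" table "$TABLE"
    run ip rule add fwmark "$MARK" table "$TABLE"
}

# Dry run by default; set APPLY=1 on the respective box to apply.
if [ "${SHOW:-1}" = "1" ]; then
    echo "# box A"; box_a_rules
    echo "# box B"; box_b_routes
fi
```

Box A and box B each run only their own function; the mangle/ip rule pair on B is the selective form, and a plain default route via A replaces it in the simple case.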