On 7/6/05, Joost de Heer <sanguis@xxxxxxxxx> wrote:
> > I'm just wondering if it is possible to hide the ip address
> > of my squid box from the destination server. Because I see
> > that some sites are limiting their traffic for certain ip addresses.
>
> How do you expect the destination server to send back TCP packages if you
> hide the IP address?
>
> Joost
>
>

I think what he wants to do is to masquerade the requests from the squid
proxy server IP to the client's IPs. There is a patch for the Linux Kernel
(tproxy) but I do not use Linux.

Following advice from Henrik Nordström, I used tcp_outgoing_address and NAT
to masquerade the requests.

client IP -> squid -> squid sets tcp_outgoing_address to private IP
NAT masquerades private IP to client IP -> internet

Here is how it worked for a friend of mine.

NAT must use bidirectional mapping (1:1 mapping)
e.g.: client 1 public IP 1.2.3.1 bimapped to private IP 10.0.0.1
NAT must be done on the external interface (the one connecting squid to the
gateway/router)

We used FreeBSD and tested IPFILTER/IPNAT

example ipnat.conf

bimap $ext_if from 10.0.0.1/32 to 0.0.0.0/0 port = 80 -> 1.2.3.1/32
bimap $ext_if from 10.0.0.2/32 to 0.0.0.0/0 port = 80 -> 1.2.3.2/32
bimap $ext_if from 10.0.0.3/32 to 0.0.0.0/0 port = 80 -> 1.2.3.3/32
-----

Used the loopback interface to create the aliases for private IPs.
The alias netmask must be set to 255.255.255.255 to avoid conflicts

example:

ifconfig lo0 inet 10.0.0.1 netmask 0xffffffff alias
ifconfig lo0 inet 10.0.0.2 netmask 0xffffffff alias
ifconfig lo0 inet 10.0.0.3 netmask 0xffffffff alias
-----

edit squid.conf and

# to hide the proxy connection
header_access Via deny all
header_access X-Forwarded-For deny all

# insert acl for each client
acl Client1 src 1.2.3.1
acl Client2 src 1.2.3.2
acl Client3 src 1.2.3.3

# set tcp_outgoing_address to private IP for each Client
tcp_outgoing_address 10.0.0.1 Client1
tcp_outgoing_address 10.0.0.2 Client2
tcp_outgoing_address 10.0.0.3 Client3
-----

I hope this helps !!!

-- Regards. Abu Khaled
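
Added example, not part of the original message: the setup above only works when squid.conf, ipnat.conf and the lo0 aliases agree with each other, so this sketch cross-checks the three and reports each mismatch. The function name check_mapping and the sample inputs are constructed for illustration, and the parsing assumes exactly the line formats shown in the message.

```python
import re

def check_mapping(squid_conf, ipnat_conf, lo_aliases):
    """Return a list of inconsistencies between the three config pieces."""
    # acl <name> src <public client IP>
    acls = dict(re.findall(r"^acl\s+(\S+)\s+src\s+(\S+)", squid_conf, re.M))
    # tcp_outgoing_address <private IP> <acl name>
    outgoing = re.findall(r"^tcp_outgoing_address\s+(\S+)\s+(\S+)", squid_conf, re.M)
    # bimap <if> from <private>/32 to ... -> <public>/32
    bimaps = dict(re.findall(
        r"^bimap\s+\S+\s+from\s+(\S+)/32\s.*->\s*(\S+)/32", ipnat_conf, re.M))
    # Only aliases with the /32 netmask (0xffffffff) count, as the message requires.
    aliases = set(re.findall(
        r"^ifconfig\s+lo0\s+inet\s+(\S+)\s+netmask\s+0xffffffff\s+alias", lo_aliases, re.M))

    problems = []
    for private, acl in outgoing:
        if acl not in acls:
            problems.append(f"{private}: acl '{acl}' is not defined")
        if private not in aliases:
            problems.append(f"{private}: no /32 alias on lo0")
        if private not in bimaps:
            problems.append(f"{private}: no bimap rule")
        elif acl in acls and bimaps[private] != acls[acl]:
            problems.append(f"{private}: bimap maps to {bimaps[private]} "
                            f"but acl {acl} matches {acls[acl]}")
    return problems

# Constructed sample input with three deliberate mistakes.
SQUID_CONF = """
acl Client1 src 1.2.3.1
acl Client2 src 1.2.3.2
acl Client3 src 1.2.3.3
tcp_outgoing_address 10.0.0.1 Client1
tcp_outgoing_address 10.0.0.2 Cleint2
tcp_outgoing_address 10.0.0.3 Client3
"""
IPNAT_CONF = """
bimap $ext_if from 10.0.0.1/32 to 0.0.0.0/0 port = 80 -> 1.2.3.1/32
bimap $ext_if from 10.0.0.2/32 to 0.0.0.0/0 port = 80 -> 1.2.3.2/32
bimap $ext_if from 10.0.0.3/32 to 0.0.0.0/0 port = 80 -> 1.2.3.2/32
"""
LO_ALIASES = """
ifconfig lo0 inet 10.0.0.1 netmask 0xffffffff alias
ifconfig lo0 inet 10.0.0.2 netmask 0xffffffff alias
ifconfig lo0 inet 10.0.0.3 netmask 0xffffff00 alias
"""

if __name__ == "__main__":
    print("\n".join(check_mapping(SQUID_CONF, IPNAT_CONF, LO_ALIASES)))
```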