From: Jason Opperisano <opie@817west.com>
To: netfilter@lists.netfilter.org
Subject: Re: will port forwarding work here?
Date: Fri, 14 Jan 2005 10:55:49 -0500
Message-ID: <20050114155549.GA26172@bender.817west.com>
In-Reply-To: <20050114153508.GA1189@tranquility.scriptkitchen.com>
On Fri, Jan 14, 2005 at 10:35:08AM -0500, Payal Rathod wrote:
> Hi,
> I have 2 squid proxies on two different machines, 192.168.0.10 and
> 192.168.0.11. All my clients are configured to use 192.168.0.10:3128.
> Now I want a few specific clients to use 192.168.0.11:3128
> Is it possible to write some kind of rule on 192.168.0.10 which will
> *properly* redirect traffic from 192.168.0.10:3128 to
> 192.168.0.11:3128 for those clients. A friend on chat suggested (he
> was not sure),
>
> iptables -A PREROUTING -t nat -p tcp -s 192.168.0.10 --dport 3128 \
> -j DNAT --to-destination 192.168.0.11
>
> Is there anything else missing?
yeah--the same thing that everyone misses when they try and DNAT onto
the same local network:
1) client (192.168.0.100) sends TCP SYN to 192.168.0.10 port 3128
2) proxyA (192.168.0.10) DNATs the packet to 192.168.0.11
3) proxyB (192.168.0.11) receives SYN from 192.168.0.100 and replies
directly with SYN/ACK
4) client (192.168.0.100) receives SYN/ACK from 192.168.0.11 and drops
it, as client never sent a SYN to 192.168.0.11.
sound familiar? it feels familiar to me as i type it once again.
options:
1) for the machines that need to proxy to 192.168.0.11, just set their
proxy to be 192.168.0.11. no--it's not h4x0r l33t, but it's really
what you're trying to do, and the "right" way to do it.
2) duct tape it. on 192.168.0.10:
# DNAT requests from some clients to 192.168.0.11
iptables -t nat -A PREROUTING -p tcp -s $SOME_CLIENT --dport 3128 \
-j DNAT --to-destination 192.168.0.11
# make requests from some client look like they came from me to avoid
# asymmetric routing of the DNAT-ed connection
iptables -t nat -A POSTROUTING -p tcp -s $SOME_CLIENT --dport 3128 \
-d 192.168.0.11 -j SNAT --to-source 192.168.0.10
as always--i hate this solution for all the reasons everyone has brought
up every time this has come up previously--it's horribly
inefficient, it destroys your audit trail, etc...
-j
--
"No jury in the world is going to convict a baby ... Maybe Texas."
--The Simpsons
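The exchange in steps 1-4 above, and the effect of the option-2 SNAT rule, as an added worked example that is not part of the original thread. It is a small Python model of netfilter's DNAT, SNAT and conntrack reverse translation, just enough to show why the SYN/ACK comes back from 192.168.0.11 and gets dropped without the SNAT, why it is accepted with it, and what the SNAT does to the audit trail on the second proxy. The client address 192.168.0.100 (from the reply), the ephemeral port 40000 and the class names are assumptions for the demonstration; ip_forward, the FORWARD chain and ARP are not modelled.

```python
"""Constructed model (added example, not code from the original thread) of
the SYN / SYN-ACK exchange for a DNAT onto the same LAN.  It mimics
netfilter's DNAT, SNAT and conntrack reverse translation just far enough
to show why the DNAT alone fails and why the POSTROUTING SNAT makes the
reply route back through 192.168.0.10.  Addresses other than the two
proxies, the ephemeral port and the class names are assumptions."""
from dataclasses import dataclass, replace

PROXY_A, PROXY_B, SQUID_PORT = "192.168.0.10", "192.168.0.11", 3128
SOME_CLIENTS = {"192.168.0.100"}   # the $SOME_CLIENT set from the reply


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str          # "SYN" or "SYN/ACK"


class ProxyA:
    """192.168.0.10 running the option-2 nat rules.  conntrack maps the
    post-NAT forward tuple back to the packet as the client sent it."""

    def __init__(self, snat):
        self.snat = snat
        self.conntrack = {}
        self.access_log = []            # client addresses squid on A would log

    def handle(self, pkt):
        # Reply direction: a packet whose inverted tuple matches a NAT-ed
        # connection is translated back before it goes to the client.
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.conntrack:
            orig = self.conntrack[key]
            return replace(pkt, src=orig.dst, sport=orig.dport,
                           dst=orig.src, dport=orig.sport)
        out = pkt
        # nat PREROUTING: -p tcp -s $SOME_CLIENT --dport 3128 -j DNAT --to-destination 192.168.0.11
        if pkt.src in SOME_CLIENTS and pkt.dport == SQUID_PORT:
            out = replace(out, dst=PROXY_B)
        # nat POSTROUTING: -p tcp -s $SOME_CLIENT -d 192.168.0.11 --dport 3128 -j SNAT --to-source 192.168.0.10
        if self.snat and out.src in SOME_CLIENTS and out.dst == PROXY_B and out.dport == SQUID_PORT:
            out = replace(out, src=PROXY_A)
        if out == pkt:
            # No rule matched: the local squid on A answers the SYN itself.
            self.access_log.append(pkt.src)
            return Packet(PROXY_A, SQUID_PORT, pkt.src, pkt.sport, "SYN/ACK")
        self.conntrack[(out.src, out.sport, out.dst, out.dport)] = pkt
        return out


class ProxyB:
    """192.168.0.11: no NAT, it answers whoever the SYN claims to be from."""

    def __init__(self):
        self.access_log = []

    def handle(self, pkt):
        self.access_log.append(pkt.src)
        return Packet(PROXY_B, SQUID_PORT, pkt.src, pkt.sport, "SYN/ACK")


def simulate(snat, client_ip="192.168.0.100", sport=40000):
    """Send one SYN from client_ip to 192.168.0.10:3128 and report the
    client's verdict on the SYN/ACK plus what each squid would log."""
    a, b = ProxyA(snat), ProxyB()
    hosts = {PROXY_A: a.handle, PROXY_B: b.handle}
    pkt = Packet(client_ip, sport, PROXY_A, SQUID_PORT, "SYN")
    for _ in range(6):                 # a LAN delivers by destination address only
        if pkt.dst == client_ip:
            break
        pkt = hosts[pkt.dst](pkt)
    else:
        raise RuntimeError("packet never returned to the client")
    # A TCP client only accepts a SYN/ACK from the address:port it sent the SYN to.
    if (pkt.src, pkt.sport) == (PROXY_A, SQUID_PORT):
        verdict = "accepted"
    else:
        verdict = f"dropped: SYN/ACK from {pkt.src}:{pkt.sport}, SYN was sent to {PROXY_A}:{SQUID_PORT}"
    return verdict, b.access_log, a.access_log


if __name__ == "__main__":
    for snat in (False, True):
        verdict, b_log, a_log = simulate(snat)
        print(f"SNAT={snat!s:5} client: {verdict}; squid on B logged {b_log}")
```

Run it and the DNAT-only case reports the SYN/ACK arriving from 192.168.0.11:3128 and being dropped, while the SNAT case is accepted; the price is visible in the second proxy's log, which records 192.168.0.10 instead of the real client, which is the audit-trail loss the reply warns about. Clients outside $SOME_CLIENTS are untouched by either rule and are served by the squid on 192.168.0.10 as before.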