From: Grant Taylor <gtaylor@riverviewtech.net>
To: Trevor Paskett <tpaskett@cymphonix.com>
Cc: coreteam@netfilter.org, netfilter@lists.netfilter.org
Subject: Re: HELP! Transparent Proxy using bridging 2.6.9 and REDIRECT on different subnet
Date: Thu, 24 Mar 2005 02:50:12 -0600
Message-ID: <42427F44.8080608@riverviewtech.net>
In-Reply-To: <2F413D5F33545D4A8465BBEE900238CC3FA777@cymmail.cymphonix.com>
Bad news. I'm unable to get my system here at the house to intercept traffic destined to port 22 (I chose SSH to work / test with as I don't have Squid installed on anything here at the house) and redirect it to itself and successfully return the traffic back to my test workstation. What I was testing was a bit different than what you are asking for help on, but it should still serve as a proof of concept. I was attempting to redirect traffic that was passing through my test firewall destined to port 22 to the local host port 22. Below are the rules that I tested with:
iptables -t nat -A PREROUTING -p tcp --dport 22 -j DNAT --to-destination 127.0.0.1:22
iptables -t nat -A POSTROUTING -p tcp --dport 22 -j SNAT --to-source 127.0.0.1
If I just use something like the following:
iptables -t nat -A PREROUTING -p tcp --dport 22 -j REDIRECT
I can get connected, but my connections do not show up from where I would expect them to show up from, namely the firewall itself.
Whereas if I use the following rules, a slight modification of the first set just pointing to a different box, things work fine:
iptables -t nat -A PREROUTING -p tcp --dport 22 -j DNAT --to-destination 172.30.254.11:22
iptables -t nat -A POSTROUTING -p tcp --dport 22 -j SNAT --to-source 172.30.254.253
Ultimately I have a feeling the problem has to do with the packets' traversal of the kernel / TCP/IP stack and where we can interface / interfere with it. That being said, some extremely dastardly things are probably going to need to be done to make things work the way that you want. Thus, are you willing to do some nasty things such as running Squid in a UML, or what about just a UML router that does nothing other than route the packets between a couple of interfaces, thus allowing you to send traffic to a different system while still being in the same box? If that was the case I think my solution where things were DNATed/SNATed to send the traffic to a foreign system and then ultimately rerouted the long way around would work, but it will be extremely nasty. It will probably work, but I don't know if you will like it. Unfortunately you are trying to do something that is EXTREMELY NOT normal and thus are left with extremely not normal solutions.
Grant. . . .