From: Grant Taylor <gtaylor@riverviewtech.net>
To: netfilter@lists.netfilter.org
Subject: Re: Transparent proxy where source IP address remains unchanged -- possible?
Date: Fri, 12 Aug 2005 00:02:40 -0500	[thread overview]
Message-ID: <42FC2D70.7000701@riverviewtech.net> (raw)
In-Reply-To: <42FBB957.30003@rosi-kessel.org>

>>Then just use DNAT.

This will not work because it causes a routing triangle.  Consider the packet traversal with associated addresses here:

userbox -> faketarget
faketarget -DNAT-> realtarget
realtarget -> userbox

What is most likely happening (verifiable via TCPDump) is that the traffic IS getting DNATed as you want.  However, when the realtarget replies to the traffic it will go directly to the userbox without being unDNATed.  Thus the source address on the reply packet is from the realtarget, a box which userbox was not talking with, and thus the standard TCP/IP stack will DROP and disregard the packet.  TCPDump should see these replies coming back in.

> Right, that's where I started. What I'm trying to figure out is why when
> I only use DNAT packets don't seem to get forwarded to the new
> destination. They only show up if I also change the source IP to be the
> address of the proxy.
> 
> Is this because the final destination is rejecting the packets, or the
> proxy server is not actually passing them on?

I would bet that the final destination userbox is rejecting what it believes to be half-open connections that it does not know anything about.

> I think I may not properly understand some architectural detail here.  I
> am changing the destination IP in DNAT/PREROUTING.  Is there anything
> else I need to do to make sure the packet is properly passed on to the
> destination, where the proxy basically "disappears" as a middleman?

Are the faketarget and realtarget on the same subnet, or are they on different subnets?  The reason that I ask is that if you could make the traffic returning from realtarget back to userbox pass through faketarget, it could be unDNATed and then sent back to the userbox.  However, to pull this off you would have to play with the routing on the realtarget to make it use faketarget as its upstream gateway and then do postrouting SNATing of the source IP back to that of the faketarget as the traffic left the faketarget.  This same idea can be expanded upon if the faketarget and realtarget are not on the same subnet, but it is not easy.



Grant. . . .
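To make the routing triangle concrete, here is a small model of the three hosts, added as an example that is not part of the thread: it keeps a conntrack-style flow table on faketarget and shows that userbox only accepts the reply when realtarget's traffic passes back through the NAT box and gets unDNATed. The addresses, the `Packet`/`NatBox` names and the single-flow table are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed addresses for the three hosts in the thread (not from the post).
USERBOX, FAKETARGET, REALTARGET = "10.0.0.10", "10.0.0.20", "10.0.0.30"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


class NatBox:
    """Models faketarget: PREROUTING DNAT plus a conntrack-style flow table."""

    def __init__(self, dnat_to):
        self.dnat_to = dnat_to
        self.flows = {}  # (orig_src, orig_dst) -> address the flow was DNATed to

    def forward(self, pkt):
        match = [(osrc, odst) for (osrc, odst), ndst in self.flows.items()
                 if pkt.src == ndst and pkt.dst == osrc]
        if match:
            # Reply direction of a known flow: undo the DNAT on the source.
            osrc, odst = match[0]
            return Packet(odst, osrc)
        # Original direction: rewrite the destination and remember the flow.
        self.flows[(pkt.src, pkt.dst)] = self.dnat_to
        return Packet(pkt.src, self.dnat_to)


def userbox_accepts(pkt, expected_peer):
    """A plain TCP/IP stack only accepts a reply from the peer it talked to."""
    return pkt.dst == USERBOX and pkt.src == expected_peer


def simulate(reply_via_faketarget):
    """Return (reply as seen by userbox, whether userbox accepts it)."""
    nat = NatBox(dnat_to=REALTARGET)
    out = nat.forward(Packet(USERBOX, FAKETARGET))   # DNATed to realtarget
    reply = Packet(out.dst, out.src)                  # realtarget answers userbox
    if reply_via_faketarget:
        reply = nat.forward(reply)  # realtarget routes via faketarget: reply is unDNATed
    return reply, userbox_accepts(reply, expected_peer=FAKETARGET)


if __name__ == "__main__":
    for symmetric in (False, True):
        pkt, ok = simulate(symmetric)
        print(f"reply via faketarget={symmetric}: src={pkt.src} accepted={ok}")
```

With the direct return path the reply arrives at userbox with realtarget's address as source, which is the packet a TCPDump on userbox would show being ignored.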

