From: Grant Taylor <gtaylor@riverviewtech.net>
To: netfilter@lists.netfilter.org
Subject: Re: Transparent proxy where source IP address remains unchanged -- possible?
Date: Mon, 15 Aug 2005 01:51:38 -0500
Message-ID: <43003B7A.4040404@riverviewtech.net>
In-Reply-To: <20050813131224.GD25192@bostoncoop.net>
> Interesting. Are there any pre-packaged ways to do this? This sounds like
> perhaps the least complex solution, once it's actually implemented.
Pre-packaged solutions? Um, sure, it's called Linux. :P No, I don't know of any "pre-packaged solutions". What there are is pre-made building blocks that you can put together into your own solution.
> That could work. I'm really only worried about DNS, HTTP, HTTPS, SMTP,
> POP3, IMAP, and SSH. So I could redirect all those ports to different
> ports on faketarget (DNAT), then back to the real ports on realtarget
> (using REDIRECT target?).
>
> Can you give me an example (or point me to a URL) of what rules I would
> need to run on realtarget to MARK the connections and then decide which
> routing table to use? Are we just talking about iptables commands, or is
> there something additional that is required?
This is the command that you would need to run on the fake target to do the up and over part:
iptables -t nat -A PREROUTING -i $INet -d $FakeTargetIP -p tcp --dport 22 -j DNAT --to-destination $RealTargetIP:2222
This is the corresponding command that you would need to run on the real target to do the down and in part:
iptables -t mangle -A PREROUTING -i $INet -d $RealTargetIP -p tcp --dport 2222 -j MARK --set-mark $Mark
iptables -t nat -A PREROUTING -i $INet -d $RealTargetIP -p tcp --dport 2222 -j REDIRECT --to-ports 22
I'm not sure if you want the MARK target or the CONNMARK target as I have not worked with either of them. But I think you see what I'm trying to accomplish with them. As far as the rule, a little bit of reading should explain that (I'd have to do the reading myself at this hour).
Grant. . . .
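As an added example (not part of the original message or the netfilter project), the script below turns the two-host scheme described above into a complete, emitted rule set for all the ports the thread listed: the "up and over" DNAT on the fake target, and the "down and in" mark-and-REDIRECT on the real target together with the policy-routing entries that send the replies back through the fake target so its conntrack can un-DNAT them. The script prints the commands rather than running them, so you can review them and then pipe them to sh on the right host. Every address, interface name, fwmark value and routing-table number is a constructed placeholder. One departure from the sketch above: it uses CONNMARK rather than MARK, because a MARK set in PREROUTING applies only to that one packet, whereas the replies are locally generated and need the mark restored from the connection entry in mangle OUTPUT before the routing decision.

```shell
#!/bin/sh
# Added example, not the original poster's or netfilter's code.
# Emits (does not execute) the iptables/ip commands for both hosts.
# Usage on the fake target:  sh rules.sh fake | sh
# Usage on the real target:  sh rules.sh real | sh
# All values below are constructed placeholders.

INet=eth0               # Internet-facing interface on each host
FakeTargetIP=192.0.2.10 # address the clients actually connect to
RealTargetIP=192.0.2.20 # host running the real services
Mark=0x1                # fwmark for connections that came via the fake target
Table=100               # hypothetical policy-routing table number

# service real_port hop_port: the services named in the thread, each carried
# between the two hosts on an otherwise unused port
PORT_MAP="ssh 22 2222
http 80 8080
https 443 8443
smtp 25 2525
pop3 110 2110
imap 143 2143
dns 53 5353"

# DNS is mostly UDP, so it gets both protocols; everything else is TCP only
protos_for() {
    if [ "$1" = dns ]; then echo "tcp udp"; else echo tcp; fi
}

# "Up and over": rewrite the destination only, so the client's source address
# reaches the real target unchanged; the real target must forward via us.
fake_target_rules() {
    echo "sysctl -w net.ipv4.ip_forward=1"
    echo "$PORT_MAP" | while read -r name real hop; do
        [ -n "$name" ] || continue
        for proto in $(protos_for "$name"); do
            echo "iptables -t nat -A PREROUTING -i $INet -d $FakeTargetIP -p $proto --dport $real -j DNAT --to-destination $RealTargetIP:$hop"
        done
    done
    # allow the forwarded connections and their replies through the filter table
    echo "iptables -A FORWARD -i $INet -d $RealTargetIP -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A FORWARD -s $RealTargetIP -o $INet -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
}

# "Down and in": tag the connection, bring the port back to the real service,
# and route every reply of a tagged connection back via the fake target.
real_target_rules() {
    echo "$PORT_MAP" | while read -r name real hop; do
        [ -n "$name" ] || continue
        for proto in $(protos_for "$name"); do
            echo "iptables -t mangle -A PREROUTING -i $INet -d $RealTargetIP -p $proto --dport $hop -j CONNMARK --set-mark $Mark"
            echo "iptables -t nat -A PREROUTING -i $INet -d $RealTargetIP -p $proto --dport $hop -j REDIRECT --to-ports $real"
        done
    done
    # replies are locally generated: copy the connection mark onto each packet
    # before the routing decision, then route marked packets via the fake target
    echo "iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark"
    echo "ip rule add fwmark $Mark table $Table"
    echo "ip route add default via $FakeTargetIP table $Table"
}

case "${1:-}" in
    fake) fake_target_rules ;;
    real) real_target_rules ;;
esac
```

Because the reply path is forced through the fake target, its conntrack entry un-DNATs the source back to FakeTargetIP and the client never sees the real address; if the policy route is missing, the replies leave the real target directly and the client drops them as coming from the wrong peer. The REDIRECT rule only rewrites the port, so the service on the real target still sees the original client source address, which is the property the thread is after.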
Thread overview: 18+ messages
2005-08-09 1:29 Transparent proxy where source IP address remains unchanged -- possible? Adam Rosi-Kessel
2005-08-11 5:42 ` Jan Engelhardt
2005-08-11 13:07 ` Adam Rosi-Kessel
2005-08-11 19:17 ` Jan Engelhardt
2005-08-11 20:47 ` Adam Rosi-Kessel
2005-08-12 5:02 ` Grant Taylor
2005-08-12 13:07 ` Adam Rosi-Kessel
2005-08-13 6:40 ` Grant Taylor
2005-08-13 13:12 ` Adam Rosi-Kessel
2005-08-15 6:51 ` Grant Taylor [this message]
2005-08-15 14:33 ` Adam Rosi-Kessel
2005-08-15 14:39 ` Taylor, Grant
2005-08-17 21:07 ` Ray Van Dolson
2005-08-19 3:16 ` Adam Rosi-Kessel
-- strict thread matches above, loose matches on Subject: below --
2005-08-10 15:22 Adam Rosi-Kessel
2005-08-12 18:35 ` curby .
2005-08-12 18:52 ` Adam Rosi-Kessel
2005-08-12 15:21 Gielen, Casper