From: Julian Anastasov <ja@ssi.bg>
To: lartc@vger.kernel.org
Subject: Re: [LARTC] transparent PAT
Date: Wed, 27 Nov 2002 22:39:55 +0000
Message-ID: <marc-lartc-103843687116028@msgid-missing>
In-Reply-To: <marc-lartc-103842383732507@msgid-missing>


	Hello,

On Wed, 27 Nov 2002, Nickola Kolev wrote:

> So, given I'm running kernel 2.4.19 and using ipchains (don't
> ask me why, but I'm bound to this config), I would like to
> reroute everything that's passing thru eth1 on machine A
> from the internal lan and has dport XXXX to the same port
> on machine B. The whole thing has to be completely transparent.
> I tried some "advanced routing" stuff, like marking those packets
> with fwmark and building a separate routing table for them,
> but alas. Notice that the two machines are on the same LAN segment.

	Yes, marking the packets for routing purposes is a solution,
sort of:

# Mark XXX traffic
ipchains -A input -p TCP -s CLIENT_NET/24 -d 0.0.0.0/0 PORT_XXX -m 1 -j ACCEPT

# Check first for routes to directly attached networks
ip rule add prio 50 table main

# Port XXX to universe is rerouted to host B
ip rule add prio 100 fwmark 1 table 100
ip route add default via HOST_B dev eth1 table 100

	Maybe the problem is that host B cannot accept this traffic?
You need some measures:

1. In host A stop ICMP redirects generated for routes on shared media:
# A redirection cannot target a glob that matches several files, so loop
for f in /proc/sys/net/ipv4/conf/*/send_redirects; do echo 0 > "$f"; done
Without such settings, host A will redirect clients directly to
host B, for any traffic.

2. Add Transparent Proxy support in box B to accept locally the
client's traffic. You can look at how the Squid tproxy works: each
packet is delivered to the configured local IP:PORT but this
service can obtain the original DADDR:DPORT of the packet.

> Nickola

Regards

--
Julian Anastasov <ja@ssi.bg>
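
Added example, not part of the original message: a check for step 1 that lists the interfaces on host A which would still send ICMP redirects. It relies on the behaviour described in the kernel's ip-sysctl documentation, where conf/all/send_redirects is ORed with the per-interface value; the function names and the optional directory argument are hypothetical.

```shell
#!/bin/sh
# Added example: audit the send_redirects setting from step 1 on host A.
# The optional argument is a hypothetical override of the sysctl directory,
# so the check can also be run against a saved copy of the tree.

# Print every interface whose effective send_redirects is on.
# The kernel ORs conf/all with the per-interface file, so a 1 in "all"
# re-enables redirects everywhere, whatever the per-interface files say.
redirect_senders() {
    root=${1:-/proc/sys/net/ipv4/conf}
    all=0
    if [ -r "$root/all/send_redirects" ]; then
        all=$(cat "$root/all/send_redirects")
    fi
    for f in "$root"/*/send_redirects; do
        [ -r "$f" ] || continue
        ifname=$(basename "$(dirname "$f")")
        # "all" and "default" are templates, not real interfaces
        case $ifname in all|default) continue ;; esac
        val=$(cat "$f")
        if [ "$all" != 0 ] || [ "$val" != 0 ]; then
            echo "$ifname"
        fi
    done
}

# Return 0 only when no interface can emit redirects; otherwise name them.
audit_redirects() {
    senders=$(redirect_senders "$1" | tr '\n' ' ')
    if [ -n "$senders" ]; then
        echo "ICMP redirects still enabled on: $senders"
        return 1
    fi
    echo "send_redirects is off on every interface"
    return 0
}
```

Call audit_redirects with no argument on host A after applying step 1; a non-zero exit status means clients can still be redirected straight to host B.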
