public inbox for linux-kernel@vger.kernel.org
From: Rob Landley <landley@webofficenow.com>
To: Nerijus Baliunas <nerijus@users.sourceforge.net>,
	Julio Sanchez Fernandez <j_sanchez@stl.es>
Cc: linux-kernel@vger.kernel.org
Subject: Re: Transparent proxies and binding to foreign addresses
Date: Thu, 26 Jul 2001 15:41:50 -0400
Message-ID: <01072615415006.02057@localhost.localdomain>
In-Reply-To: <m2lmlcakrq.fsf@j-sanchez-p.stl.es> <200107270215.EAA1376016@mail.takas.lt>
In-Reply-To: <200107270215.EAA1376016@mail.takas.lt>

On Thursday 26 July 2001 22:15, Nerijus Baliunas wrote:
> On 25 Jul 2001 21:09:13 +0200 Julio Sanchez Fernandez <j_sanchez@stl.es>
> wrote:
>
> JSF>
> JSF> I have been using transparent proxies on Linux for a long time, very
> JSF> possibly longer than anyone else, since I wrote an extremely crude hack
> JSF> that served me well back in 1995.
>
> JSF> This mechanism has worked since I originally wrote my kludge up to
> JSF> 2.2.x but, from what I can gather, it does not work anymore in 2.4.x.
>
> Hello,
>
> I don't know if it is useful for you, but http://www.mcknight.de/jftpgw
> supports transparent proxy for Linux 2.4.x kernel.
>
> BTW, do you know of any port forwarder which works with 2.4 kernel in
> transparent mode? I tried mmtcpfwd and portfwd, but both do not work.

Well, for simple forwarding within the box I'm using:

iptables -t nat -A PREROUTING -p tcp -i eth1 -d 10.0.0.0/8 -j REDIRECT --to-port 3141

That's to forward all ports for a given address range (anything in the 
10.x.x.x subnet in this case) to a daemon on the box itself.  I don't 
remember if it winds up on eth1 or on loopback (where said daemon should 
bind), probably eth1.  The magic snippet of C code that can recover the 
original destination address and port for a forwarded connection is:

getsockopt(connection_fd,SOL_IP,SO_ORIGINAL_DST, &addr, &i);

(Finding out the above involved thumbscrews, a bullwhip, google, a lot of 
luck, and emailing various developers.  But I sent it off to the man page 
maintainer so hopefully it should be better documented now.)

To forward a port outside the box entirely, the mystic incantation is:

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport "$fromport" -j DNAT --to "$addr":"$toport"

fromport being the port on the firewall (I.E. 80), addr and toport being the 
remote machine's IP address and the port number on that remote machine 
(hopefully one behind your firewall, although that's probably not a 
requirement).

Is that what you needed?

> Regards,
> Nerijus

Rob
