Linux Netfilter discussions
From: Adam Rosi-Kessel <adam@rosi-kessel.org>
To: "curby ." <curby.public@gmail.com>
Cc: netfilter@lists.netfilter.org
Subject: Re: Transparent proxy where source IP address remains unchanged -- possible?
Date: Fri, 12 Aug 2005 14:52:18 -0400
Message-ID: <42FCEFE2.2030509@rosi-kessel.org>
In-Reply-To: <5d2f379105081211357e8d558a@mail.gmail.com>


Thanks for your response:

curby . wrote:
>> iptables -t nat -A PREROUTING -i eth0 -s 10.1.1.2 -d 10.1.1.3 \
>>         -p tcp --dport ssh -j DNAT --to 192.168.98.4
> In your hypothetical above, all three hosts were on the same subnet. 
> If in fact your realtarget is on another subnet (as it is in this
> command), then all you need is DNAT and your source address/port will
> be kept.  If all three hosts are on the same network, or the source
> and realtarget are on the same network, then you will need a SNAT rule
> as shown here:

In reality, userbox, faketarget, and realtarget are all on different
subnets.

> A single line to DNAT is all that should be necessary for DNAT between
> different subnets (as long as your FORWARD chain allows it).  SNAT is
> definitely not required to get it to work.  If it doesn't work, likely
> you have a bad setup somewhere.  HOWTO might help:

Based on other messages in this thread, it appears that the problem is
that reply packets are going directly back to userbox rather than
through faketarget and thus are being dropped.  I guess the proxy needs
to go both ways, but also be invisible. This is what I'm having trouble
figuring out.

>> Is this possible?  Am I asking the wrong question?
> You didn't say why you're doing this, or what else your firewall setup
> has.  If it's for auditing/eavesdropping, there are certainly other
> ways to do it.  If all three hosts are on the same network, the client
> could simply go directly to realserver.

The main purpose is to facilitate relocation of a server to a new subnet
with zero downtime while DNS changes propagate. Any client that is still
getting the old IP address should be transparently routed to the new one.
-- 
Adam Rosi-Kessel
http://adam.rosi-kessel.org
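The rule set that the diagnosis above points to, as an added example that is not part of the thread: the page's DNAT rule plus the reverse NAT that makes realtarget's replies come back through faketarget instead of going straight to the client. The addresses, interface and port are hypothetical placeholders matching the rule quoted earlier.

```shell
#!/bin/sh
# Added example, not from the thread: the rule set this relocation needs on
# "faketarget" (the host still holding the old address). Hypothetical values:
OLD_IP=10.1.1.3        # address clients with stale DNS still connect to
NEW_IP=192.168.98.4    # the server's address on the new subnet
IFACE=eth0             # interface on faketarget where those clients arrive
PORT=22                # service being relocated (ssh in the thread's rule)

# The single DNAT rule rewrites the destination, but realtarget then answers
# the client directly. That SYN/ACK never passes faketarget, so it is not
# un-NATed, and the client receives a reply from an address it never
# contacted and rejects it. The MASQUERADE rule rewrites the source as well,
# so realtarget replies to faketarget, which reverses both translations.
# Cost: realtarget logs faketarget's address, not the client's.
nat_rules() {
  cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A PREROUTING -i $IFACE -d $OLD_IP -p tcp --dport $PORT -j DNAT --to-destination $NEW_IP
iptables -t nat -A POSTROUTING -d $NEW_IP -p tcp --dport $PORT -j MASQUERADE
iptables -A FORWARD -i $IFACE -d $NEW_IP -p tcp --dport $PORT -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s $NEW_IP -p tcp --sport $PORT -m state --state ESTABLISHED -j ACCEPT
EOF
}

# Review the generated commands with `sh script.sh`; apply them as root with
# `sh script.sh --apply`. Afterwards the translated connection is visible in
# /proc/net/ip_conntrack (older kernels) or with `conntrack -L`.
if [ "${1:-}" = "--apply" ]; then
  nat_rules | sh
else
  nat_rules
fi
```

If realtarget must still see the client's real source address, the MASQUERADE line has to go and realtarget instead needs a route that sends its replies to those clients back through faketarget, which is the "both ways, but invisible" setup the message describes.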

