Henrik Nordstrom <hno@hem.passagen.se> wrote:
> Andy Zbikowski wrote:
>
>> So let's see, from ideas into iptalbes...
>> iptables -t nat -A PREROUTING -i eth1 -p tcp -s squid.box --dport 80 -j
>> FORWARD
>> iptables -t nat -A PREROUTING -i eth1 -p tcp -s ! squid.box --dport 80 -j
>> REDIRECT --to squid.box --to-port 3128
>
> Don't use NAT, use advanced routing. NAT (-j REDIRECT is a form of NAT)
> will destroy important information required by the proxy.
>
> The REDIRECT rule should only be used on the proxy box itself.
Henrik, this should be in the FAQ. Actually I did the same as Andy and
it seemed to work - but as you said, this may break in a subtle way.
Actually I never heard before of doing transparent proxying with advanced
routing, but it sounds very reasonable. So, please put it in the FAQ (or
be so kind and forward it to the maintainer).
Thanks,
Juri
[SNIP]
>> Anyway, the question is, does this have any chance of working, if so, am I
>> on the right track with my iptables rules?
>
> The above should work partially, but some applications may have trouble
> because of NAT destroying the destination address before the request
> reaches the proxy.
-- Juri Haberland <juri@koschikode.com>Received on Sat Jun 30 2001 - 06:27:42 MDT
This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:00:53 MST