Re: [Re: [squid-users] packet level accounting & connection pinning]

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Mon, 14 Jul 2003 14:57:28 +0200

On Monday 14 July 2003 11.05, lartc@manchotnetworks.net wrote:

> I think that I will try the kernel patch as we are short on
> addresses and I think that it would better suit our needs.
> Bizarrily, I couldn't find a url to download the patch -- can you
> suggest one?

The TPROXY patch is part of Netfilter Patch-O-Matic last time I
looked. I think there is a homepage somewhere also..

Note that you also need to patch Squid to use this feature.

Note: In the NAT approach you do not need to use real addresses.
Virtual private addresses work just fine. These addresses are just
used between Squid and the NAT engine. To reproduce the exact same
effect as TPROXY you configure Squid like this:

  1. Create a set of virtual private addresses on the Squid server, as
many as you have clients.

  2. Set up squid.conf tcp_outgoing_address to assign proper private
address for each client.

  3. Use iptables -t nat -A OUTPUT -j SNAT ... to NAT the private
addresses back to the clients real addresses.

This approach, just as TPROXY, requires the Squid server to be the
router/gateway of all your Internet traffic. Using the clients
address as source address will never work if the return traffic for
these addresses is not routed via the same point in the network.

Regards
Henrik

-- 
Donations welcome if you consider my Free Squid support helpful.
https://www.paypal.com/xclick/business=hno%40squid-cache.org
If you need commercial Squid support or cost effective Squid or
firewall appliances please refer to MARA Systems AB, Sweden
http://www.marasystems.com/, info@marasystems.com
Received on Mon Jul 14 2003 - 06:57:57 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:17:58 MST
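Henrik's three steps, worked through as an added example. This is not code from the mail, from Squid or from Netfilter; the client addresses, the 10.200.0.0/24 alias range, the use of lo as the alias device, the ACL names and the SQUID_FRAG path are all made up for the illustration. One caveat a practitioner will hit when typing the rules in: iptables accepts the SNAT target only in the nat table's POSTROUTING chain (and INPUT), not OUTPUT, so the script places the rule in POSTROUTING with a match on the private source address, which catches the same locally generated Squid traffic. Return packets arrive at the box because it is the gateway, conntrack reverses the translation in PREROUTING, and the packet is then delivered locally to Squid's socket bound on the alias.

```shell
#!/bin/sh
# Added example, not part of Henrik's mail or of Squid itself: generate the
# three pieces of configuration his NAT approach needs from one table of
# client addresses.  Every address, the alias device and the ACL names are
# constructed for the example; adjust them to the real network.

# Constructed client list, one "real_client_address private_alias" pair per
# line.  The private side only has to be unique per client; it is seen only
# by Squid and by the NAT engine, never on the wire.
CLIENT_MAP='
192.168.1.10 10.200.0.1
192.168.1.11 10.200.0.2
192.168.1.12 10.200.0.3
'

# Device carrying the /32 alias addresses (assumption: lo works, Linux lets
# a socket bind to any locally configured address as its source).
ALIAS_DEV="${ALIAS_DEV:-lo}"

# Call "$@" once per client with the real and private address appended,
# skipping the blank lines in CLIENT_MAP.
each_client() {
    printf '%s\n' "$CLIENT_MAP" | while read -r real priv; do
        [ -n "$real" ] || continue
        "$@" "$real" "$priv"
    done
}

# Step 1: one ip(8) command per client that adds the private alias.
addr_cmd() { printf 'ip addr add %s/32 dev %s\n' "$2" "$ALIAS_DEV"; }
gen_addr_cmds() { each_client addr_cmd; }

# Step 2: squid.conf fragment.  One src ACL per client (named after the
# client's address) and a tcp_outgoing_address line that binds that
# client's upstream connections to its private alias.
squid_conf_lines() {
    name="client_$(printf '%s' "$1" | tr . _)"
    printf 'acl %s src %s\n' "$name" "$1"
    printf 'tcp_outgoing_address %s %s\n' "$2" "$name"
}
gen_squid_conf() { each_client squid_conf_lines; }

# Step 3: rewrite the private source back to the client's real address.
# SNAT is only valid in POSTROUTING (and INPUT), so the rule lives there
# and selects Squid's traffic by its private source address.
nat_rule() {
    printf 'iptables -t nat -A POSTROUTING -s %s -j SNAT --to-source %s\n' \
        "$2" "$1"
}
gen_nat_rules() { each_client nat_rule; }

# The scheme only works if this box is the gateway for the clients, so the
# replies addressed to the clients' real addresses pass through conntrack
# here.  Forwarding being off is a strong hint that it is not.
check_gateway() {
    f=/proc/sys/net/ipv4/ip_forward
    [ -r "$f" ] && [ "$(cat "$f")" = 1 ]
}

case "${1:-show}" in
    show)
        gen_addr_cmds
        gen_nat_rules
        echo '# squid.conf fragment:'
        gen_squid_conf
        ;;
    apply)
        # Needs root.  Writes the squid.conf fragment to SQUID_FRAG (assumed
        # path) for pasting into squid.conf, then runs the ip/iptables lines.
        SQUID_FRAG="${SQUID_FRAG:-/etc/squid/tcp_outgoing.conf}"
        check_gateway || echo 'warning: ip_forward is 0; is this box the gateway?' >&2
        gen_squid_conf > "$SQUID_FRAG"
        { gen_addr_cmds; gen_nat_rules; } | sh -e
        ;;
esac
```

Running the script with no argument (or `show`) only prints what it would do; `apply` executes the ip and iptables commands and writes the squid.conf fragment. A client not listed in CLIENT_MAP falls through to Squid's default outgoing address, which is the behaviour to expect while the table is being filled in.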