Re: [squid-users] packet level accounting & connection pinning

From: <lartc@dont-contact.us>
Date: 15 Jul 2003 10:03:33 +0200

Henrik,

Thanks a million --

Charles Shick

On Mon, 2003-07-14 at 14:57, Henrik Nordstrom wrote:
> On Monday 14 July 2003 11.05, lartc@manchotnetworks.net wrote:
>
> > I think that I will try the kernel patch as we are short on
> > addresses and I think that it would better suit our needs.
> > Bizarrely, I couldn't find a URL to download the patch -- can you
> > suggest one?
>
> The TPROXY patch is part of Netfilter Patch-O-Matic last time I
> looked. I think there is a homepage somewhere also..
>
> Note that you also need to patch Squid to use this feature.
>
>
> Note: In the NAT approach you do not need to use real addresses.
> Virtual private addresses work just fine. These addresses are just
> used between Squid and the NAT engine. To reproduce the exact same
> effect as TPROXY you configure Squid like this:
>
> 1. Create a set of virtual private addresses on the Squid server, as
> many as you have clients.
>
> 2. Set up squid.conf tcp_outgoing_address to assign the proper private
> address for each client.
>
> 3. Use iptables -t nat -A OUTPUT -j SNAT ... to NAT the private
> addresses back to the clients' real addresses.
>
>
> This approach, just as TPROXY, requires the Squid server to be the
> router/gateway of all your Internet traffic. Using the clients'
> address as source address will never work if the return traffic for
> these addresses is not routed via the same point in the network.
>
> Regards
> Henrik
>
> --
> Donations welcome if you consider my Free Squid support helpful.
> https://www.paypal.com/xclick/business=hno%40squid-cache.org
>
> If you need commercial Squid support or cost effective Squid or
> firewall appliances please refer to MARA Systems AB, Sweden
> http://www.marasystems.com/, info@marasystems.com
Received on Tue Jul 15 2003 - 02:00:47 MDT
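
The three-step NAT setup described in the quoted reply above, as an added example that is not part of the original messages: a POSIX shell generator that prints the address commands, squid.conf lines and SNAT rules for a list of clients. The 10.255.0.0/24 pool, the `lo` and `eth0` interfaces, the `pin_N` ACL names and the 192.0.2.x clients are assumptions, and the SNAT rules are written for POSTROUTING, the nat chain in which iptables accepts the SNAT target.

```shell
#!/bin/sh
# Added example: prints (does not execute) the configuration for the NAT approach.
POOL_PREFIX="10.255.0"  # assumption: private /24 used only between Squid and NAT
WAN_IF="eth0"           # assumption: Internet-facing interface of the Squid box

# Succeeds only for a dotted-quad IPv4 address with each octet in 0..255.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1            # split on dots into positional parameters
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# gen_pinning MODE CLIENT_IP...
#   addr  -> step 1: shell commands adding one private address per client
#   squid -> step 2: squid.conf lines selecting that address per client
#   nat   -> step 3: iptables rules mapping it back to the client's address
gen_pinning() {
    [ "$#" -ge 1 ] || return 2
    mode=$1; shift
    case "$mode" in addr|squid|nat) ;; *) echo "unknown mode: $mode" >&2; return 2 ;; esac
    n=0
    for client in "$@"; do
        valid_ipv4 "$client" || { echo "skipping invalid address: $client" >&2; continue; }
        n=$((n + 1))
        [ "$n" -le 254 ] || { echo "private pool exhausted" >&2; return 1; }
        vip="$POOL_PREFIX.$n"
        case "$mode" in
            addr)  echo "ip addr add $vip/32 dev lo" ;;
            squid) echo "acl pin_$n src $client/32"
                   echo "tcp_outgoing_address $vip pin_$n" ;;
            nat)   echo "iptables -t nat -A POSTROUTING -o $WAN_IF -s $vip -j SNAT --to-source $client" ;;
        esac
    done
    return 0
}

# Constructed sample clients (documentation range 192.0.2.0/24).
for m in addr squid nat; do gen_pinning "$m" 192.0.2.10 192.0.2.11; done
```

Pass the same client list to all three modes so that each client keeps the same private address across the interface, squid.conf and iptables output.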
