Precisely. The bind-to-foreign-address will usually fail. If you set
/proc/sys/net/ipv4/ip_nonlocal_bind to "1", then the bind will succeed but
when you connect it will fail immediately or not work (I have not checked
the exact behaviour and I am still digging in the code).
> I'm asking as these 2 port forwarders I tried work with 2.4 kernel in non-transparent
> mode, i.e. connections seem to come from the proxy, what I need is connection
> to be seen to come from real originating IP.
So do I. If you are the daring type, I suggest you track the netfilter-devel
mail list (start from http://lists.samba.org/mailman/listinfo/netfilter-devel)
where some discussion has happened in July. If you are not, I am afraid you
will have to stay at 2.2.x for the time being.
Julio