Henrik Nordstrom wrote:
Tue 2003-02-25 at 16.12, Fabien Salvi wrote:


I suppose the response to the client *must* use the real destination server IP for IP source address to not be dropped by it ?

So, I suppose I must use NAT in iptables to do this ?
Is this possible ?


Yes.


In squid, I thought there was a mechanism to change the IP source address of the reply.
Is this the reality ?


This is done automatically by the TCP/IP kernel when you configure the
host to redirect port 80 to Squid (via NAT). Without it the TCP would
not at all operate in transparent interception mode, and Squid is an
application on top of TCP.

The same TCP/IP redirect methods can be used to redirect the traffic to
ANY TCP/IP application on the host, or even on a remote server if you
prefer. It is just a variant of NAT. The only specific support required
in the application is if the application is interested in knowing the
originally intended destination (which is not the case in your case).


Ok, thanks a lot Henrik !
These things were a bit "obscure" to me.
Now, I understand. I thought it was a userspace mechanism (like we can fake an IP with sendip or other packet generator) but in fact, it's a kernelspace mechanism...


I've just tried this and it works well.

Thanks again.

--
Fabien SALVI      Centre de Ressources Informatiques
                  Archamps, France -- http://www.cri74.org
                  PingOO GNU/linux distribution : http://www.pingoo.org
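
The address rewriting discussed in this thread, as an added example that is not part of the original messages and is not Squid or kernel code: a toy Python model of the NAT connection-tracking step, showing why the reply reaches the client with the real server's address as its source without the proxy forging anything. The class and function names, the addresses and the proxy port 3128 are all constructed for illustration, and the model assumes one tracked connection per client address and port.

```python
# Toy model of NAT connection tracking for a port-80 redirect (constructed example).
from typing import NamedTuple, Optional, Tuple


class Packet(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int


class RedirectNat:
    """Gateway that redirects TCP port 80 to a local proxy, as REDIRECT/DNAT does."""

    def __init__(self, proxy_ip: str, proxy_port: int, match_port: int = 80):
        self.proxy = (proxy_ip, proxy_port)
        self.match_port = match_port
        # (client_ip, client_port) -> destination the client originally asked for
        self.conntrack = {}

    def inbound(self, pkt: Packet) -> Packet:
        """Client-to-server packet: remember the real destination, then rewrite it."""
        if pkt.dport != self.match_port:
            return pkt  # not matched by the redirect rule
        self.conntrack[(pkt.src, pkt.sport)] = (pkt.dst, pkt.dport)
        return pkt._replace(dst=self.proxy[0], dport=self.proxy[1])

    def outbound(self, pkt: Packet) -> Packet:
        """Proxy-to-client reply: put the original server back as the source."""
        orig = self.conntrack.get((pkt.dst, pkt.dport))
        if orig is None or (pkt.src, pkt.sport) != self.proxy:
            return pkt  # no tracked connection, leave untouched
        return pkt._replace(src=orig[0], sport=orig[1])

    def original_dst(self, client_ip: str, client_port: int) -> Optional[Tuple[str, int]]:
        """What an interested application would have to ask the kernel for."""
        return self.conntrack.get((client_ip, client_port))


def demo():
    nat = RedirectNat("192.0.2.1", 3128)  # constructed proxy address and port
    syn = Packet("192.0.2.10", 40000, "198.51.100.7", 80)  # constructed client request
    at_proxy = nat.inbound(syn)
    # The proxy answers from its own socket address; it never forges anything.
    reply = Packet(at_proxy.dst, at_proxy.dport, at_proxy.src, at_proxy.sport)
    at_client = nat.outbound(reply)
    return nat, at_proxy, at_client
```

Calling demo() returns the packet as the proxy sees it (destination rewritten to the proxy) and the reply as the client sees it (source restored to 198.51.100.7:80).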


