Probably. In that case you use iptables to do the DNAT operation and 
rewrite the destination address of inbound connections to be the address:port 
of an ATS proxy port.
The problem would be in the routing. You would likely need additional support 
from an external router. Consider an origin server with address A. The external 
router would need to route packets to A from user agents to the ATS box, but 
packets to A from the ATS box out to the internet. That is, some sort of policy 
or topology based routing (e.g. if the user agents and ATS are on distinct 
interfaces on the external router then you can do this easily).
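The arrangement described in the reply above, and in the earlier messages in the thread below (DNAT on an inline device plus interface-keyed routing so the proxy's own origin connections are not intercepted again), as an added example that is not code from the thread or from the Traffic Server project. It is a POSIX shell script for a Linux box acting as the external router with three interfaces; the interface names, addresses, port and routing-table number are assumptions, and the addresses are constructed from RFC 5737 test ranges.

```shell
#!/bin/sh
# Added example, not from the thread: render (dry-run by default) the iptables
# DNAT rule and the interface-keyed policy routing described above, for a Linux
# box acting as the external router. Interface names, addresses and the table
# number are assumptions; addresses are constructed from RFC 5737 test ranges.

LAN_IF=${LAN_IF:-eth1}                 # interface facing the user agents
ATS_IF=${ATS_IF:-eth2}                 # interface facing the ATS box
WAN_GW=${WAN_GW:-203.0.113.1}          # upstream gateway toward the Internet
ATS_IP=${ATS_IP:-192.0.2.10}           # address ATS listens on
ATS_PORT=${ATS_PORT:-8080}             # ATS proxy port
FROM_ATS_TABLE=${FROM_ATS_TABLE:-100}  # routing table for traffic from the ATS box

# DNAT: rewrite the destination of port-80 connections that arrive from the
# user-agent side to the ATS proxy port. Matching -i "$LAN_IF" is what keeps
# ATS's own connections to the origin (which arrive on $ATS_IF) from being
# intercepted a second time.
dnat_rules() {
    printf 'iptables -t nat -A PREROUTING -i %s -p tcp --dport 80 -j DNAT --to-destination %s:%s\n' \
        "$LAN_IF" "$ATS_IP" "$ATS_PORT"
}

# Policy routing keyed on the incoming interface: whatever arrives from the ATS
# box is routed out via the WAN gateway, no matter what its addresses look like,
# so a packet to the origin can never loop back into the intercept path.
policy_routing_rules() {
    printf 'ip route add default via %s table %s\n' "$WAN_GW" "$FROM_ATS_TABLE"
    printf 'ip rule add iif %s lookup %s\n' "$ATS_IF" "$FROM_ATS_TABLE"
}

# Full command list; forwarding must be on for the box to act as a router at all.
all_rules() {
    printf 'sysctl -w net.ipv4.ip_forward=1\n'
    dnat_rules
    policy_routing_rules
}

# Number of commands that would be executed (sanity check for the dry run).
rule_count() {
    all_rules | wc -l | tr -d ' '
}

# Default prints the commands; "apply" executes them one by one (needs root).
main() {
    if [ "$1" = "apply" ]; then
        all_rules | while IFS= read -r cmd; do
            echo "+ $cmd"
            eval "$cmd" || exit 1
        done
    else
        all_rules
    fi
}

main "$@"
```

Run it without arguments to see the commands, and with `apply` as root on the router (not on the ATS box) to install them; `iptables -t nat -L PREROUTING -n -v` and `ip rule show` then confirm what is in place. As Jason's message below points out, this gives inbound transparency only: the origin sees connections coming from the proxy's own address rather than from the client, and the proxy cannot use the address the client resolved for the origin.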
 


On Thursday, June 25, 2015 1:59 PM, Jason Strongman <[email protected]> wrote:

Alan,

In your transparency PDF you mention another 'transparency' approach
using NAT. I think the OP can use
his ATS server with a single interface if some inline device performs
a DNAT on the request(s) in question.
I think you mentioned this approach if one didn't want to mess with the
whole kernel TPROXY stuff.

Also per your notes, this only satisfies inbound transparency and
removes the ability for ATS to use the client resolved origin address.



On Sun, Apr 12, 2015 at 3:24 PM, Alan M. Carroll
<[email protected]> wrote:
> I'm not sure you can do this. The essence is packets with the same IP 
> addresses that need to be delivered to different VLAN ports. Let's say your 
> user agent is address A and the origin server is address S. When the user 
> agent sends a packet, it is A -> S. This is intercepted by ATS and then when 
> it wants to connect to the origin server it will send a packet A -> S and 
> this packet needs to flow out to the Internet, not be intercepted by ATS 
> again. If you have a router you can do this by doing policy routing based on 
> which interface handled the packet. With just a switch I'm not sure you can 
> distinguish the packets sufficiently.
>
> I've never tried do that and I don't know anyone who has, so I have to just 
> guess.
>
