My requirement is to have a transparent proxy in some sense: the TCP packets
should be proxied by box A to a server on box B, and back from B to the
client (via A I guess). The server on box B should see the original IP
address of the client. When I do SNAT on A, the original IP becomes
invisible for box B, which is not acceptable for my application.
Is there a way to do this without using squid, with iptables and iproute2
tools only?
I have the following (simplified) network topology:
WAN ----- BOX A ----- LAN ------ BOX B ------ WAN
Assuming that BOX A has WAN ip 1.2.3.4, LAN ip 10.0.0.1 and BOX B has LAN ip
10.0.0.2 and the clients connect to port 5224 on box A, this is what I have
tried:
On box A:
# iptables -t nat -A PREROUTING -d 1.2.3.4 -p tcp -m tcp --dport 5224 -j DNAT --to-destination 10.0.0.2:5224
On box B, I can verify that the SYN packets containing the original client
ip are received via LAN interface. The server on B is listening on
10.0.0.2:5224.
I tried to route the response from this server back to A:
On B:
# ip rule ls
0: from all lookup local
32764: from 10.0.0.2 lookup 3
32766: from all lookup main
32767: from all lookup default
# ip route ls table 3
default via 10.0.0.1 dev eth1
My problem is that I cannot see response (ACK) packets from the server on B
anywhere, neither on A nor even on B. I suspect the problem is incorrect
routing on B, but I do not know how to capture the outbound packets before
routing.
What am I doing wrong?
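As an added example (not part of the question or of any answer to it), the script below parses `ip rule ls` and `ip route ls table N` output of the shape quoted above and replays the kernel's policy-routing decision for a given source/destination pair: rules are walked in ascending priority, the first table that contains a matching route wins, and within a table the longest prefix wins. Run against the question's rule list and table 3, it shows which next hop and device box B would pick for a reply from 10.0.0.2 to a client on the WAN. The `main` table contents, the interface names, and the client address 198.51.100.7 are constructed assumptions; only table 3 and the rule list come from the question.

```python
"""Replay Linux policy-routing lookups from `ip rule ls` and
`ip route ls table N` output, to check which next hop a host would
choose for its reply packets (added example; assumed sample data)."""
import ipaddress
import re

# Constructed sample: the `ip rule ls` output quoted in the question.
IP_RULE_LS = """\
0:\tfrom all lookup local
32764:\tfrom 10.0.0.2 lookup 3
32766:\tfrom all lookup main
32767:\tfrom all lookup default
"""

# Constructed sample: table 3 is the one in the question; `main` is an
# assumed but typical table for a box with LAN on eth1 and WAN on eth0.
ROUTE_TABLES = {
    "3": "default via 10.0.0.1 dev eth1\n",
    "main": ("default via 203.0.113.1 dev eth0\n"
             "203.0.113.0/24 dev eth0 proto kernel scope link\n"
             "10.0.0.0/24 dev eth1 proto kernel scope link src 10.0.0.2\n"),
    "local": "",    # host routes omitted; not relevant for the reply path
    "default": "",  # normally empty on Linux
}

RULE_RE = re.compile(r"^(\d+):\s+from (\S+) lookup (\S+)")
ROUTE_RE = re.compile(r"^(default|\S+)(?: via (\S+))? dev (\S+)")


def parse_rules(text):
    """Return [(priority, source selector or None for 'all', table)] sorted by priority."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        prio, src, table = m.groups()
        selector = None if src == "all" else ipaddress.ip_network(src, strict=False)
        rules.append((int(prio), selector, table))
    return sorted(rules, key=lambda r: r[0])


def parse_routes(text):
    """Return [(network, gateway or None for on-link, device)] for one table."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if not m:
            continue
        prefix, gw, dev = m.groups()
        net = ipaddress.ip_network("0.0.0.0/0" if prefix == "default" else prefix,
                                   strict=False)
        routes.append((net, gw, dev))
    return routes


def lookup_table(routes, dst):
    """Longest-prefix match within a single table; None if nothing matches."""
    best = None
    for net, gw, dev in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, dev)
    return best


def route_lookup(rules, tables, src, dst):
    """Walk the rules in priority order; the first table holding a matching
    route decides the next hop and egress device, as the kernel does."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for prio, selector, table in rules:
        if selector is not None and src not in selector:
            continue
        hit = lookup_table(tables.get(table, []), dst)
        if hit:
            net, gw, dev = hit
            return {"rule": prio, "table": table, "prefix": str(net),
                    "via": gw, "dev": dev}
    return None


def reply_path(rule_text, table_texts, server_ip, client_ip):
    """Convenience wrapper: parse everything and resolve one reply packet."""
    rules = parse_rules(rule_text)
    tables = {name: parse_routes(t) for name, t in table_texts.items()}
    return route_lookup(rules, tables, server_ip, client_ip)


if __name__ == "__main__":
    # Reply from the server on box B to an assumed WAN client.
    print(reply_path(IP_RULE_LS, ROUTE_TABLES, "10.0.0.2", "198.51.100.7"))
    # → {'rule': 32764, 'table': '3', 'prefix': '0.0.0.0/0', 'via': '10.0.0.1', 'dev': 'eth1'}
```

The simulator models only rule and table selection, not reverse-path filtering or netfilter verdicts. That makes it a useful split point when diagnosing a setup like the one above: if the replayed lookup already picks an unexpected table or next hop, the fix is in the rules or tables; if it picks the intended path (here, via 10.0.0.1 on eth1) but tcpdump on that device still shows no replies, the packets are being dropped after the routing decision and before transmission, and tcpdump, which attaches at the device level, will never show them.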