On 29/11/17 02:03, Matus UHLAR - fantomas wrote:
> On 27.11.17 11:24, LINGYUN ZHAO wrote:
>> I need Squid as a real 'transparent' proxy on Fedora without changing 5
>> tuples. Is it possible?
The technical name for an entry in the system NAT table is a 3-tuple or
Though what a "5 tuples" means interests me. There are not 5 IP and port
details in a TCP message. Only two of each.
>> The setup is simple as Client ---------- Fedora --------Server
> is fedora NAT device and also running squid?
>> The Squid version is 3.5.20. The key configuration on Squid as below:
>> http_port 0.0.0.0:3128 transparent
>> acl localnet src 10.0.0.0/24
>> http_access allow localnet
>> And I configured a NAT on Fedora.
>> iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to
> this only works if "fedora" does the NAT and runs squid.
> (just for sure)
>> When I run curl on Client to server, I found the server receives the
>> traffic with Fedora's IP address and different source port, instead of
>> Client IP address and original source port.
> when you redirect traffic to the squid and squid connect to the server,
> it's logical that server sees squid's IP.
Not just logical. That is how NAT works and why "transparent" is such a
wrong way to describe NAT interception.