[squid-users] Re: [SQU] Transparent proxying with spoof'd outbound packets from cache

From: Henrik Nordstrom <[email protected]>
Date: 06 Feb 2003 14:24:32 +0100

You need to

1. Use Linux-2.2 (not 2.4)

2. Hack the kernel to allow non-root applications to bind sockets to
non-local addresses.

3. Modify Squid to bind the socket to the client address prior to making
the connection to the origin server.

4. Make sure that everything is routed via the Squid box in both
directions, and that there is no TCP/IP conflicts between the spoofed
traffic and other routed traffic.

Alternative to 1+2 you might be able to use Linux-2.4 with the
transparent proxy netfilter extension.

Before you even think about doing any of this, carefully consider the
effects on TCP/IP of having the same IP address on multiple stations,
and how you will manage routing and other services in such network. This
is not a trivial thing which should be done lightly as it massively
violates the foundations of TCP/IP networking.

Regards
Henrik

tor 2003-02-06 klockan 23.21 skrev Oren Bartal:
> Henrik Nordstrom wrote:
> > True, and I know that at least one person have done it with a
> sligthly
> > hacked Linux version (some root-only permission checks removed)
> combined
> > with a equally slightly hacked Squid version..
>
> Hi,
> I'm trying to do exactly the same thing, can you direct me to that
> person or point out somewhere that can help me implement this exact
> thing?
>
> Thanks!

-- 
Henrik Nordstrom <hno@marasystems.com>
MARA Systems AB
Received on Thu Feb 06 2003 - 06:24:40 MST

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:13:16 MST