On 7/6/05, Joost de Heer <sanguis@xs4all.nl> wrote:
> > I just wondering if it is possible to hide ip address
> > from my squid box to destination server. Because I see
> > that some sites are limiting their traffic for certain ip address.
>
> How do you expect the destination server to send back TCP packages if you
> hide the IP address?
>
> Joost
>
>
I think what he wants to do is to masquerade the requests from the
squid proxy server IP to the client's IPs.
There is a patch for the Linux Kernel (tproxy) but I do not use Linux.
Following advise form Henrik Nordström, I used tcp_outgoing_address
and NAT to masquerade the requests.
client IP -> squid -> squid sets tcp_outgoing_address to private IP
NAT masquerades private IP to client IP -> internet
here is how it worked for a friend of mine.
NAT must use bidirectional mapping (1:1 mapping)
eg: client 1 public IP 1.2.3.1 bimaped to private IP 10.0.0.1
NAT must be done on the external interface (the one connecting squid
to the gateway/router)
We used FreeBSD and tested IPFILTER/IPNAT
example ipnat.conf
bimap $ext_if from 10.0.0.1/32 to 0.0.0.0/0 port = 80 -> 1.2.3.1/32
bimap $ext_if from 10.0.0.2/32 to 0.0.0.0/0 port = 80 -> 1.2.3.2/32
bimap $ext_if from 10.0.0.3/32 to 0.0.0.0/0 port = 80 -> 1.2.3.3/32
-----
Used the loopback interface to create the aliases for private IPs.
The alias netmask must be set to 255.255.255.255 to avoid conflicts
exampe:
ifconfig lo0 inet 10.0.0.1 netmask 0xffffffff alias
ifconfig lo0 inet 10.0.0.2 netmask 0xffffffff alias
ifconfig lo0 inet 10.0.0.3 netmask 0xffffffff alias
-----
edit squid.conf and
# to hide the proxy connection
header_access Via deny all
header_access X-Forwarded-For deny all
# insert acl for each client
acl Client1 src 1.2.3.1
acl Client2 src 1.2.3.2
acl Client3 src 1.2.3.3
# set tcp_outgoing_address to private IP for each Client
tcp_outgoing_address 10.0.0.1 Cleint1
tcp_outgoing_address 10.0.0.2 Cleint2
tcp_outgoing_address 10.0.0.3 Cleint3
-----
I hope this helps !!!
-- Regards. Abu KhaledReceived on Wed Jul 06 2005 - 19:45:28 MDT
This archive was generated by hypermail pre-2.1.9 : Mon Aug 01 2005 - 12:00:02 MDT