Linux routing fun

Ben Scott dragonhawk at gmail.com
Tue Oct 9 14:33:38 EDT 2007


On 10/9/07, Brian <brk-gnhlug at karas.net> wrote:
> However, all the outbound connections seem to originate from the
> lowest numbered IP on the /28 subnet.

  Right.  Unless a program takes explicit action to bind its socket to
a particular IP address, the kernel router will choose the source IP
address for it.  (Generally, the kernel will pick the IP address of
the interface "closest" (in terms of the kernel IP routing table) to
the destination.)

  I'm not sure if Thomas Charron's suggestion of ProxySourceAddress
will work for your needs either.  It would depend on how
ProxySourceAddress is implemented.  But quite often, such things
specify a global option.  So you'll be able to change everyone's
source address to something in particular, but not control the source
address on a client-by-client or connection-by-connection basis.  A
quick glance at the patch's code makes me suspect this might be the
case, as it appears to be setting the socket in association with a
"worker" data structure, which I would guess is the worker thread, and
not the proxy client.  This is more of a guess than anything else,
though, so you might want to try it anyway.

  Assuming my guess is correct, you could work around that by running
a different instance of Apache for each and every IP address, but that
would be seriously ugly.

  I believe the Squid HTTP proxy *does* have the capability of
selecting its own source IP address based on the IP address of the
client (by using the "tcp_outgoing_address" directive in combination
with ACLs).  I think you'd need to have an ACL for every possible
source IP address, which is a bit yucky, but should work, I think.
(I've only ever used tcp_outgoing_address without ACL qualification).

  It is possible to easily control translation of network addresses in
the kernel NAT layer at the level of detail you require, so if you can
live with network-layer translation rather than an application-level
proxy, that might be a good alternative.

  Is there some other problem you're trying to solve here?  Some
context might yield some other ideas.  :)

-- Ben
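As an added example (not part of Ben's message or of the thread), the following POSIX shell script shows the two per-client source-address approaches discussed above side by side: it turns one client-to-egress mapping into a Squid `acl` / `tcp_outgoing_address` configuration and into the equivalent iptables `SNAT` rules for the kernel NAT layer. All addresses are constructed sample values (clients in 192.168.1.0/24, egress addresses in a sample 203.0.113.16/28), the outbound interface name `eth0` is an assumption, and the function names are mine.

```shell
#!/bin/sh
# Added example, not from the original thread.  Generates a per-client
# source-address mapping in the two forms mentioned in the message:
#   1. Squid: one ACL per client plus a tcp_outgoing_address binding
#   2. Kernel NAT: one iptables SNAT rule per client in POSTROUTING
# The client/egress addresses are constructed samples; EGRESS_IF is an
# assumption about the interface the /28 lives on.

EGRESS_IF="${EGRESS_IF:-eth0}"

# Constructed mapping, one "<client IP> <egress IP>" pair per line.
# Each proxy client is pinned to a distinct address of the sample /28.
CLIENT_MAP='
192.168.1.10 203.0.113.17
192.168.1.11 203.0.113.18
192.168.1.12 203.0.113.19
'

# Default egress used by Squid for anything the per-client ACLs miss
# (assumption: the lowest address, matching the behaviour described
# in the thread where the kernel picks it anyway).
DEFAULT_EGRESS="203.0.113.17"

# Reject a mapping that reuses an egress address: two clients sharing
# one outbound IP would defeat the per-client attribution the thread
# is after.  Returns non-zero and names the duplicate on failure.
check_map() {
    printf '%s\n' "$CLIENT_MAP" | awk '
        NF == 2 { if (seen[$2]++) { print "duplicate egress " $2; bad = 1 } }
        END     { exit bad }'
}

# ACL names are derived from the client address (dots -> underscores)
# so they stay unique and self-describing in squid.conf.
acl_name() {
    printf 'src_%s' "$1" | tr . _
}

# Emit squid.conf lines.  Squid evaluates tcp_outgoing_address lines in
# order and uses the first whose ACL matches, so the unqualified default
# must come last.
squid_rules() {
    printf '%s\n' "$CLIENT_MAP" | while read -r client egress; do
        [ -n "$client" ] || continue
        name=$(acl_name "$client")
        printf 'acl %s src %s/32\n' "$name" "$client"
        printf 'tcp_outgoing_address %s %s\n' "$egress" "$name"
    done
    printf 'tcp_outgoing_address %s\n' "$DEFAULT_EGRESS"
}

# Emit the network-layer alternative: source NAT keyed on the client
# address, applied to traffic leaving via the egress interface.  The
# script prints the commands rather than running them so it can be
# reviewed before being applied on a router.
nat_rules() {
    printf '%s\n' "$CLIENT_MAP" | while read -r client egress; do
        [ -n "$client" ] || continue
        printf 'iptables -t nat -A POSTROUTING -s %s/32 -o %s -j SNAT --to-source %s\n' \
            "$client" "$EGRESS_IF" "$egress"
    done
}

# Stand-alone usage: validate the map, then print both configurations.
if [ "${1:-}" = "--print" ]; then
    check_map || exit 1
    echo "# squid.conf fragment"
    squid_rules
    echo
    echo "# iptables SNAT rules"
    nat_rules
fi
```

Run with `sh script.sh --print` to see both fragments; the NAT variant only needs the router to be the client's default gateway, while the Squid variant needs every client address (or range) enumerated as an ACL, which is the part of the message that calls it "yucky". Note that the SNAT rule translates addresses for all protocols from that client, not just proxied HTTP.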
