"Jean-Michel Hemstedt" <[EMAIL PROTECTED]> wrote: >=> goal:
>3) for both: keep the source ip addresses of the clients > in the modified forwarded packets, so that the proxy > can do simple source based authentication (possibly > with the collaboration of exteral elements such as > radius, but athentication is out of scope here). Assuming that a "user-level gateway" is an option, the patch/hack for IP_NONLOCAL_CONNECT posted to linux-kernel by Alexey Kuznetsov (http://www.uwsg.iu.edu/hypermail/linux/kernel/0109.0/0474.html) seems to work. --Per Hedeland [EMAIL PROTECTED]