From 1018fbca115403bbd7cf5960036b7976c0c0e76f Mon Sep 17 00:00:00 2001 From: "W. Trevor King" Date: Fri, 21 Feb 2014 11:08:59 -0800 Subject: [PATCH] README: Document tranparent proxy setup --- README | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) diff --git a/README b/README index 1a8f3fa..6a0d1c3 100644 --- a/README +++ b/README @@ -59,6 +59,31 @@ Portage_, that's going to be something like: in your ``/etc/portage/make.conf``. +If you *don't* want to tweak your clients (perhaps there are many of +them, or they are out of your direct control), you can add some +firewall rules to your router to transparently proxy specific Gentoo +mirrors. With an internal ``eth1`` and an internal proxy on +192.168.0.11, that looks something like:: + + # CACHE_IP=192.168.0.11 + # for SOURCE_IP in $(dig +short distfiles.gentoo.org); + > do + > iptables --table nat --append PREROUTING --protocol tcp \ + > --in-interface eth1 ! --source "${CACHE_IP}" \ + > --destination "${SOURCE_IP}" \ + > --match tcp --destination-port 80 \ + > --jump DNAT --to-destination "${CACHE_IP}:4000" ; + > done + +To remove those entries later, repeat the command with ``--delete`` +instead of ``--append``. You may need to list the ``SOURCE_IP`` values +explicitly if the DNS entries have changed. Run:: + + # iptables --table nat --list PREROUTING --numeric + +to list the entries. See ``iptables(8)`` and +``iptables-extensions(8)`` for more details. + .. _Gentoo's distfiles: https://wiki.gentoo.org/wiki/Project:Infrastructure/Source_mirrors .. _Cache-Control headers: -- 2.26.2
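Review bot: the ``for SOURCE_IP in $(dig +short distfiles.gentoo.org)`` loop in the first literal block passes every output line to ``--destination``, but ``dig +short`` prints CNAME targets as well as addresses. Any alias in the chain is handed to iptables as a hostname and resolved again when the rule is inserted, which can append duplicate rules. Filter the output to IPv4 addresses before looping, for example with ``grep -E '^[0-9.]+$'``, so that the later ``--delete`` pass removes exactly what ``--append`` added. The text should also state that the DNAT rule alone only works when the proxy's replies travel back through the router. The ``! --source "${CACHE_IP}"`` exclusion on ``eth1`` implies the proxy sits on the same segment as the clients. If so, the proxy answers clients directly from 192.168.0.11, and they reject the reply unless a matching SNAT or MASQUERADE rule is added in POSTROUTING. Minor: "tranparent" in the subject line should be "transparent".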