On Thu, Jul 03, 2003 at 11:15:08AM +0000, jan@tegtmeier.de wrote:
> Hi,
> why do I need "iptables -t tproxy -A PREROUTING -j TPROXY --on-port" to replace "iptables -t nat -A PREROUTING -j DNAT --to-dest <localip> --to-port <proxyport>"? Where is the difference? Does the TPROXY-thing use the nat-helper modules of netfilter too?
No, it doesn't. The basic differences:

- no application level helpers are applied in any way
- the connection is marked so that '-m tproxy' matches it

For UDP packets another difference is present:

- the incoming packet is not conntracked, it is simply one-way NATed to the destination, so the proxy is free to create a new socket with a different local port

Added benefit is that proxy rules are separated from NAT rules, making the ruleset cleaner.

-- 
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1