On Thu, Jul 03, 2003 at 02:04:48PM +0000, jan@tegtmeier.de wrote:
> > > Why do I need "iptables -t tproxy -A PREROUTING -j TPROXY --on-port" to replace "iptables -t nat -A PREROUTING -j DNAT --to-dest <localip> --to-port <proxyport>"? Where is the difference? Does the TPROXY thing use the NAT helper modules of netfilter too?
> > No, it doesn't. The basic differences:
> > - no application-level helpers are applied in any way
> > - the connection is marked so that '-m tproxy' matches it
> > For UDP packets another difference is present:
> > - the incoming packet is not conntracked; it is simply one-way NATed to the destination, so the proxy is free to create a new socket with a different local port
> > An added benefit is that proxy rules are separated from NAT rules, making the ruleset cleaner.
> You say UDP packets are not conntracked; what about the TCP packets?
> If they are conntracked, do you see an easy way of preventing this? I'm going to masquerade the outgoing traffic. The result would be that the connection would be conntracked twice:
> - once in the PREROUTING chain on the way from the incoming interface to the local proxy, and
> - the second time in the OUTPUT chain for the masquerading of the locally generated proxy connections to the real targets.
> As no NAT is needed for tproxy, the conntracking is not needed either.
NAT _is_ needed, as redirection is implemented using NAT. TCP sessions are conntracked, and this has to be so.

-- 
Bazsi
PGP info: KeyID 9AF8D0A9  Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1