[tproxy] Difference between DNAT and TPROXY
Balazs Scheidler
bazsi@balabit.hu
Thu, 3 Jul 2003 14:25:07 +0200
On Thu, Jul 03, 2003 at 11:15:08AM +0000, jan@tegtmeier.de wrote:
> Hi,
>
> why do I need "iptables -t tproxy -A PREROUTING -j TPROXY --on-port" to
> replace "iptables -t nat -A PREROUTING -j DNAT --to-dest <localip>
> --to-port <proxyport>"? Where is the difference? Does the TPROXY-thing use
> the nat-helper modules of netfilter too?
No, it doesn't. The basic differences:
- no application level helpers are applied in any way
- the connection is marked so that '-m tproxy' matches it
For UDP packets another difference is present:
- the incoming packet is not conntracked, it is simply one-way NATed to the
destination, so the proxy is free to create a new socket with a different
local port
An added benefit is that proxy rules are separated from NAT rules, making the
ruleset cleaner.
--
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1