[tproxy] Difference between DNAT and TPROXY

Balazs Scheidler bazsi@balabit.hu
Thu, 3 Jul 2003 14:25:07 +0200

On Thu, Jul 03, 2003 at 11:15:08AM +0000, jan@tegtmeier.de wrote:
> Hi,
> why do I need "iptables -t tproxy -A PREROUTING -j TPROXY --on-port" to 
> replace "iptables -t nat -A PREROUTING -j DNAT --to-dest <localip> 
> --to-port <proxyport>"? Where is the difference? Does the TPROXY-thing use 
> the nat-helper modules of netfilter too? 

no it doesn't. The basic differences:
- no application level helpers are applied in any way
- the connection is marked so that '-m tproxy' matches it

For UDP packets another difference is present:
- the incoming packet is not conntracked, it is simply one-way NATed to the
  destination, so the proxy is free to create a new socket with different
  local port

Added benefit is that proxy rules are separated from NAT rules making the
ruleset cleaner.

PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1