[tproxy] Re: Difference between DNAT and TPROXY

jan@tegtmeier.de jan@tegtmeier.de
Thu, 03 Jul 2003 14:04:48 GMT

>> why do I need "iptables -t tproxy -A PREROUTING -j TPROXY
>> --on-port" to replace "iptables -t nat -A PREROUTING -j DNAT
>> --to-dest <localip> --to-port <proxyport>"?
>> Where is the difference? Does the TPROXY-thing use the
>> nat-helper modules of netfilter too? 
> no it doesn't. The basic differences:
> - no application level helpers are applied in any way
> - the connection is marked so that '-m tproxy' matches it 
> For UDP packets another difference is present:
> - the incoming packet is not conntracked, it is simply
>   one-way NATed to the destination, so the proxy is free
>   to create a new socket with different local port
> Added benefit is that proxy rules are separated from NAT rules making the
> ruleset cleaner.

You say UDP packets are not conntracked - what about the TCP packets?

If they are conntracked, do you see an easy way of preventing this? I'm
going to masquerade the outgoing traffic. The result would be that the
connection would be conntracked twice:
 - once in prerouting chain on the way from the incoming interface to
 the local proxy and
 - the 2nd time in the output chain for the masquerading of the locally
 generated proxy connections to the real targets.
As no NAT is needed for tproxy, the conntracking is not needed either.