[tproxy] Re: Difference between DNAT and TPROXY

Balazs Scheidler bazsi@balabit.hu
Thu, 3 Jul 2003 16:12:10 +0200


On Thu, Jul 03, 2003 at 02:04:48PM +0000, jan@tegtmeier.de wrote:
> >>why do I need "iptables -t tproxy -A PREROUTING -j TPROXY
> >>--on-port" to replace "iptables -t nat -A PREROUTING -j DNAT
> >>--to-dest <localip> --to-port <proxyport>"?
> >>Where is the difference? Does the TPROXY-thing use the
> >>nat-helper modules of netfilter too? 
> >
> >no it doesn't. The basic differences:
> >- no application level helpers are applied in any way
> >- the connection is marked so that '-m tproxy' matches it 
> >
> >For UDP packets another difference is present:
> >- the incoming packet is not conntracked, it is simply
> >  one-way NATed to the destination, so the proxy is free
> >  to create a new socket with different local port 
> >
> >Added benefit is that proxy rules are separated from NAT rules making the
> >ruleset cleaner.
> 
> You say, udp packets are not conntracked - what about the tcp packets? 
> 
> If they are conntracked, do you see an easy way of preventing this? I'm
> going to masquerade the outgoing traffic. The result would be that the
> connection would be conntracked twice:
> - once in prerouting chain on the way from the incoming interface to
> the local proxy and
> - the 2nd time in the output chain for the masquerading of the locally
> generated proxy connections to the real targets.
> As no nat is needed for tproxy, the conntracking is not needed either. 

NAT _is_ needed as redirection is implemented using NAT. TCP sessions are
conntracked and this has to be so.

-- 
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1