18

Okay, it may be because I am dense or maybe just not finding the right source, but I can't understand why one of these IPTABLES setups would be better than the other.

Here is my setup:

I have a box that is serving as a transparent proxy and a router of sorts. It has two interfaces on it, ETH0 and ETH1, and the following address scheme:

ETH0 = DHCP
ETH1 = 192.168.5.1/24, serving up DHCP for the 192.168.5.0/24 network to clients behind it in the LAN

I have privoxy installed and listening on port 8080 as a transparent proxy. What I am accomplishing with this setup is to be able to drop this box into an existing network with minimal configuration and attach clients to the proxy.

Here is my original IPTABLES file:

*nat
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-port 8080
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
COMMIT

This configuration works fine and traffic is flowing back and forth without issue. I get the originating client's IP address in the privoxy logfiles, and life is good.

My confusion comes in when I start looking at other people's configurations and see that they are using DNAT instead of REDIRECT, and I am trying to understand the real benefit of one over the other. Here is a sample config:

*nat
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j DNAT --to 192.168.5.1:8080
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
COMMIT

Again, this configuration works too, and gives me all I need from a logging perspective...

Which is right, or maybe MORE right, than the other one?

Thanks for taking time to read this far...

QWade

2 Answers

19

REDIRECT alters the destination IP address to send to the machine itself. In other words, locally generated packets are mapped to the 127.0.0.1 address. It's for redirecting local packets. If you only want to redirect the traffic between services on the local machine, it will be a good choice.

DNAT is actual Network Address Translation. If you want packets destined outside of the local system to have the destination altered, it's the better choice of the two, as REDIRECT will not work.

Warner
  • Okay, so if I have a client sitting behind the proxy, say on 192.168.5.234, and I want to "process" its HTTP requests through the proxy on 192.168.5.1, you are suggesting that I should DNAT outbound port 80 traffic to 192.168.5.1:8080 on the proxy. I can buy that, but WHY???? Is it something to do with how the traffic is handled once it leaves the proxy's ETH0 on its way out through the default gateway to the Internet? I need to grok this or my head will explode – QWade Sep 08 '10 at 14:47
  • 2
    DNAT changes the address as the packet passes through the firewall so that it arrives at the desired host, and on the reverse appears to have come from the firewall. DNAT almost never applies to outbound traffic, which is handled by the MASQUERADE rule. If the privoxy was on another host, then DNAT would be appropriate, with an appropriate exception for that host. – BillThor Sep 08 '10 at 16:28
  • Bill, thank you. That is where my reptilian brain was going, but it is always nice to have validation. So if I send a packet destined for http://www.google.com from 192.168.5.234 and it has its default gw set as 192.168.5.1 (eth1 on the proxy), I should "REDIRECT" that packet to port 8080 on the proxy and let privoxy do the rest. The reason for this is because privoxy lives on 192.168.5.1 and not on another host. Am I smoking something I shouldn't? – QWade Sep 08 '10 at 16:52
14

REDIRECT does alter the destination IP address to send to the machine itself, as answered by @Warner. But I'd say that answer is not totally correct, or a bit misleading.

REDIRECT is not just for redirecting local packets. It is really DNAT in which the destination IP address to use is implicit, 127.0.0.1 if it is a local packet or the machine interface's IP address otherwise, 192.168.5.1 in the case of the OP.

So in this question, no matter what the final destination, the packets should first reach the proxy, so REDIRECT is perfectly suited.

Since with REDIRECT you don't need to specify the IP address (it will just take the right one), it has some advantages over DNAT:

  • If the machine's IP address changes for any reason you don't need to modify your rules, and in particular DNAT will not work for DHCP-controlled interfaces.

  • You can write and maintain the same rules for several systems (several proxy instances for example) without keeping slightly different versions because of the specific IP addresses.

Hod
Julio Diez
  • somehow like snat/masquerade. – Jichao Jul 18 '19 at 03:10
  • 2
    @Hod, I hear REDIRECT is a special case of DNAT, but I use REDIRECT and TOR knows the actual destination of a packet, so I conclude daddr and dport of iphdr and tcphdr structures are intact, and the packet just returned to REDIRECT destination by kernel. DNAT will actually modify the structures. Am I wrong? – wick Sep 22 '19 at 10:58
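The point made in the question's two configs and in the second answer (REDIRECT is DNAT with an implicit destination address, which is why it survives an address change on a DHCP-controlled interface) can be checked without a router to hand. The following is an added Python model written for this page, not code from the question, the answers, or the netfilter project: it imitates the nat table's PREROUTING/OUTPUT decision for a connection's first packet and the conntrack entry the kernel keeps so that replies are reverse-translated and the original destination stays available to the proxy (the real kernel exposes that via the SO_ORIGINAL_DST socket option). All packets, ports and the 203.0.113.10 destination are constructed sample values; the `NatBox`, `NatRule` and `Packet` names are this model's own.

```python
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple

LOOPBACK = "127.0.0.1"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    in_iface: Optional[str]  # None models a locally generated packet (OUTPUT chain)


@dataclass(frozen=True)
class NatRule:
    """One rule of the form '-i in_iface -p tcp --dport dport -j target'."""
    in_iface: Optional[str]
    dport: int
    target: str                     # "REDIRECT" or "DNAT"
    to_port: int
    to_addr: Optional[str] = None   # only DNAT carries an explicit address


def nat_destination(rule: NatRule, pkt: Packet, iface_addrs: Dict[str, str]) -> str:
    """Address the rule rewrites the destination to.

    REDIRECT has no address operand: the loopback address is used for locally
    generated packets, otherwise the primary address of the interface the packet
    arrived on. DNAT uses the address written in the rule, whatever the box's
    current addresses are.
    """
    if rule.target == "REDIRECT":
        return LOOPBACK if pkt.in_iface is None else iface_addrs[pkt.in_iface]
    if rule.target == "DNAT":
        if rule.to_addr is None:
            raise ValueError("DNAT needs --to-destination")
        return rule.to_addr
    raise ValueError(f"unsupported target {rule.target}")


class NatBox:
    """Toy model of the nat table plus the conntrack entries it creates."""

    def __init__(self, rules: List[NatRule], iface_addrs: Dict[str, str]) -> None:
        self.rules = rules
        self.iface_addrs = iface_addrs
        # conntrack: (client addr, client port) -> (original dst, original dport)
        self.conntrack: Dict[Tuple[str, int], Tuple[str, int]] = {}

    def inbound(self, pkt: Packet) -> Packet:
        """Apply the first matching rule to a new connection's first packet."""
        for rule in self.rules:
            if rule.in_iface == pkt.in_iface and rule.dport == pkt.dport:
                new_dst = nat_destination(rule, pkt, self.iface_addrs)
                self.conntrack[(pkt.src, pkt.sport)] = (pkt.dst, pkt.dport)
                return replace(pkt, dst=new_dst, dport=rule.to_port)
        return pkt

    def original_destination(self, client: str, port: int) -> Optional[Tuple[str, int]]:
        """What a transparent proxy reads back via SO_ORIGINAL_DST (both targets)."""
        return self.conntrack.get((client, port))

    def reply(self, pkt: Packet) -> Packet:
        """Reverse-translate the proxy's reply so the client sees the address it dialled."""
        orig = self.conntrack.get((pkt.dst, pkt.dport))
        return pkt if orig is None else replace(pkt, src=orig[0], sport=orig[1])


# The two rules from the question, modelled one-for-one.
REDIRECT_RULE = NatRule("eth1", 80, "REDIRECT", 8080)
DNAT_RULE = NatRule("eth1", 80, "DNAT", 8080, to_addr="192.168.5.1")


def compare_targets(eth1_addr: str) -> Dict[str, str]:
    """Where each rule sends a LAN client's port-80 packet given eth1's current address."""
    client = Packet("192.168.5.234", 40001, "203.0.113.10", 80, "eth1")  # constructed
    out = {}
    for name, rule in (("REDIRECT", REDIRECT_RULE), ("DNAT", DNAT_RULE)):
        translated = NatBox([rule], {"eth1": eth1_addr}).inbound(client)
        out[name] = f"{translated.dst}:{translated.dport}"
    return out


def local_packet_redirect() -> str:
    """A packet the proxy box itself generates is REDIRECTed to loopback."""
    box = NatBox([NatRule(None, 80, "REDIRECT", 8080)], {})
    pkt = box.inbound(Packet("192.168.5.1", 40002, "203.0.113.10", 80, None))
    return f"{pkt.dst}:{pkt.dport}"


def round_trip() -> Tuple[Optional[Tuple[str, int]], str]:
    """Original destination seen by the proxy, and the source the client sees on the reply."""
    box = NatBox([REDIRECT_RULE], {"eth1": "192.168.5.1"})
    req = box.inbound(Packet("192.168.5.234", 40003, "203.0.113.10", 80, "eth1"))
    orig = box.original_destination("192.168.5.234", 40003)
    resp = box.reply(Packet(req.dst, req.dport, req.src, req.sport, None))
    return orig, f"{resp.src}:{resp.sport}"


if __name__ == "__main__":
    print(compare_targets("192.168.5.1"))   # both land on 192.168.5.1:8080
    print(compare_targets("192.168.7.1"))   # DHCP moved eth1: only REDIRECT follows
    print(local_packet_redirect())
    print(round_trip())
```

With eth1 at 192.168.5.1 the two rules are indistinguishable, which is why both of the question's configs work. Give eth1 a different address and the DNAT rule keeps steering traffic to the old 192.168.5.1, while REDIRECT follows the interface, which is the practical reason the second answer prefers it for a proxy living on the box itself. In both cases the destination fields in the packet are rewritten; the original destination is not left in the header but kept in the connection-tracking entry, which is what the proxy consults.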