I'm using Qubes OS, a system based on the Xen microkernel, which let you run easily multiple Virtual Machines and compartmentalize your digital life. All the domains are connected by default (through virtual interfaces) to a FirewallVM which is connected to a NetworkVM, the machine wich manages your Network Card and provides the real Internet connectivity.
I was trying to redirect (on the FirewallVM) the DNS requests coming from some domains to a local DNS cache server (instead of the NetworkVM) and I discovered that I have to use DNAT to redirect outside request (coming in from an ApplicationVM through a virtual interface) to localhost, as explained here: iptables redirect outside requests to 127.0.0.1:
iptables -t nat -A PREROUTING -i vifX -p udp --dport 53 -j DNAT --to-destination 127.0.0.1:5353
The point is when I used systems like Debian, without Virtual Machines, for example, to redirect HTTP traffic through a local proxy, like Privoxy (running on 127.0.0.1), I could use REDIRECT:
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8118
I can't understand why this doesn't apply in my actual situation, since in both case we are talking about outside packets, coming from the network card in one case and from the virtual interface in the other that need to be redirected to a local port.
Is there any chance this behaviour could be interface specific?
