What does the redirect target in detail?

What does the redirect target in detail?

[Sebastian Roemer]

Hi,

I'm desperately looking for an explanation on the redirect target.
In what way does it influence the traversing order of packages through 
the tables/chains or is it out of reach for netfilter as soon as it hits REDIRECT?
If not, how does the packages look like in the following tables/chains,
is the source and destination address modified?
Or is it handeled internally like the MARKs, meaning that a redirected
package reaches its modified destination unspoiled?



Thanks for your help

Sebastian R.

Re: What does the redirect target in detail?

[Jorge Dávila]

http://iptables-tutorial.frozentutx.net/

On Fri, Feb 20, 2009 at 6:27 PM, Sebastian Roemer <tengaman@wolke7.net> wrote:
> Hi,
>
> I'm desperately looking for an explanation on the redirect target.
> In what way does it influence the traversing order of packages through
> the tables/chains or is it out of reach for netfilter as soon as it hits REDIRECT?
> If not, how does the packages look like in the following tables/chains,
> is the source and destination address modified?
> Or is it handeled internally like the MARKs, meaning that a redirected
> package reaches its modified destination unspoiled?
>
>
>
> Thanks for your help
>
> Sebastian R.
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>
>



-- 
Jorge Isaac Dávila López
+505 430 5462
jorgedavilalopez@gmail.com

But how then does a transparent proxy works?

[Sebastian R.]

Thanks,

but I still don't understand how this makes any sense whith regards to
a transparent proxy configuration.
From the tutorial:
>Locally generated packets are mapped to the 127.0.0.1 address. In other
>words, this rewrites the destination address to our own host for packets
>that are forwarded, or something alike.
>iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080
The proxy couldn't tell where the package was destined for, if the
destination address was mapped to 127.0.0.1.


Thanks for your time

Sebastian R.

[SOLVED] But how then does a transparent proxy works?

[Sebastian Roemer]

I've found some hints

http://tldp.org/HOWTO/TransparentProxy-4.html:
>The reason is that the mechanism by which the process determines the
>original destination address has changed from linux 2.2, and only
>squid-2.4 has this new code in it. (For those of you who are interested,
>previously the getsockname() call was hacked to provide the original
>destination address, but now the call is getsockopt() with a level of
>SOL_IP and an option of SO_ORIGINAL_DST). 

http://wiki.squid-cache.org/SquidFaq/InterceptionProxy:
>You can usually manually configure browsers to connect to the IP address
>and port which you have specified as intercepted. The only drawback is
>that there will be a very slight (and probably unnoticeable) performance
>hit as a syscall done to see if the connection is intercepted. If no
>interception state is found it is processed just like a normal
>connection.

Thanks for your patience
Sebastian R.