From: "Antonio Augusto (Mancha)" <mkhaos7@gmail.com>
To: ptb@inv.it.uc3m.es
Cc: netfilter@vger.kernel.org
Subject: Re: [help] modern iptables rule for transproxy
Date: Fri, 18 Jan 2008 15:59:00 -0300
Message-ID: <4c6e034d0801181059v16a4cfa8o48c7dfe9c178e13a@mail.gmail.com>
In-Reply-To: <200801181807.m0II78NV022087@betty.it.uc3m.es>
(forgot to cc it to the list)
On Jan 18, 2008 3:07 PM, Peter T. Breuer <ptb@inv.it.uc3m.es> wrote:
>
> Philip Craig wrote:
> > [ptb]
> > > There's no "perhaps" in it! That's the problem description. How to get
> > > outgoing http requests to distant port 80s to be redirected to a proxy
> > > daemon sitting on port 8081 of the LOCAL machine instead.
> >
> > Then you need the rule in the OUTPUT chain. PREROUTING only sees forwarded
>
> So PREROUTING = forwarding! I seeeeee. Not "before any routing takes
> place", as one might naively have supposed from the name :).
>
Not really... PREROUTING occurs before any routing takes place, and
it's NOT the same as FORWARD.
The reason you have to use OUTPUT there is because you want to be
able to redirect connections originating from the localhost. Packets
COMING from localhost DON'T pass through the PREROUTING chain.
Attached you will find a figure that I did that represents how packets
traverse the netfilter hooks/chains.
It's in Portuguese, but the chains are in English.
In the figure the two circles at the top are the input and output
interfaces (from left to right).
The circle at the bottom is a local process that generates packets,
and the one in the middle represents the routing decision.
Note that packets coming from the localhost (like you said you were
doing) never pass through the PREROUTING chain.
Hope this made things clearer for you :)
--
Information & Security - Information for your security on the network.
http://info-seg.blogspot.com
[-- Attachment #2: netfilter_flow.jpg --]
[-- Type: image/jpeg, Size: 41164 bytes --]
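The traversal the figure describes can be written down as a small model, which makes the practical consequence concrete: where a packet enters (a local process or an input interface) fixes which chains it passes, so a nat REDIRECT for locally generated HTTP has to sit in OUTPUT, while one for forwarded LAN traffic sits in PREROUTING. The model below is an added illustration, not code from this thread; the packet fields, the rule record, the numeric uid 13 standing for the proxy's user, and the `-m owner ! --uid-owner` exemption (which keeps the proxy's own upstream fetches to port 80 from being redirected back into itself) are choices made for the example.

```python
"""Toy model of netfilter hook traversal and nat REDIRECT placement.

Added illustration for the OUTPUT-vs-PREROUTING point in the mail above;
not code from the thread. Packet/rule fields and PROXY_UID are assumptions.
"""
from dataclasses import dataclass, replace
from typing import List, Optional

PROXY_PORT = 8081   # port of the local proxy daemon, as in the thread
PROXY_UID = 13      # assumed numeric uid the proxy daemon runs as


@dataclass(frozen=True)
class Packet:
    origin: str                # "local": sent by a local process; "ingress": arrived on an input interface
    dst_local: bool            # routing decision: True = deliver locally, False = send out an interface
    dport: int
    uid: Optional[int] = None  # owner of the sending socket; only meaningful when origin == "local"


@dataclass(frozen=True)
class RedirectRule:
    chain: str                        # nat chain the rule lives in: "PREROUTING" or "OUTPUT"
    dport: int                        # --dport to match
    to_port: int                      # REDIRECT --to-ports
    exclude_uid: Optional[int] = None # -m owner ! --uid-owner <uid>; exempts that user's packets


def chain_path(pkt: Packet) -> List[str]:
    """Chains the packet traverses, in order, following the figure:
    input interface -> PREROUTING -> routing decision -> INPUT, or FORWARD -> POSTROUTING;
    local process -> routing decision -> OUTPUT -> POSTROUTING -> output interface."""
    if pkt.origin == "ingress":
        return ["PREROUTING", "INPUT"] if pkt.dst_local else ["PREROUTING", "FORWARD", "POSTROUTING"]
    if pkt.origin == "local":
        # A locally generated packet never sees PREROUTING on its way out.
        return ["OUTPUT", "POSTROUTING"]
    raise ValueError(f"unknown origin {pkt.origin!r}")


def as_iptables(rule: RedirectRule) -> str:
    """Render the rule as the iptables command line that installs it."""
    if rule.exclude_uid is not None and rule.chain not in ("OUTPUT", "POSTROUTING"):
        # xt_owner can only look at the sending socket, so it is valid only in OUTPUT/POSTROUTING.
        raise ValueError("owner match is only valid in OUTPUT and POSTROUTING")
    cmd = f"iptables -t nat -A {rule.chain} -p tcp --dport {rule.dport}"
    if rule.exclude_uid is not None:
        cmd += f" -m owner ! --uid-owner {rule.exclude_uid}"
    return cmd + f" -j REDIRECT --to-ports {rule.to_port}"


def apply_nat(rules: List[RedirectRule], pkt: Packet) -> Packet:
    """Walk the packet's chain path and apply the first matching REDIRECT,
    as the nat table does for the first packet of a connection."""
    for chain in chain_path(pkt):
        for rule in rules:
            if rule.chain != chain or pkt.dport != rule.dport:
                continue
            if rule.exclude_uid is not None and pkt.uid == rule.exclude_uid:
                continue  # the proxy's own upstream fetch stays on port 80: no redirect loop
            # REDIRECT rewrites the destination to a local address and the given port.
            return replace(pkt, dport=rule.to_port, dst_local=True)
    return pkt


def demo() -> dict:
    """Constructed packets: a local browser, the proxy's upstream fetch, and a forwarded LAN client."""
    browser = Packet("local", False, 80, uid=1000)
    proxy_upstream = Packet("local", False, 80, uid=PROXY_UID)
    lan_client = Packet("ingress", False, 80)

    only_prerouting = [RedirectRule("PREROUTING", 80, PROXY_PORT)]
    with_output = only_prerouting + [RedirectRule("OUTPUT", 80, PROXY_PORT, exclude_uid=PROXY_UID)]

    return {
        "local_prerouting_only": apply_nat(only_prerouting, browser).dport,  # 80: never saw PREROUTING
        "local_with_output": apply_nat(with_output, browser).dport,          # 8081: caught in OUTPUT
        "proxy_with_output": apply_nat(with_output, proxy_upstream).dport,   # 80: exempted by owner match
        "forwarded": apply_nat(with_output, lan_client).dport,               # 8081: caught in PREROUTING
        "rules": [as_iptables(r) for r in with_output],
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The owner exemption is the check to keep in mind when the proxy runs on the same box: without it, the proxy's own connection to the origin server on port 80 is itself locally generated, passes OUTPUT, and is redirected back to port 8081.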
Thread overview: 10+ messages
2008-01-18 18:07 [help] modern iptables rule for transproxy Peter T. Breuer
2008-01-18 18:59 ` Antonio Augusto (Mancha) [this message]
2008-01-21 0:48 ` Philip Craig
-- strict thread matches above, loose matches on Subject: below --
2008-01-15 19:33 Peter T. Breuer
2008-01-15 23:55 ` Philip Craig
2008-01-12 10:59 Peter T. Breuer
2008-01-12 14:38 ` Gonzalo Arana
2008-01-12 14:58 ` James Lay
2008-01-10 16:02 Peter T. Breuer
2008-01-11 3:30 ` Amos Jeffries