TPROXY and original dest address question
Thu, 28 Mar 2002 16:39:51 +0100
Thanks. Explains it quite well.
So there is yet another state table involved here.
Now I am a little confused. What exactly is it that makes this new state table
better suited for the job than conntrack?
Balazs Scheidler wrote:
> Yes, sorry. There's a translation table in TPROXY independent from the
> tproxy iptables table.
> The rules are in the iptables table called 'tproxy', which contains one
> transparent proxy rule for each service needed.
> As a connection is established, a new entry is added to the translation
> table with: remote addr/remote port, original dest/original port, local
> dest/local port.
> Then both the prerouting and the local output hooks perform translation of
> the packet flow according to the translation table.
> In a sense this table is similar to the conntrack tables, with the
> exception that the primary focus is to assign packet endpoints with local
> sockets, identified by their own IP/port pair.
> Thus the connection between a redirected session and a local socket is not
> the socket layer, but this translation table, therefore no packet with
> foreign IP address enters the networking core.
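To make the translation-table mechanism in the quoted reply concrete, here is a small user-space model of it. This is an added illustration, not code from the TPROXY patch itself: the kernel keeps this state in-kernel and hooks it into netfilter, whereas this model just applies the same two rewrites (prerouting rewrites the destination to the local socket, local output rewrites the source back to the original destination) to packet records. The rule format (one "dport -> local socket" entry per service), the addresses and the port numbers are assumptions chosen for the example.

```python
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple

Endpoint = Tuple[str, int]  # (address, port)


@dataclass(frozen=True)
class Packet:
    """Minimal packet record: only the fields the translation touches."""
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Translation:
    """One entry of the translation table, as described in the reply:
    remote addr/port, original dest/port, local dest/port."""
    remote: Endpoint
    original: Endpoint
    local: Endpoint


class TproxyTable:
    """Model of the TPROXY translation table plus the 'tproxy' rules.

    Rules map a destination port to the local socket that proxies that
    service (assumed rule shape for this example). The translation table
    is indexed both ways so that each hook needs a single lookup.
    """

    def __init__(self) -> None:
        self.rules: Dict[int, Endpoint] = {}
        self._by_remote_original: Dict[Tuple[Endpoint, Endpoint], Translation] = {}
        self._by_local_remote: Dict[Tuple[Endpoint, Endpoint], Translation] = {}

    def add_rule(self, dport: int, local: Endpoint) -> None:
        """One transparent proxy rule per service, e.g. 80 -> (127.0.0.1, 3128)."""
        self.rules[dport] = local

    def translations(self) -> List[Translation]:
        return list(self._by_remote_original.values())

    def prerouting(self, pkt: Packet) -> Packet:
        """PREROUTING hook: client -> original server packet arrives.
        First packet of a flow matching a rule creates the entry; every
        packet of the flow has its destination rewritten to the local socket."""
        remote: Endpoint = (pkt.src, pkt.sport)
        original: Endpoint = (pkt.dst, pkt.dport)
        entry = self._by_remote_original.get((remote, original))
        if entry is None:
            local = self.rules.get(pkt.dport)
            if local is None:
                return pkt  # not a proxied service: leave the packet alone
            entry = Translation(remote=remote, original=original, local=local)
            self._by_remote_original[(remote, original)] = entry
            self._by_local_remote[(local, remote)] = entry
        return replace(pkt, dst=entry.local[0], dport=entry.local[1])

    def local_output(self, pkt: Packet) -> Packet:
        """LOCAL OUTPUT hook: the proxy socket answers the client.
        The source is rewritten back to the original destination, so the
        client never sees the proxy's own address."""
        local: Endpoint = (pkt.src, pkt.sport)
        remote: Endpoint = (pkt.dst, pkt.dport)
        entry = self._by_local_remote.get((local, remote))
        if entry is None:
            return pkt  # locally generated traffic that is not a proxied flow
        return replace(pkt, src=entry.original[0], sport=entry.original[1])

    def original_destination(self, local: Endpoint, remote: Endpoint) -> Optional[Endpoint]:
        """What a proxy would query to learn where the client really wanted to go."""
        entry = self._by_local_remote.get((local, remote))
        return entry.original if entry else None


if __name__ == "__main__":
    # Constructed example flow: client 192.0.2.10 talks to 198.51.100.7:80,
    # the proxy listens on 127.0.0.1:3128 (all values assumed for the demo).
    table = TproxyTable()
    table.add_rule(80, ("127.0.0.1", 3128))
    inbound = table.prerouting(Packet("192.0.2.10", 40000, "198.51.100.7", 80))
    print("to proxy socket:", inbound)
    reply = table.local_output(Packet("127.0.0.1", 3128, "192.0.2.10", 40000))
    print("back to client: ", reply)
    print("original dest:  ", table.original_destination(("127.0.0.1", 3128), ("192.0.2.10", 40000)))
```

The point the reply makes is visible in the two hooks: the binding between the redirected session and the local socket lives in the translation entry, so the proxy's socket only ever sees packets addressed to its own IP/port pair, and the client only ever sees packets from the original destination.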