Bas van Sisseren wrote:
>
> On 16/07/10 14:42, Pascal Hambourg wrote:
>>
>> 2) I wonder whether it is really useful. The purpose of REDIRECT is to
>> make sure a packet is redirected to the local machine itself without the
>> need to care about the machine's address (just as MASQUERADE). If you
>> don't want to change the destination address or need finer control over
>> it, I believe DNAT can be used instead. Can you provide a use case ?
>
> It's a honeypot system with advanced routing and a lot of ip-addresses. The
> honeypot is running as non-root, which complicates usage of ports < 1024.
> The REDIRECT rule helps us to redirect the connection to higher
> port-numbers. With REDIRECT, we can request the original dst ip:port with
> the SO_ORIG_DST sockopt. With DNAT the SO_ORIG_DST is not available.

Do you mean SO_ORIGINAL_DST ? I'm surprised it does not work with DNAT.
AFAICS, it uses data from the connection tracking, and it does not matter
how the NAT mapping was created.

>> 3) Why restrict only to the addresses attached to the receiving
>> interface ? Why not extend to any address attached to a host's
>> interface, or even any local address (such as the whole 127.0.0.0/8
>> prefix) ?
>
> I don't see any use for that. :-)

Well, I think it would be more consistent with the Linux "weak" host model
(all local addresses belong globally to the host instead of a single
interface) ; we want to redirect a packet to the local host, so if the
original destination address is already a local address, we don't need to
change it.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
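As an added example (not code from this thread or from the netfilter project), here is a minimal non-root listener of the kind the honeypot described above would run: it accepts connections that an iptables REDIRECT (or DNAT) rule has steered to a high port and asks the connection-tracking table for the original destination with the SO_ORIGINAL_DST socket option. The listening port 8080, IPv4 only, and the helper names are assumptions of mine; the option itself comes from linux/netfilter_ipv4.h.

```c
/* Added example, not code from the thread: a minimal non-root TCP listener of
 * the kind the honeypot above would run. Connections are steered to it by an
 * iptables REDIRECT (or DNAT) rule, and for each accepted socket it asks the
 * connection-tracking table for the pre-NAT destination via SO_ORIGINAL_DST.
 * Assumptions: Linux with nf_conntrack loaded, IPv4, listening port 8080. */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>
#ifdef __linux__
#include <linux/netfilter_ipv4.h>   /* provides SO_ORIGINAL_DST */
#endif
#ifndef SO_ORIGINAL_DST
#define SO_ORIGINAL_DST 80          /* value used by linux/netfilter_ipv4.h */
#endif
#ifndef SOL_IP
#define SOL_IP IPPROTO_IP
#endif

#define LISTEN_PORT 8080            /* assumed high port the REDIRECT rule targets */

/* Ask conntrack for the original (pre-NAT) destination of the connection on
 * fd. Returns 0 and fills *orig on success. Returns -1 with errno set when
 * the socket has no NAT mapping (ENOENT) or conntrack is not available
 * (ENOPROTOOPT); a plain, un-NATed socket therefore fails here. */
int get_original_dst(int fd, struct sockaddr_in *orig)
{
    socklen_t len = sizeof(*orig);   /* the kernel insists on exactly this size */
    memset(orig, 0, sizeof(*orig));
    return getsockopt(fd, SOL_IP, SO_ORIGINAL_DST, orig, &len);
}

/* Render an IPv4 sockaddr as "a.b.c.d:port" into buf; returns buf. */
char *format_addr(const struct sockaddr_in *sa, char *buf, size_t buflen)
{
    char ip[INET_ADDRSTRLEN];
    if (!inet_ntop(AF_INET, &sa->sin_addr, ip, sizeof(ip)))
        strcpy(ip, "?");
    snprintf(buf, buflen, "%s:%u", ip, (unsigned)ntohs(sa->sin_port));
    return buf;
}

int main(void)
{
    struct sockaddr_in addr;
    int one = 1;
    int lfd = socket(AF_INET, SOCK_STREAM, 0);
    if (lfd < 0) { perror("socket"); return 1; }
    setsockopt(lfd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof(one));

    memset(&addr, 0, sizeof(addr));
    addr.sin_family = AF_INET;
    addr.sin_addr.s_addr = htonl(INADDR_ANY);
    addr.sin_port = htons(LISTEN_PORT);
    if (bind(lfd, (struct sockaddr *)&addr, sizeof(addr)) < 0 ||
        listen(lfd, 16) < 0) {
        perror("bind/listen");
        return 1;
    }

    for (;;) {
        struct sockaddr_in peer, orig;
        socklen_t plen = sizeof(peer);
        char pbuf[64], obuf[64];
        int cfd = accept(lfd, (struct sockaddr *)&peer, &plen);
        if (cfd < 0) { perror("accept"); continue; }

        if (get_original_dst(cfd, &orig) == 0)
            printf("peer %s originally connected to %s\n",
                   format_addr(&peer, pbuf, sizeof(pbuf)),
                   format_addr(&orig, obuf, sizeof(obuf)));
        else
            printf("peer %s: no NAT mapping (%s)\n",
                   format_addr(&peer, pbuf, sizeof(pbuf)), strerror(errno));
        close(cfd);   /* a real honeypot would hand cfd to its service logic here */
    }
}
```

A rule such as `iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080` (an assumed rule, not one from the thread) sends port-80 traffic to this listener; the lookup is done against the conntrack entry, so a DNAT rule producing the same mapping is expected to yield the same result. Two failure modes are worth telling apart when testing: ENOENT means the socket had no NAT mapping at all, while ENOPROTOOPT means the conntrack sockopt handler is not loaded.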