(forgot to cc it to the list)

On Jan 18, 2008 3:07 PM, Peter T. Breuer <ptb@xxxxxxxxxxxxxx> wrote:
>
> Philip Craig wrote:
> > [ptb]
> > > There's no "perhaps" in it! That's the problem description. How to get
> > > outgoing http requests to distant port 80s to be redirected to a proxy
> > > daemon sitting on port 8081 of the LOCAL machine instead.
> >
> > Then you need the rule in the OUTPUT chain. PREROUTING only sees forwarded
>
> So PREROUTING = forwarding! I seeeeee. Not "before any routing takes
> place", as one might naively have supposed from the name :).
>

Not really... PREROUTING occurs before any routing takes place, and it's NOT the same as FORWARD. The reason you have to use OUTPUT there is because you want to be able to redirect connections originating from the localhost. Packets COMING from localhost DON'T pass through the PREROUTING chain.

Attached you will find a figure that I did that represents how packets traverse the netfilter hooks/chains. It's in Portuguese, but the chains are in English. In the figure the two circles at the top are input and output interfaces (from left to right). The circle at the bottom is a local process that generates packets, and the one in the middle represents the routing decision. Note that packets coming from the localhost (like you said you were doing), never pass through the prerouting chain.

Hope this made things clearer for you :)

--
Informação & Segurança - Information for your security on the network.
http://info-seg.blogspot.com
Attachment:
netfilter_flow.jpg
Description: JPEG image
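
The rule placement discussed in this message, as an added example that is not part of the original e-mail: locally generated HTTP is redirected in the nat table's OUTPUT chain, with an exemption so the proxy's own upstream requests are not looped back to it. The function name, the `IPT` dry-run variable and the proxy UID 3128 are assumptions made for illustration; port 8081 is the one named in the thread.

```shell
#!/bin/sh
# Added example, not from the original thread. Port 8081 is the proxy port
# named in the thread; UID 3128 for the proxy's account is a constructed value.
# IPT defaults to a dry run that only prints the commands; run as root with
# IPT=iptables to install the rules.
IPT="${IPT:-echo iptables}"

redirect_local_http() {
    proxy_port="$1"
    proxy_uid="$2"
    # Accept plain decimal numbers only, so nothing else reaches the command line.
    for v in "$proxy_port" "$proxy_uid"; do
        case "$v" in
            ''|*[!0-9]*) echo "usage: redirect_local_http PORT PROXY_UID" >&2
                         return 2 ;;
        esac
    done

    # 1. The proxy's own upstream fetches also leave through OUTPUT. Let them
    #    go untouched, otherwise the proxy is redirected back to itself.
    $IPT -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner "$proxy_uid" -j RETURN

    # 2. Only "distant" port 80s are wanted: leave loopback web services alone.
    $IPT -t nat -A OUTPUT -p tcp --dport 80 -d 127.0.0.0/8 -j RETURN

    # 3. Everything else generated on this host is handed to the local proxy.
    #    A PREROUTING rule would never match these packets, because they do
    #    not arrive on an interface.
    $IPT -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-ports "$proxy_port"
}

# Dry-run usage with the constructed UID.
redirect_local_http 8081 3128
```

The proxy listening on 8081 has to accept intercepted requests (not only proxy-style ones) for the redirected connections to be served.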