On Tue, Mar 14, 2017 at 11:36 AM, André Paulsberg-Csibi (IBM Consultant) <Andre.Paulsberg-Csibi@xxxxxxxx> wrote:
> Maybe a better word for most people would be "final destination", and not real.
> (but real is actually the "real" destination for THAT rule where clients will be sent,
> not the actual target the client originally tried to reach and "thinks" it is still reaching)
>
> For the termination I would say yes, because "you" decide where it terminates so if you are asking I will
> assume you are using an out of the box PROXY which would typically make new connections in the "backend" from its own source IP.
>

Hi André,

Thanks for the reply.
I understand from your reply that the REDIRECT rule for the destination port will change the destination port, so that the real destination (= "final destination") is in the packet header (and there is no memory for the original destination anywhere else).

Thanks,
Ran

>
> Best regards
> André Paulsberg-Csibi
> Senior Network Engineer
> Fault Handling
> IBM Services AS
> andre.paulsberg-csibi@xxxxxxxx
> M +47 9070 5988
>
>
>
> -----Original Message-----
> From: netfilter-owner@xxxxxxxxxxxxxxx [mailto:netfilter-owner@xxxxxxxxxxxxxxx] On Behalf Of Ran Shalit
> Sent: 14. mars 2017 09:57
> To: netfilter@xxxxxxxxxxxxxxx
> Subject: Q: using PREROUTING to change destination
>
> Hello,
>
> I am trying to understand how to use rules with PREROUTING and
> transparent proxy.
>
> In documentation it is said:
>
> "6.2 Destination NAT
>
> This is done in the PREROUTING chain, just as the packet comes in;
> this means that anything else on the Linux box itself (routing, packet
> filtering) will see the packet going to its `real' destination. It
> also means that the `-i' (incoming interface) option can be used."
>
> What does `real' destination mean here? Does it mean that the packet
> is transferred to the new destination according to the rule given for
> PREROUTING?
> For example, in case of a transparent proxy:
>
> iptables -t nat -A PREROUTING -p tcp -s 192.168.201.0/24 --dport 80 -j DNAT --to 192.168.201.250:3128
>
> Does it mean that the transparent proxy will be the end destination of
> the packet?
>
> I am new with iptables.
>
> Thank you,
> Ran
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at http://vger.kernel.org/majordomo-info.html
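
For reference on where the pre-NAT destination is kept: on Linux, connection tracking records the original tuple of a connection rewritten by DNAT or REDIRECT, and a proxy can read it from the accepted socket with the `SO_ORIGINAL_DST` socket option. The sketch below is an added example, not part of the thread; the function names and the sample address 203.0.113.10 are constructed for illustration.

```python
import socket
import struct

SO_ORIGINAL_DST = 80    # from <linux/netfilter_ipv4.h>; not exported by Python's socket module
SOCKADDR_IN_LEN = 16    # sizeof(struct sockaddr_in)


def parse_sockaddr_in(raw):
    """Decode a struct sockaddr_in into (ip, port)."""
    if len(raw) < SOCKADDR_IN_LEN:
        raise ValueError("truncated sockaddr_in")
    (family,) = struct.unpack_from("=H", raw, 0)    # sin_family is in host byte order
    if family != socket.AF_INET:
        raise ValueError("not an IPv4 address: family %d" % family)
    (port,) = struct.unpack_from("!H", raw, 2)      # sin_port is in network byte order
    return socket.inet_ntoa(raw[4:8]), port


def original_dst(conn):
    """Pre-NAT destination of an accepted TCP connection, or None if the
    kernel has no conntrack entry for it (or conntrack is not loaded)."""
    try:
        # SOL_IP and IPPROTO_IP are both 0 on Linux.
        raw = conn.getsockopt(socket.IPPROTO_IP, SO_ORIGINAL_DST, SOCKADDR_IN_LEN)
    except OSError:
        return None
    return parse_sockaddr_in(raw)


def connection_targets(conn):
    """(address the connection was delivered to, address the client aimed at)."""
    return conn.getsockname()[:2], original_dst(conn)


# Constructed sample: what the kernel would hand back for a client that
# connected to 203.0.113.10:80 and was redirected to the proxy.
SAMPLE = (struct.pack("=H", socket.AF_INET) + struct.pack("!H", 80)
          + socket.inet_aton("203.0.113.10") + bytes(8))

if __name__ == "__main__":
    print(parse_sockaddr_in(SAMPLE))
```

On the proxy host named in the rule above, `connection_targets()` on an accepted socket would report port 3128 as the local side and the client's intended port 80 target as the original destination.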