On Tue, Mar 14, 2017 at 1:29 PM, Robert White <rwhite@xxxxxxxxx> wrote: > On 03/14/17 09:56, Ran Shalit wrote: >> >> I understand from your reply that REDIRECT rule for the destination >> port will change the destination port, so that the real >> destination(="final destination") is in the packet header (and there >> is no memory for the original destination any where else). > > > REDIRECT is totally different from DNAT. Destination Network Address > Translation sends the packet off to a different machine (well IP address, > which could be another address on the current machine but that's _super_ > _rare_) so one might DNAT some packets arriving on your firewall through to > your Web Server, and others over to your XBox witch is clearly never the > same machine as your firewall. > > REDIRECT says "this service is here on the firewall, but at a different port > than this packet thinks it would be. > > Here's a REDIRECT example. > > I want to run a web server. I decide to run it on the firewall. I don't want > the WebServer processes to be run as root because if someone breaks into the > WebServer I don't want them to have any special root privileges. A process > needs to be a root process to take over port eighty because its less than > port 1024. > > So now what? > > Well I create the web server user with no dangerous privilege and tell it to > use an unprivileged port (typically 8080). > > Then... > > iptables --table nat --append PREROUTING --protocol tcp --dport 80 --jump > REDIRECT --to-port 8080 > > So the web server user can now open and close 8080 as needed with Just Plain > User™ rights, and I don't have to tell the entire world to use 8080 instead > of the default. > > And again the connection tracking system is going to do all the translations > automagically for the connections after you DNAT, SNAT, or REDIRECT the > first packet. So if you do a "iptables --table nat --list --verbose" the > packet count is more-or-less the 'new connections' or 'new flows' count for > the rule. The connection tracker keeps the necessary records of what's been > changed for what so that you don't have to think about that part of this at > all (in most settings). > > > Again, saying/spelling the whole long-form arguments out is very helpful in > picking all this skill set up more quickly. > > --Rob Rob, Thanks a lot. It is much more clear to me now. Ran -- To unsubscribe from this list: send the line "unsubscribe netfilter" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
