Very edifying. Thanks so much for that Amos. While the thread’s going, would you be able to elaborate at all on the “trickery with multiple rules and IPs”? On 23 Oct 2013, at 5:10 pm, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote: > On 22/10/2013 2:56 p.m., Dan Charlesworth wrote: >> Hi folks >> >> I've been testing these interception methods (as outlined in the Config Examples) and don't really understand the difference between the two, other than DNAT requiring sysctl changes. >> >> What's the actual functional difference? > > Iptable DNAT target changes the destination IP:port of packets to the configured values. That is all. > * It is generic destination-NAT and the changed packets may leave the machine and travel out over the network with the new values. (This is a useless property to Squid). > * It is a static IP:port NAT mapping, which may benefit if DNAT is an option and you want a few more packets per second through the box. > > > Itables REDIRECT target automatically selects the primary global IP address of the box _at the time when the connection was opened_ and changes the destination IP:port of packets to that IP and the configured port. > * It is restricted to sending traffic to the local box (Squid requires local-machine NAT anyway so no gain/loss there). > * It is a dynamic IP:port mapping (so the machine it is used on can be auto-configured with a new IP as often as you like without reconfiguring NAT or the proxy.) > * It is slightly slower than DNAT because of the machine IP lookup > > Also, count of connections intercepted is limited to 64K on both due to IP address only having 64K ports (even if you have traffic arriving on a secondary IP and NAT'ed to primary IP:port). But you can avoid that with DNAT using a little trickery with multiple rules and IPs. REDIRECT is stuck with the machine primary IP whatever you do. > > >> What's a real-world type of scenario where I might pick one over the other? > > If you have statically assigned IP on the Squid box then DNAT is the better choice, but either will do and REDIRET is somewhat simpler to "set and forget". > > If you Squid box is dynamically assigned IP. Then REDIRECT is the only option for reliable NAT interception. DNAT in this case would simply stop working on every IP update. > > Amos