What does iptables -j REDIRECT *actually* do to packet headers?How does a transparent SOCKS proxy know which...
How could an animal "smell" carbon monoxide?
''Habitable'' planet close to a star
My credit card has no magnetic stripe. Is this a problem in the USA?
Kepler space telescope undetected planets
What is the word for "event executor"?
Why do so many pure math PhD students drop out or leave academia, compared to applied mathematics PhDs?
What is the difference between a Hosaka, Ono-Sendai, and a "deck"?
Is straight-up writing someone's opinions telling?
Sending a photo of my bank account card to the future employer
How to honestly answer questions from a girlfriend like "How did you find this place" without giving the impression I'm always talking about my exes?
Create Array from list of indices/values
What would be the safest way to drop thousands of small, hard objects from a typical, high wing, GA airplane?
Cauchy reals and Dedekind reals satisfy "the same mathematical theorems"
Is this Android phone Android 9.0 or Android 6.0?
What details should I consider before agreeing for part of my salary to be 'retained' by employer?
Why did Steve Rogers choose this character in Endgame?
A verb to describe specific positioning of three layers
Wordplay addition paradox
How possible is a successful landing just with 1 wing?
Random piece of plastic
Increasing muscle power without increasing volume
Why doesn't philosophy have higher standards for its arguments?
Does inertia keep a rotating object rotating forever, or something else?
Was Apollo 13 radio blackout on reentry longer than expected?
What does iptables -j REDIRECT *actually* do to packet headers?
How does a transparent SOCKS proxy know which destination IP to use?TOR Transparent Proxy - How does to the TCP redirecting workiptables REDIRECT in combination with matching on interface vs. IP addressRedirect ALL packets from eth1 & eth2 through a SOCKS proxyHow does a transparent SOCKS proxy know which destination IP to use?On a router, what decides if a packet should be forwarded or directed into the router itself?Alter DST port on bridged trafficFreeBSD load balancer implementationSymmetric NAT implementation with incremental source port? (software/OS or hardware router)iptables - 2 Internetprovider - routingLocal port forwarding using iptables is not working
.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty{ margin-bottom:0;
}
Out of curiosity I'm reading some tutorials about transparent TOR proxies as it's quite interesting topic from a networking standpoint. As opposed to VPN gateways which just use tun/tap interfaces and are totally clear to me, TOR proxy uses a single port. All tutorials repeat the magic line:
iptables -t nat -A PREROUTING -i eth0 -p tcp --syn -j REDIRECT --to-ports 9040
where eth0 is the input (LAN) interface and 9040 is some TOR port. The thing is, I completely don't get why such a thing makes sense at all from networking standpoint.
According to my understanding of redirect / dst-nat chains and how it seems to work in physical routers, dst-nat chain takes dst-port and dst-addr BEFORE routing decision is taken and changes them to something else. So for example:
- before
dst-nat:192.168.1.2:46364 -> 88.88.88.88:80
- after
dst-nat:192.168.1.2:46364 -> 99.99.99.99:8080
And 99.99.99.99:8080 is what further chains in IP packet flow lane see (for example filter table) and this is how the packet looks from now on after leaving device for example.
Now many people around the internet (including on this stackexchange) claimed that redirect is basically the same as dst-nat with dst-addr set to local address of interface. In such light, this rule:
iptables -t nat -A PREROUTING -i eth0 -p tcp --syn -j REDIRECT --to-ports 9040
clearly doesn't make sense. If that would be how it works, then TOR would get all packets with destination 127.0.0.1:9040. For typical applications where app takes packet and responds to it somehow (for example web servers) it totally makes sense because after all, such a server process is the final destination of the packet anyways so it's okay that the destination address is localhost. But TOR router is well... a router so it has to know original destination of packet. Am I missing something? Does DNAT not affect what local applications receive? Or is it specific behavior of REDIRECT directive?
iptables routing tor packet iptables-redirect
edited Dec 28 '17 at 21:44
Jeff Schaller♦
47.9k11 gold badges70 silver badges156 bronze badges
asked Dec 28 '17 at 21:36
LapsioLapsio
6119 silver badges19 bronze badges
add a comment |
Out of curiosity I'm reading some tutorials about transparent TOR proxies as it's quite interesting topic from a networking standpoint. As opposed to VPN gateways which just use tun/tap interfaces and are totally clear to me, TOR proxy uses a single port. All tutorials repeat the magic line:
iptables -t nat -A PREROUTING -i eth0 -p tcp --syn -j REDIRECT --to-ports 9040
where eth0 is the input (LAN) interface and 9040 is some TOR port. The thing is, I completely don't get why such a thing makes sense at all from networking standpoint.
According to my understanding of redirect / dst-nat chains and how it seems to work in physical routers, dst-nat chain takes dst-port and dst-addr BEFORE routing decision is taken and changes them to something else. So for example:
- before
dst-nat:192.168.1.2:46364 -> 88.88.88.88:80
- after
dst-nat:192.168.1.2:46364 -> 99.99.99.99:8080
And 99.99.99.99:8080 is what further chains in IP packet flow lane see (for example filter table) and this is how the packet looks from now on after leaving device for example.
Now many people around the internet (including on this stackexchange) claimed that redirect is basically the same as dst-nat with dst-addr set to local address of interface. In such light, this rule:
iptables -t nat -A PREROUTING -i eth0 -p tcp --syn -j REDIRECT --to-ports 9040
clearly doesn't make sense. If that would be how it works, then TOR would get all packets with destination 127.0.0.1:9040. For typical applications where app takes packet and responds to it somehow (for example web servers) it totally makes sense because after all, such a server process is the final destination of the packet anyways so it's okay that the destination address is localhost. But TOR router is well... a router so it has to know original destination of packet. Am I missing something? Does DNAT not affect what local applications receive? Or is it specific behavior of REDIRECT directive?
iptables routing tor packet iptables-redirect
edited Dec 28 '17 at 21:44
Jeff Schaller♦
47.9k11 gold badges70 silver badges156 bronze badges
asked Dec 28 '17 at 21:36
LapsioLapsio
6119 silver badges19 bronze badges
I installed demo and it does work. What's more - I've set up nodejs server in place of tor and it really does show192.168.1.1:9040as destination in connection details so I have no idea how Tor proxy knows what is actual destination of packet... It's complete... magic
– Lapsio
Dec 29 '17 at 4:09
add a comment |
Out of curiosity I'm reading some tutorials about transparent TOR proxies as it's quite interesting topic from a networking standpoint. As opposed to VPN gateways which just use tun/tap interfaces and are totally clear to me, TOR proxy uses a single port. All tutorials repeat the magic line:
iptables -t nat -A PREROUTING -i eth0 -p tcp --syn -j REDIRECT --to-ports 9040
where eth0 is the input (LAN) interface and 9040 is some TOR port. The thing is, I completely don't get why such a thing makes sense at all from networking standpoint.
According to my understanding of redirect / dst-nat chains and how it seems to work in physical routers, dst-nat chain takes dst-port and dst-addr BEFORE routing decision is taken and changes them to something else. So for example:
- before
dst-nat:192.168.1.2:46364 -> 88.88.88.88:80
- after
dst-nat:192.168.1.2:46364 -> 99.99.99.99:8080
And 99.99.99.99:8080 is what further chains in IP packet flow lane see (for example filter table) and this is how the packet looks from now on after leaving device for example.
Now many people around the internet (including on this stackexchange) claimed that redirect is basically the same as dst-nat with dst-addr set to local address of interface. In such light, this rule:
iptables -t nat -A PREROUTING -i eth0 -p tcp --syn -j REDIRECT --to-ports 9040
clearly doesn't make sense. If that would be how it works, then TOR would get all packets with destination 127.0.0.1:9040. For typical applications where app takes packet and responds to it somehow (for example web servers) it totally makes sense because after all, such a server process is the final destination of the packet anyways so it's okay that the destination address is localhost. But TOR router is well... a router so it has to know original destination of packet. Am I missing something? Does DNAT not affect what local applications receive? Or is it specific behavior of REDIRECT directive?
iptables routing tor packet iptables-redirect
edited Dec 28 '17 at 21:44
Jeff Schaller♦
47.9k11 gold badges70 silver badges156 bronze badges
asked Dec 28 '17 at 21:36
LapsioLapsio
6119 silver badges19 bronze badges
Out of curiosity I'm reading some tutorials about transparent TOR proxies as it's quite interesting topic from a networking standpoint. As opposed to VPN gateways which just use tun/tap interfaces and are totally clear to me, TOR proxy uses a single port. All tutorials repeat the magic line:
iptables -t nat -A PREROUTING -i eth0 -p tcp --syn -j REDIRECT --to-ports 9040
where eth0 is the input (LAN) interface and 9040 is some TOR port. The thing is, I completely don't get why such a thing makes sense at all from networking standpoint.
According to my understanding of redirect / dst-nat chains and how it seems to work in physical routers, dst-nat chain takes dst-port and dst-addr BEFORE routing decision is taken and changes them to something else. So for example:
- before
dst-nat:192.168.1.2:46364 -> 88.88.88.88:80
- after
dst-nat:192.168.1.2:46364 -> 99.99.99.99:8080
And 99.99.99.99:8080 is what further chains in IP packet flow lane see (for example filter table) and this is how the packet looks from now on after leaving device for example.
Now many people around the internet (including on this stackexchange) claimed that redirect is basically the same as dst-nat with dst-addr set to local address of interface. In such light, this rule:
iptables -t nat -A PREROUTING -i eth0 -p tcp --syn -j REDIRECT --to-ports 9040
clearly doesn't make sense. If that would be how it works, then TOR would get all packets with destination 127.0.0.1:9040. For typical applications where app takes packet and responds to it somehow (for example web servers) it totally makes sense because after all, such a server process is the final destination of the packet anyways so it's okay that the destination address is localhost. But TOR router is well... a router so it has to know original destination of packet. Am I missing something? Does DNAT not affect what local applications receive? Or is it specific behavior of REDIRECT directive?
iptables routing tor packet iptables-redirect
iptables routing tor packet iptables-redirect
edited Dec 28 '17 at 21:44
Jeff Schaller♦
47.9k11 gold badges70 silver badges156 bronze badges
asked Dec 28 '17 at 21:36
LapsioLapsio
6119 silver badges19 bronze badges
edited Dec 28 '17 at 21:44
Jeff Schaller♦
47.9k11 gold badges70 silver badges156 bronze badges
asked Dec 28 '17 at 21:36
LapsioLapsio
6119 silver badges19 bronze badges
edited Dec 28 '17 at 21:44
Jeff Schaller♦
47.9k11 gold badges70 silver badges156 bronze badges
edited Dec 28 '17 at 21:44
Jeff Schaller♦
47.9k11 gold badges70 silver badges156 bronze badges
edited Dec 28 '17 at 21:44
Jeff Schaller♦
47.9k11 gold badges70 silver badges156 bronze badges
47.9k11 gold badges70 silver badges156 bronze badges
asked Dec 28 '17 at 21:36
LapsioLapsio
6119 silver badges19 bronze badges
asked Dec 28 '17 at 21:36
LapsioLapsio
6119 silver badges19 bronze badges
asked Dec 28 '17 at 21:36
LapsioLapsio
6119 silver badges19 bronze badges
6119 silver badges19 bronze badges
I installed demo and it does work. What's more - I've set up nodejs server in place of tor and it really does show192.168.1.1:9040as destination in connection details so I have no idea how Tor proxy knows what is actual destination of packet... It's complete... magic
– Lapsio
Dec 29 '17 at 4:09
add a comment |
I installed demo and it does work. What's more - I've set up nodejs server in place of tor and it really does show192.168.1.1:9040as destination in connection details so I have no idea how Tor proxy knows what is actual destination of packet... It's complete... magic
– Lapsio
Dec 29 '17 at 4:09
I installed demo and it does work. What's more - I've set up nodejs server in place of tor and it really does show
192.168.1.1:9040 as destination in connection details so I have no idea how Tor proxy knows what is actual destination of packet... It's complete... magic– Lapsio
Dec 29 '17 at 4:09
I installed demo and it does work. What's more - I've set up nodejs server in place of tor and it really does show
192.168.1.1:9040 as destination in connection details so I have no idea how Tor proxy knows what is actual destination of packet... It's complete... magic– Lapsio
Dec 29 '17 at 4:09
add a comment |
2 Answers
2
active
oldest
votes
Take a look at this answer: How does a transparent SOCKS proxy know which destination IP to use?
Quotation:
iptables overrites the original destination address but it remembers the old one. The application code can then fetch it by asking for a special socket option, SO_ORIGINAL_DST.
answered Mar 14 '18 at 19:18
user280720user280720
462 bronze badges
add a comment |
Actually you're right about TOR, every tcp packet received is redirect to localhost:9040.
The target REDIRECT is special type of the DNAT target, which would change the ip address to the local interface and map to the port whatever you specified.
Suppose there is a router whose lan interface is eth0(with network 192.168.1.0/24 and ip address: 192.168.1.1) and the iptables rule for this router is:
iptables -t nat -A PREROUTING -i eth0 -p tcp --syn -j REDIRECT --to-ports 9040
then all the tcp packets from the clients inside the lan would redirect to 192.168.1.1:9040.
Suppose there is tcp connection from client(with ip address 192.168.1.2) inside the lan to google.com(suppose ip: 8.8.1.1) then,
raw request: 192.168.1.2:12345 -> 8.8.1.1:80
after router's prerouting chain: 192.168.1.2:12345->192.168.1.1:9040
answered 1 hour ago
JichaoJichao
4771 gold badge6 silver badges7 bronze badges
add a comment |
Your Answer
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "106"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f413545%2fwhat-does-iptables-j-redirect-actually-do-to-packet-headers%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
2 Answers
2
active
oldest
votes
2 Answers
2
active
oldest
votes
active
oldest
votes
active
oldest
votes
Take a look at this answer: How does a transparent SOCKS proxy know which destination IP to use?
Quotation:
iptables overrites the original destination address but it remembers the old one. The application code can then fetch it by asking for a special socket option, SO_ORIGINAL_DST.
answered Mar 14 '18 at 19:18
user280720user280720
462 bronze badges
add a comment |
Take a look at this answer: How does a transparent SOCKS proxy know which destination IP to use?
Quotation:
iptables overrites the original destination address but it remembers the old one. The application code can then fetch it by asking for a special socket option, SO_ORIGINAL_DST.
answered Mar 14 '18 at 19:18
user280720user280720
462 bronze badges
add a comment |
Take a look at this answer: How does a transparent SOCKS proxy know which destination IP to use?
Quotation:
iptables overrites the original destination address but it remembers the old one. The application code can then fetch it by asking for a special socket option, SO_ORIGINAL_DST.
answered Mar 14 '18 at 19:18
user280720user280720
462 bronze badges
Take a look at this answer: How does a transparent SOCKS proxy know which destination IP to use?
Quotation:
iptables overrites the original destination address but it remembers the old one. The application code can then fetch it by asking for a special socket option, SO_ORIGINAL_DST.
answered Mar 14 '18 at 19:18
user280720user280720
462 bronze badges
answered Mar 14 '18 at 19:18
user280720user280720
462 bronze badges
answered Mar 14 '18 at 19:18
user280720user280720
462 bronze badges
answered Mar 14 '18 at 19:18
user280720user280720
462 bronze badges
462 bronze badges
add a comment |
add a comment |
Actually you're right about TOR, every tcp packet received is redirect to localhost:9040.
The target REDIRECT is special type of the DNAT target, which would change the ip address to the local interface and map to the port whatever you specified.
Suppose there is a router whose lan interface is eth0(with network 192.168.1.0/24 and ip address: 192.168.1.1) and the iptables rule for this router is:
iptables -t nat -A PREROUTING -i eth0 -p tcp --syn -j REDIRECT --to-ports 9040
then all the tcp packets from the clients inside the lan would redirect to 192.168.1.1:9040.
Suppose there is tcp connection from client(with ip address 192.168.1.2) inside the lan to google.com(suppose ip: 8.8.1.1) then,
raw request: 192.168.1.2:12345 -> 8.8.1.1:80
after router's prerouting chain: 192.168.1.2:12345->192.168.1.1:9040
answered 1 hour ago
JichaoJichao
4771 gold badge6 silver badges7 bronze badges
add a comment |
Actually you're right about TOR, every tcp packet received is redirect to localhost:9040.
The target REDIRECT is special type of the DNAT target, which would change the ip address to the local interface and map to the port whatever you specified.
Suppose there is a router whose lan interface is eth0(with network 192.168.1.0/24 and ip address: 192.168.1.1) and the iptables rule for this router is:
iptables -t nat -A PREROUTING -i eth0 -p tcp --syn -j REDIRECT --to-ports 9040
then all the tcp packets from the clients inside the lan would redirect to 192.168.1.1:9040.
Suppose there is tcp connection from client(with ip address 192.168.1.2) inside the lan to google.com(suppose ip: 8.8.1.1) then,
raw request: 192.168.1.2:12345 -> 8.8.1.1:80
after router's prerouting chain: 192.168.1.2:12345->192.168.1.1:9040
answered 1 hour ago
JichaoJichao
4771 gold badge6 silver badges7 bronze badges
add a comment |
Actually you're right about TOR, every tcp packet received is redirect to localhost:9040.
The target REDIRECT is special type of the DNAT target, which would change the ip address to the local interface and map to the port whatever you specified.
Suppose there is a router whose lan interface is eth0(with network 192.168.1.0/24 and ip address: 192.168.1.1) and the iptables rule for this router is:
iptables -t nat -A PREROUTING -i eth0 -p tcp --syn -j REDIRECT --to-ports 9040
then all the tcp packets from the clients inside the lan would redirect to 192.168.1.1:9040.
Suppose there is tcp connection from client(with ip address 192.168.1.2) inside the lan to google.com(suppose ip: 8.8.1.1) then,
raw request: 192.168.1.2:12345 -> 8.8.1.1:80
after router's prerouting chain: 192.168.1.2:12345->192.168.1.1:9040
answered 1 hour ago
JichaoJichao
4771 gold badge6 silver badges7 bronze badges
Actually you're right about TOR, every tcp packet received is redirect to localhost:9040.
The target REDIRECT is special type of the DNAT target, which would change the ip address to the local interface and map to the port whatever you specified.
Suppose there is a router whose lan interface is eth0(with network 192.168.1.0/24 and ip address: 192.168.1.1) and the iptables rule for this router is:
iptables -t nat -A PREROUTING -i eth0 -p tcp --syn -j REDIRECT --to-ports 9040
then all the tcp packets from the clients inside the lan would redirect to 192.168.1.1:9040.
Suppose there is tcp connection from client(with ip address 192.168.1.2) inside the lan to google.com(suppose ip: 8.8.1.1) then,
raw request: 192.168.1.2:12345 -> 8.8.1.1:80
after router's prerouting chain: 192.168.1.2:12345->192.168.1.1:9040
answered 1 hour ago
JichaoJichao
4771 gold badge6 silver badges7 bronze badges
answered 1 hour ago
JichaoJichao
4771 gold badge6 silver badges7 bronze badges
answered 1 hour ago
JichaoJichao
4771 gold badge6 silver badges7 bronze badges
answered 1 hour ago
JichaoJichao
4771 gold badge6 silver badges7 bronze badges
4771 gold badge6 silver badges7 bronze badges
add a comment |
add a comment |
Thanks for contributing an answer to Unix & Linux Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f413545%2fwhat-does-iptables-j-redirect-actually-do-to-packet-headers%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
I installed demo and it does work. What's more - I've set up nodejs server in place of tor and it really does show
192.168.1.1:9040as destination in connection details so I have no idea how Tor proxy knows what is actual destination of packet... It's complete... magic– Lapsio
Dec 29 '17 at 4:09