Thanks. Explains it quite well. So there is yet another state table involved here.
Now I am a little confused. What exactly is it that makes this new state table better suited for the job than conntrack?

Regards
Henrik

Balazs Scheidler wrote:
> Yes, sorry. There's a translation table in TPROXY independent from the
> tproxy iptables table.
>
> The rules are in the iptables table called 'tproxy', and contains one
> transparent proxy rule for each service needed.
>
> As a connection is established, a new entry is added to the translation
> table with: remote addr/remote port, original dest/original port, local
> dest/local port.
>
> Then both the prerouting and the local output hooks perform translation of
> the packet flow according to the translation table.
>
> In a sense this table is similar to the conntrack tables, with the
> exception that the primary focus is to assign packet endpoints with local
> sockets, identified by their own IP/port pair.
>
> Thus the connection between a redirected session and a local socket is not
> the socket layer, but this translation table, therefore no packet with a
> foreign IP address enters the networking core.
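The translation-table behaviour described in the quoted text, modelled as an added Python example (this is not TPROXY's own code; the `TranslationTable` class, its method names and the sample addresses are assumptions made for illustration): each entry records remote, original-destination and local-socket endpoints, the prerouting hook rewrites an inbound packet's destination to the local socket, and the local-output hook rewrites the reply's source back to the original destination, so the proxy's own foreign-address view never reaches the networking core.

```python
from dataclasses import dataclass
from typing import Dict, Tuple

@dataclass(frozen=True)
class Endpoint:
    addr: str
    port: int

@dataclass(frozen=True)
class Entry:
    remote: Endpoint    # remote addr / remote port (the client)
    original: Endpoint  # original dest / original port (the foreign address the client wanted)
    local: Endpoint     # local dest / local port (the proxy's own listening socket)

Packet = Tuple[Endpoint, Endpoint]  # (src, dst)

class TranslationTable:
    """Constructed model of the TPROXY translation table, keyed by the remote endpoint."""

    def __init__(self) -> None:
        self._entries: Dict[Endpoint, Entry] = {}

    def add(self, remote: Endpoint, original: Endpoint, local: Endpoint) -> None:
        # Called when a redirected connection is established.
        self._entries[remote] = Entry(remote, original, local)

    def prerouting(self, src: Endpoint, dst: Endpoint) -> Packet:
        # Inbound hook: a packet from the remote client addressed to the foreign
        # destination is delivered to the local socket instead.
        entry = self._entries.get(src)
        if entry is not None and dst == entry.original:
            return (src, entry.local)
        return (src, dst)  # not a redirected session: leave untouched

    def local_output(self, src: Endpoint, dst: Endpoint) -> Packet:
        # Outbound hook: a reply leaving the local socket towards the remote client
        # is rewritten so the client sees the original destination as the source.
        entry = self._entries.get(dst)
        if entry is not None and src == entry.local:
            return (entry.original, dst)
        return (src, dst)

def demo() -> Tuple[Packet, Packet]:
    # Constructed sample session: client 10.0.0.5:40000 -> 203.0.113.7:80,
    # transparently redirected to the proxy socket 192.0.2.1:3128.
    table = TranslationTable()
    client, original, proxy = Endpoint("10.0.0.5", 40000), Endpoint("203.0.113.7", 80), Endpoint("192.0.2.1", 3128)
    table.add(client, original, proxy)
    inbound = table.prerouting(client, original)      # dst becomes the proxy socket
    reply = table.local_output(proxy, client)         # src becomes the original dest
    return inbound, reply
```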