DNAT vs REDIRECT in iptables: Key Differences for Transparent Proxy Implementation


When implementing transparent proxy solutions with iptables, both DNAT and REDIRECT targets serve similar purposes but with distinct technical implementations:

# REDIRECT approach
*nat
-A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-ports 8080
COMMIT

# DNAT approach 
*nat
-A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to-destination 192.168.5.1:8080
COMMIT

The REDIRECT target is actually a specialized form of DNAT that:

  • Automatically redirects to the incoming interface's IP address
  • Modifies the destination port while preserving the original IP
  • Works only within the same host (local redirection)

DNAT offers more flexibility:

  • Can redirect to any IP address (local or remote)
  • Maintains complete control over destination IP:port mapping
  • Allows for more complex network topologies

For your specific transparent proxy setup, both methods work because:

  • Both preserve source IP in proxy logs
  • Both handle HTTP traffic redirection to port 8080
  • Both integrate with MASQUERADE for outbound traffic

Use REDIRECT when:

  • Redirecting to services on the same host
  • Port number is the only changing parameter
  • You want simpler, more readable rules

Use DNAT when:

  • Redirecting to different hosts in your network
  • Need to modify both IP and port
  • Implementing complex routing scenarios

Here's how you might expand the DNAT approach for multiple proxies:

*nat
# Load balancing between two proxy servers. The nat table is consulted for the
# first packet of a connection only, so this splits connections (not packets)
# between the proxies; conntrack keeps the chosen mapping for the rest of the flow.
-A PREROUTING -i eth1 -p tcp --dport 80 -m statistic --mode random --probability 0.5 -j DNAT --to-destination 192.168.5.2:8080
# Whatever the first rule did not claim goes to the second proxy
-A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to-destination 192.168.5.1:8080
COMMIT
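What the bare DNAT rule leaves out once the proxy is a separate host on the LAN, as an added example that is not part of the answer above: the script below emits the nat table for both layouts as iptables-restore fragments so the local (REDIRECT) and remote (DNAT) variants can be compared side by side. Interface names, the proxy port and the proxy address 192.168.5.1 come from the answer; the client subnet 192.168.5.0/24 and the proxy's default route via this gateway are assumptions. Two rules the remote layout needs and that are easy to forget are included: an exemption so the proxy's own outbound HTTP is not DNATed back to itself, and a hairpin MASQUERADE so the proxy's replies return through the gateway's conntrack instead of going straight to the client from an address and port the client never connected to. That hairpin costs the client address in the proxy's logs; placing the proxy on its own subnet behind the gateway avoids the trade-off.

```sh
#!/bin/sh
# Added example, not from the original answer: nat tables for the two
# transparent-proxy layouts, emitted as iptables-restore fragments.
# Assumed topology: clients on eth1 in 192.168.5.0/24, upstream on eth0,
# proxy listening on 8080 either on this gateway or on 192.168.5.1 (same LAN,
# default route via this gateway).

LAN_IF=eth1
WAN_IF=eth0
LAN_NET=192.168.5.0/24
PROXY_HOST=192.168.5.1
PROXY_PORT=8080

# Proxy on the gateway itself. REDIRECT rewrites the destination to eth1's
# own address; the reply comes from the local socket, so no forwarding or
# extra routing is involved.
local_proxy_rules() {
    cat <<EOF
*nat
-A PREROUTING -i $LAN_IF -s $LAN_NET -p tcp --dport 80 -j REDIRECT --to-ports $PROXY_PORT
-A POSTROUTING -o $WAN_IF -j MASQUERADE
COMMIT
EOF
}

# Proxy on another host of the same LAN. The DNAT rule alone is not enough.
remote_proxy_rules() {
    cat <<EOF
*nat
# 1. The proxy fetches from origin servers via this gateway, so its own HTTP
#    also enters on $LAN_IF with dport 80. Exempt it, or it is DNATed back to
#    itself and the request loops.
-A PREROUTING -i $LAN_IF -s $PROXY_HOST -p tcp --dport 80 -j RETURN
-A PREROUTING -i $LAN_IF -s $LAN_NET -p tcp --dport 80 -j DNAT --to-destination $PROXY_HOST:$PROXY_PORT
# 2. Hairpin. Client and proxy share a subnet, so the proxy would answer the
#    client directly from $PROXY_HOST:$PROXY_PORT, a peer the client never
#    connected to, and the client resets the flow. Masquerading this leg sends
#    the reply back through this box, where conntrack undoes the DNAT. The
#    price is that the proxy logs the gateway address instead of the client.
-A POSTROUTING -o $LAN_IF -d $PROXY_HOST -p tcp --dport $PROXY_PORT -j MASQUERADE
-A POSTROUTING -o $WAN_IF -j MASQUERADE
COMMIT
EOF
}

# The hairpinned leg is forwarded traffic: ip_forward must be on and the
# filter FORWARD chain must accept it. REDIRECT to a local socket needs neither.
remote_proxy_sysctl() {
    printf 'net.ipv4.ip_forward = 1\n'
}

# Let the kernel parse a rule set without committing it when the tool is
# present and we are root; otherwise just print it for review.
check_rules() {
    if [ "$(id -u)" -eq 0 ] && command -v iptables-restore >/dev/null 2>&1; then
        "$1" | iptables-restore --test
    else
        "$1"
    fi
}

check_rules local_proxy_rules
check_rules remote_proxy_rules
```

To load a set for real, pipe the function's output into `iptables-restore` (add `--noflush` if other tables must survive); the `-s` match on the client subnet keeps the rules from touching traffic that merely transits eth1 from elsewhere.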

When implementing transparent proxy solutions with iptables, network administrators often face the choice between DNAT and REDIRECT targets. Both mechanisms achieve port redirection but with subtle technical differences that impact packet handling.

The REDIRECT target is actually a specialized form of DNAT that automatically redirects packets to the local machine:

# REDIRECT (rewrites the destination to the primary address of the interface the packet arrived on, here eth1)
-A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-ports 8080

# Equivalent manual DNAT, assuming 192.168.5.1 is eth1's own address
-A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to-destination 192.168.5.1:8080

The REDIRECT target is particularly useful when:

  • You want to redirect to services on the same machine
  • The destination IP might change (DHCP environments)
  • You need simpler rule maintenance

DNAT provides more flexibility when:

  • Redirecting to different machines in the network
  • You need explicit control over destination IP
  • Implementing complex network topologies

Both methods preserve the original client IP in proxy logs, but DNAT requires additional routing considerations:

# For DNAT to work properly, you might need:
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Here's a more complete example showing both approaches with connection tracking:

*nat
# REDIRECT approach (--ctstate NEW is redundant here: the nat table is only
# consulted for the first packet of a connection, later packets follow the
# existing conntrack entry)
-A PREROUTING -i eth1 -p tcp --dport 80 -m conntrack --ctstate NEW -j REDIRECT --to-ports 8080

# DNAT alternative: load one of the two PREROUTING rules, not both, since the
# first matching nat target decides the mapping for the whole connection
-A PREROUTING -i eth1 -p tcp --dport 80 -m conntrack --ctstate NEW -j DNAT --to-destination 192.168.5.1:8080

# Common MASQUERADE rule for both
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT

When debugging redirection issues:

# Check NAT rules
iptables -t nat -L -v -n

# Monitor connections
conntrack -L

# Test connectivity from a client behind eth1: requests the gateway itself
# generates traverse OUTPUT, not PREROUTING, so they are never redirected
curl -v http://example.com
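Reading the conntrack table is the quickest way to confirm that the rewrite actually happened. As an added example, not part of the answer above, the script below parses `conntrack -L` output: each entry lists the original-direction tuple followed by the reply-direction tuple, and after a REDIRECT or DNAT the reply src:sport is the proxy rather than the server the client dialled, whereas a flow that only passed through MASQUERADE has its reply dst changed and nothing else. The sample lines are constructed for this example; the gateway addresses (192.168.5.254 on the LAN, 203.0.113.5 upstream), the clients and the hairpin-masqueraded remote proxy at 192.168.5.1 are assumptions. A curl run on the gateway itself exercises the OUTPUT chain, not PREROUTING, so the request that produces these entries has to come from a host behind eth1.

```sh
#!/bin/sh
# Added example (not from the original answer): find the flows the nat table
# rewrote by reading conntrack -L output.
# A conntrack entry carries two tuples: original direction (what the client
# sent) and reply direction (what comes back). After REDIRECT or DNAT the
# reply tuple's src/sport is the proxy, so comparing the tuples shows which
# connections were redirected and which merely left through MASQUERADE.

# Constructed sample for this example. Assumed addresses: clients
# 192.168.5.10-12, gateway 192.168.5.254 (LAN) / 203.0.113.5 (WAN),
# remote proxy 192.168.5.1 reached through a hairpin MASQUERADE.
# Entry 1: REDIRECT on the gateway. Entry 2: DNAT to the remote proxy.
# Entry 3: HTTPS, masqueraded only. Entry 4: the proxy's own exempted HTTP.
SAMPLE_CONNTRACK='tcp      6 431999 ESTABLISHED src=192.168.5.10 dst=93.184.216.34 sport=51514 dport=80 src=192.168.5.254 dst=192.168.5.10 sport=8080 dport=51514 [ASSURED] mark=0 use=1
tcp      6 431999 ESTABLISHED src=192.168.5.11 dst=93.184.216.34 sport=40022 dport=80 src=192.168.5.1 dst=192.168.5.254 sport=8080 dport=40022 [ASSURED] mark=0 use=1
tcp      6 431999 ESTABLISHED src=192.168.5.12 dst=93.184.216.34 sport=40100 dport=443 src=93.184.216.34 dst=203.0.113.5 sport=443 dport=40100 [ASSURED] mark=0 use=1
tcp      6 431999 ESTABLISHED src=192.168.5.1 dst=93.184.216.34 sport=33000 dport=80 src=93.184.216.34 dst=203.0.113.5 sport=80 dport=33000 [ASSURED] mark=0 use=1'

# Print one line per port-80 connection whose reply comes from somewhere other
# than the server and port the client asked for. Reads conntrack lines on stdin.
redirected_flows() {
    awk '
    {
        # Collect src/dst/sport/dport values in order of appearance: the first
        # four belong to the original direction, the next four to the reply.
        n = 0
        for (i = 1; i <= NF; i++) {
            if (split($i, kv, "=") == 2 && kv[1] ~ /^(src|dst|sport|dport)$/) {
                n++
                v[n] = kv[2]
            }
        }
        if (n < 8) next
        # v[1..4]: orig src, dst, sport, dport; v[5..8]: reply src, dst, sport, dport.
        # MASQUERADE alone changes only the reply dst; a redirect changes who
        # answers (reply src) or on which port (reply sport).
        if (v[4] == 80 && (v[5] != v[2] || v[7] != v[4]))
            printf "%s:%s -> %s:%s served by %s:%s\n", v[1], v[3], v[2], v[4], v[5], v[7]
    }'
}

# Number of redirected flows in the constructed sample: 2 (the REDIRECT entry
# and the DNAT entry; the HTTPS flow and the proxy's own HTTP are untouched).
count_redirected() {
    printf '%s\n' "$SAMPLE_CONNTRACK" | redirected_flows | grep -c ''
}

# On the gateway as root read the live table; elsewhere fall back to the sample.
show_redirected() {
    if [ "$(id -u)" -eq 0 ] && command -v conntrack >/dev/null 2>&1; then
        conntrack -L 2>/dev/null | redirected_flows
    else
        printf '%s\n' "$SAMPLE_CONNTRACK" | redirected_flows
    fi
}

show_redirected
```

The same parse applied to `conntrack -E` (the event stream) shows the rewrite the moment a client opens a connection, which is handier than polling `-L` on a busy gateway.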