Re: [squid-users] Intercepting with iptables: DNAT vs REDIRECT

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Wed, 23 Oct 2013 19:10:14 +1300

On 22/10/2013 2:56 p.m., Dan Charlesworth wrote:
> Hi folks
>
> I've been testing these interception methods (as outlined in the Config Examples) and don't really understand the difference between the two, other than DNAT requiring sysctl changes.
>
> What's the actual functional difference?

The iptables DNAT target changes the destination IP:port of packets to the
configured values. That is all.
* It is generic destination-NAT and the changed packets may leave the
machine and travel out over the network with the new values. (This is a
useless property to Squid).
* It is a static IP:port NAT mapping, which may benefit if DNAT is an
option and you want a few more packets per second through the box.

The iptables REDIRECT target automatically selects the primary global IP
address of the box _at the time when the connection was opened_ and
changes the destination IP:port of packets to that IP and the configured
port.
* It is restricted to sending traffic to the local box (Squid requires
local-machine NAT anyway so no gain/loss there).
* It is a dynamic IP:port mapping (so the machine it is used on can be
auto-configured with a new IP as often as you like without reconfiguring
NAT or the proxy.)
* It is slightly slower than DNAT because of the machine IP lookup

Also, count of connections intercepted is limited to 64K on both due to
IP address only having 64K ports (even if you have traffic arriving on a
secondary IP and NAT'ed to primary IP:port). But you can avoid that with
DNAT using a little trickery with multiple rules and IPs. REDIRECT is
stuck with the machine primary IP whatever you do.

> What's a real-world type of scenario where I might pick one over the other?

If you have a statically assigned IP on the Squid box then DNAT is the
better choice, but either will do and REDIRECT is somewhat simpler to
"set and forget".

If your Squid box is dynamically assigned an IP, then REDIRECT is the only
option for reliable NAT interception. DNAT in this case would simply
stop working on every IP update.

Amos
Received on Wed Oct 23 2013 - 06:10:25 MDT
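The two rule sets Amos contrasts, written out side by side as an added example (this is not code from his reply or from the Squid project's config examples). The script prints the commands by default (DRY_RUN=1) so it can be read and checked without root; interface names, the 10.0.0.0/24 client network, the 192.0.2.x proxy addresses and port 3129 are constructed for illustration, 3129 being assumed to match an "http_port 3129 intercept" line in squid.conf, and net.ipv4.ip_forward is assumed to be the sysctl change the original question refers to.

```shell
#!/bin/sh
# Added example, not code from the reply above or from the Squid project:
# emit the iptables NAT rules for REDIRECT and DNAT interception side by
# side. With DRY_RUN=1 (the default) every command is printed instead of
# executed, so this runs unprivileged. All addresses, the interface name
# and the port are constructed for illustration.

LAN_IF="${LAN_IF:-eth1}"              # interface the client traffic arrives on
LAN_NET="${LAN_NET:-10.0.0.0/24}"     # client network being intercepted
SQUID_IP="${SQUID_IP:-192.0.2.10}"    # static address of the Squid box (DNAT needs it)
SQUID_IP2="${SQUID_IP2:-192.0.2.11}"  # a second address on the same box (DNAT trick)
SQUID_PORT="${SQUID_PORT:-3129}"      # assumed "http_port 3129 intercept" in squid.conf

# Print a command (DRY_RUN=1) or run it (DRY_RUN=0).
run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# REDIRECT: the kernel substitutes the box's primary address itself, so the
# rule carries only the port. Nothing to edit when the box gets a new IP.
redirect_rules() {
    run iptables -t nat -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 80 \
        -j REDIRECT --to-ports "$SQUID_PORT"
}

# DNAT: the destination address is written into the rule, so it must be the
# box's current address and the rule must be reloaded whenever that changes.
# ip_forward is enabled because DNAT is a generic forwarding NAT (assumed to
# be the sysctl change the question mentions).
dnat_rules() {
    run sysctl -w net.ipv4.ip_forward=1
    # When these rules sit on a router in front of the proxy, Squid's own
    # outbound port-80 connections also traverse PREROUTING; exempt them
    # first or each intercepted request is intercepted again in a loop.
    run iptables -t nat -A PREROUTING -i "$LAN_IF" -s "$SQUID_IP" -p tcp --dport 80 -j ACCEPT
    run iptables -t nat -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 80 \
        -j DNAT --to-destination "$SQUID_IP:$SQUID_PORT"
}

# The "multiple rules and IPs" layout that only DNAT allows: two client
# ranges are mapped to two different addresses on the Squid box. Usage:
#   dnat_rules_split 10.0.0.0/25 10.0.0.128/25
dnat_rules_split() {
    run iptables -t nat -A PREROUTING -i "$LAN_IF" -s "$1" -p tcp --dport 80 \
        -j DNAT --to-destination "$SQUID_IP:$SQUID_PORT"
    run iptables -t nat -A PREROUTING -i "$LAN_IF" -s "$2" -p tcp --dport 80 \
        -j DNAT --to-destination "$SQUID_IP2:$SQUID_PORT"
}

case "${1:-both}" in
    redirect) redirect_rules ;;
    dnat)     dnat_rules ;;
    both)     echo "# REDIRECT"; redirect_rules; echo "# DNAT"; dnat_rules ;;
esac
```

Run it as `DRY_RUN=1 sh intercept-nat.sh both` to see the two rule sets; the REDIRECT output contains no proxy address at all, while every DNAT line carries one and so has to be regenerated after an address change. Squid listening with a single `http_port 3129 intercept` on all addresses accepts connections arriving via either target.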