Setup guide
Network Address Translation is subdivided into two separate facilities:
• Source NAT
This type of NAT allows 'hiding' of private networks behind the router. It alters the source addresses of forwarded IP packets.
• Destination NAT
This type is used for accessing public services on local servers from outside the intranet. It can also help to accomplish additional tasks such as transparent proxying. Destination NAT alters the destination addresses of forwarded IP packets.
Redirect and Masquerade
REDIRECT is to regular destination NAT what MASQUERADE is to source NAT. Masquerading is source NAT in which you do not have to specify to-src-address: the address of the outgoing interface is used automatically. Likewise, REDIRECT is destination NAT in which to-dst-address is not used: the address of the incoming interface is used instead. There is therefore no point in specifying to-src-address for src-nat rules with action=masquerade, or to-dst-address for dst-nat rules with action=redirect. Note that to-dst-port is meaningful for REDIRECT rules: it is the port on which the service on the router that will handle these requests is listening (e.g. the web proxy).
When a packet is dst-natted (whether by action=nat or action=redirect), its destination address is changed. Information about the translation (including the original destination address) is kept in the router's internal tables. A transparent web proxy running on the router (web requests are redirected to the proxy port on the router) can read this information from those tables and obtain the web server's address from them. If you dst-nat to some other proxy server instead, that server has no way to find the web server's address from the IP header, because the destination address of the IP packet, which was previously the web server's address, has been changed to the proxy server's address. Starting from HTTP/1.1 there is a special header in the HTTP request that carries the web server's address, so the proxy server can use it instead of the destination address of the IP packet. If there is no such header (an older HTTP version on the client), the proxy server cannot determine the web server's address and therefore cannot work.
This means that it is impossible to correctly and transparently redirect HTTP traffic from the router to some other transparent-proxy box. The only correct way is to add a transparent proxy on the router itself and configure it so that your "real" proxy is its parent proxy. In this setup your "real" proxy no longer has to be transparent: the proxy on the router is the transparent one and forwards proxy-style requests (which, according to the standard, include all necessary information about the web server) to the "real" proxy.
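As an added illustration (not RouterOS code or configuration), the following Python model implements the actions described above using the guide's own parameter names, keeps the translation table the text refers to, and reproduces the proxy behaviour of the last two paragraphs: a transparent proxy on the router finds the original web server in the table, while a separate proxy box only succeeds when the HTTP/1.1 request carries the Host header (the "special header" the text mentions). Interface names, addresses and requests are constructed samples; the port rewrite for action=nat is an assumption of the model.

```python
"""Toy model of the NAT behaviour described above (added illustration, not
RouterOS code). Implements action=nat with to-src-address/to-dst-address,
action=masquerade and action=redirect with to-dst-port, keeps the internal
translation table, and shows who can recover the original destination."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    in_iface: str
    out_iface: str
    payload: str = ""


def matches(rule, pkt):
    """A rule matches when every matcher it carries agrees with the packet."""
    return (rule.get("dst-port", pkt.dport) == pkt.dport
            and rule.get("in-interface", pkt.in_iface) == pkt.in_iface
            and rule.get("out-interface", pkt.out_iface) == pkt.out_iface)


class Router:
    def __init__(self, rules, iface_addr):
        self.rules = rules
        self.iface_addr = iface_addr   # interface name -> its own address
        self.nat_table = {}            # translated 4-tuple -> original (dst, dport)

    def dst_nat(self, pkt):
        """dst-nat chain: may rewrite the destination before routing."""
        for rule in self.rules:
            if rule["chain"] != "dst-nat" or not matches(rule, pkt):
                continue
            if rule["action"] == "nat":   # port rewrite for action=nat is assumed here
                new = replace(pkt, dst=rule["to-dst-address"],
                              dport=rule.get("to-dst-port", pkt.dport))
            elif rule["action"] == "redirect":
                # to-dst-address is ignored: the incoming interface address is used,
                # to-dst-port is the port of the local service (e.g. the web proxy)
                new = replace(pkt, dst=self.iface_addr[pkt.in_iface],
                              dport=rule["to-dst-port"])
            else:
                continue
            # keep the translation, including the original destination
            self.nat_table[(new.src, new.sport, new.dst, new.dport)] = (pkt.dst, pkt.dport)
            return new
        return pkt

    def src_nat(self, pkt):
        """src-nat chain: may rewrite the source of a forwarded packet."""
        for rule in self.rules:
            if rule["chain"] != "src-nat" or not matches(rule, pkt):
                continue
            if rule["action"] == "nat":
                return replace(pkt, src=rule["to-src-address"])
            if rule["action"] == "masquerade":   # outgoing interface address is used
                return replace(pkt, src=self.iface_addr[pkt.out_iface])
        return pkt

    def handle(self, pkt):
        """Return (packet, 'local' | 'forwarded') after NAT processing."""
        pkt = self.dst_nat(pkt)
        if pkt.dst in self.iface_addr.values():
            return pkt, "local"         # redirected to a service on the router
        return self.src_nat(pkt), "forwarded"

    def original_destination(self, pkt):
        """Table lookup only a transparent proxy on the router itself can do."""
        return self.nat_table.get((pkt.src, pkt.sport, pkt.dst, pkt.dport))


def proxy_target(pkt, router=None):
    """Which web server did the client want? Pass the Router when the proxy runs
    on the router; None models a separate box that only sees the rewritten packet."""
    if router is not None:
        found = router.original_destination(pkt)
        if found:
            return found
    for line in pkt.payload.split("\r\n"):      # fall back to the HTTP/1.1 Host header
        if line.lower().startswith("host:"):
            return (line.split(":", 1)[1].strip(), 80)
    return None                                 # HTTP/1.0 without Host: cannot work


# Constructed sample: LAN client 192.168.0.50 fetching a page from 198.51.100.7.
IFACES = {"lan": "192.168.0.1", "wan": "203.0.113.10"}
HTTP11 = "GET / HTTP/1.1\r\nHost: 198.51.100.7\r\n\r\n"
HTTP10 = "GET / HTTP/1.0\r\n\r\n"


def client_request(payload):
    return Packet("192.168.0.50", 40000, "198.51.100.7", 80, "lan", "wan", payload)


def demo_redirect_on_router(payload=HTTP10):
    """Proxy on the router recovers the server even for an HTTP/1.0 client."""
    r = Router([{"chain": "dst-nat", "action": "redirect", "dst-port": 80,
                 "to-dst-port": 8080}], IFACES)
    out, how = r.handle(client_request(payload))
    return (out.dst, out.dport, how), proxy_target(out, router=r)


def demo_dstnat_to_proxy_box(payload):
    """Separate proxy box: it cannot read r.nat_table, so only Host can help."""
    r = Router([{"chain": "dst-nat", "action": "nat", "dst-port": 80,
                 "to-dst-address": "192.168.0.2", "to-dst-port": 8080}], IFACES)
    out, _ = r.handle(client_request(payload))
    return proxy_target(out)
```

Running demo_redirect_on_router() shows the request landing on 192.168.0.1:8080 locally with the original server still recoverable from the table; demo_dstnat_to_proxy_box(HTTP10) returns None because the proxy box has neither the table nor a Host header to work with. A masquerade rule can be exercised the same way by building a Router with a src-nat rule and inspecting the source address of the forwarded packet.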
Type of Service
Internet paths vary in the quality of service they provide. They can differ in cost, reliability, delay and throughput. This imposes tradeoffs; for example, the path with the lowest delay may be among the slowest. Therefore the "optimal" path for a packet to follow through the Internet may depend on the needs of the application and its user.
Because the network itself has no knowledge of how to choose the best path for a particular application or user, the IP protocol provides a facility for upper-layer protocols to convey hints to the Internet layer about how the tradeoffs should be made for a particular packet. This facility is called the "Type of Service" facility.
The fundamental rule is that if a host makes appropriate use of the TOS facility, its network service should be at least as good as it would have been had the host not used this facility.