Difference between DNAT and REDIRECT in IPTABLES

Solution 1:

REDIRECT alters the destination IP address to send to the machine itself. In other words, locally generated packets are mapped to the 127.0.0.1 address. It's for redirecting local packets. If you only want to redirect the traffic between services on the local machine, it will be a good choice.

DNAT is actual Network Address Translation. If you want packets destined outside of the local system to have the destination altered, it's the better choice of the two, as REDIRECT will not work.

Solution 2:

REDIRECT does alter the destination IP address to send to the machine itself as answered by Warner@. But I'd say that answer is not totally correct, or a bit misleading.

REDIRECT is not just for redirecting local packets. It is really DNAT in which the destination IP address to use is implicit, 127.0.0.1 if it is a local packet or the machine interface's IP address otherwise, 192.168.5.1 in the case of the OP.

So in this question, no matter what the final destination, the packets should first reach the proxy, so REDIRECT is perfectly suited.

Since with REDIRECT you don't need to specify the IP address, it will just take the right one, it has some advantages over DNAT:

  • If the machine's IP address changes for any reason you don't need to modify your rules, and in particular DNAT will not work for DHCP-controlled interfaces.

  • You can write and maintain the same rules for several systems (several proxy instances for example) without keeping slightly different versions because of the specific IP addresses.
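An added illustration of the point made in this answer (not code from either answer): the REDIRECT rule and the explicit DNAT rule it is equivalent to, for steering port-80 traffic into a proxy on the same host. The interface name eth0 and proxy port 3128 are assumed; 192.168.5.1 is the OP's address and is used only as a fallback when the interface cannot be looked up. The functions print the rules rather than applying them.

```shell
#!/bin/sh
# Added example, not from the original answers. Assumed values: interface
# eth0, proxy listening on TCP 3128 on this host. Nothing here runs iptables;
# each function only prints the rule text so the two forms can be compared.

IFACE="${IFACE:-eth0}"
PROXY_PORT="${PROXY_PORT:-3128}"

# Current IPv4 address of an interface (empty if the interface or `ip` is missing).
iface_ip() {
    ip -4 -o addr show dev "$1" 2>/dev/null | awk '{print $4}' | cut -d/ -f1 | head -n1
}

# REDIRECT form: no address needed. The kernel uses the incoming interface's
# primary address for PREROUTING traffic and 127.0.0.1 for OUTPUT (local) traffic.
redirect_rule() {
    echo "iptables -t nat -A PREROUTING -i $1 -p tcp --dport 80 -j REDIRECT --to-ports $2"
}

# DNAT form: same effect, but the proxy address is written into the rule, so the
# rule must be rewritten whenever that address changes (e.g. a DHCP renewal).
dnat_rule() {
    echo "iptables -t nat -A PREROUTING -i $1 -p tcp --dport 80 -j DNAT --to-destination $3:$2"
}

# What REDIRECT implicitly expands to on this host: a DNAT with the interface's
# current address filled in. Falls back to the OP's 192.168.5.1 (constructed
# fallback) when the address cannot be determined, so the text is still shown.
expand_redirect() {
    addr=$(iface_ip "$1")
    [ -n "$addr" ] || addr="192.168.5.1"
    dnat_rule "$1" "$2" "$addr"
}

redirect_rule "$IFACE" "$PROXY_PORT"
expand_redirect "$IFACE" "$PROXY_PORT"
```

Running the printed lines requires root; comparing the two outputs after changing the interface's address shows why the DNAT version has to be maintained per host while the REDIRECT one does not.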