I used an iptables ruleset based on the sample ruleset from https://trac.torproject.org/projects/tor/wiki/doc/TransparentProxy, section "Linux, Local Redirection Through Tor", to set up Tor as a transparent proxy.
I thought I had understood that ruleset, but there is one point I simply don't get: that TCP segments are only redirected to the port Tor listens on when the SYN flag is set.
For example, I want to visit http://www.example.com. My browser does a DNS request, gets the corresponding IP address and sends a TCP segment to that address, the SYN flag is set.
According to the ruleset, the segment is redirected to the Tor port, so Tor functions as a proxy, routes the IP packet to http://www.example.com and delivers the answer from the website server back to my browser. My browser gets a packet back where the source IP is that from the server and the ACK flag is set in the TCP payload, right?
So my browser sends the next TCP segment where the SYN flag is not set anymore to www.example.com's IP address.
But, there is no corresponding rule in the NAT table because the SYN flag isn't set. So it shouldn't get redirected or get accepted in the output table afterwards.
Nonetheless, everything is working fine. What point am I missing?
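The behaviour the question is puzzled by comes from connection tracking: Netfilter traverses the nat table only for the packet that creates a new conntrack entry, records the NAT verdict in that entry, and applies the same rewrite to every later packet of the flow without re-evaluating the nat rules. The model below is an added illustration of that mechanism, not the Tor wiki's ruleset; the port 9040, the client and server addresses and the `--syn` REDIRECT rule it models are assumptions.

```python
"""Toy model of Netfilter nat + conntrack: why a REDIRECT rule matching only
--syn still covers the whole TCP connection (added illustration, assumptions
marked; not the Tor wiki's actual iptables ruleset)."""
from dataclasses import dataclass, field

TOR_TRANS_PORT = 9040  # assumed TransPort, as used in the wiki's sample rules


@dataclass(frozen=True)
class Segment:
    src: tuple  # (ip, port)
    dst: tuple  # (ip, port)
    syn: bool   # SYN flag set?


@dataclass
class NetfilterModel:
    # conntrack entry: flow key -> destination the flow was rewritten to
    conntrack: dict = field(default_factory=dict)

    def nat_output_rule(self, seg):
        """Models '-t nat -A OUTPUT -p tcp --syn -j REDIRECT --to-ports 9040'."""
        if seg.syn:
            return ("127.0.0.1", TOR_TRANS_PORT)
        return None  # no nat rule matched: destination unchanged

    def output(self, seg):
        """Locally generated packet leaving the host."""
        key = (seg.src, seg.dst)
        if key not in self.conntrack:
            # First packet of a flow: the nat table is consulted exactly once and
            # its verdict (rewrite or not) is stored in the new conntrack entry.
            self.conntrack[key] = self.nat_output_rule(seg) or seg.dst
        # All later packets of the flow reuse the stored mapping; the nat
        # table (and therefore the --syn match) is never looked at again.
        return Segment(seg.src, self.conntrack[key], seg.syn)


def walk_connection(model, client=("10.0.0.2", 40000),
                    server=("203.0.113.10", 80)):
    """Constructed addresses: a browser's first three segments to a web server.
    Returns the destination each segment is actually sent to."""
    segments = [Segment(client, server, syn=True),   # SYN
                Segment(client, server, syn=False),  # ACK completing handshake
                Segment(client, server, syn=False)]  # HTTP request
    return [model.output(s).dst for s in segments]


if __name__ == "__main__":
    print(walk_connection(NetfilterModel()))
```

The counter-case is equally visible: a non-SYN segment for which no conntrack entry exists (a flow the firewall never saw a SYN for) is not redirected, which is exactly what the `--syn` match is meant to enforce.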