
If I have the following rule in the nat table in the PREROUTING chain:

   0     0 REDIRECT   tcp  --  eth5  any     anywhere             anywhere             tcp flags:FIN,SYN,RST,ACK/SYN redir ports 20000

My intention is to DNAT to the incoming interface (hence the REDIRECT target), and I want to redirect only packets where the SYN flag is set and all other flags are unset. I am wondering if this rule is correct. What happens if there is a packet with only the SYN and the URG flags set? Or with only the SYN and the PUSH flags set? As far as I know that wouldn't be a match to the above rule. In this case the packet just wouldn't get redirected.

As far as I understand I should change the --tcp-flags rule to:

--tcp-flags ALL SYN

In this case even if the PUSH and the URG flags are set it would (Edit: NOT!!) get redirected and that's what I want. So that's why I think that that would be correct.

Is my reasoning right?

Edit: As I am thinking about this I'm getting more and more confused. Reflecting on what I have just written, it just doesn't matter whether to include the PUSH or the URG flag because it seems that in both cases it just wouldn't get redirected. So logically it seems that

FIN,SYN,RST,ACK/SYN is equal to --tcp-flags ALL SYN
PersianGulf

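As an added example (not part of the original post), here is a small Python model of how iptables evaluates `--tcp-flags mask comp`: a packet matches when `(packet_flags & mask) == comp`, i.e. only the flags named in the mask are examined and exactly those in comp must be set. It runs the two rules from the question against constructed SYN packets that also carry URG, PSH, ACK or the ECN bits. Flag bit values and the meaning of `ALL` (the six classic flags, 0x3F) follow iptables; accepting `PUSH` as an alias for `PSH` is a convenience of this example.

```python
"""Added example (not from the original post): model of iptables --tcp-flags.

iptables evaluates "--tcp-flags mask comp" as (packet_flags & mask) == comp.
"iptables -L" prints the same pair as "mask/comp". Packets below are constructed.
"""

# TCP header flag bits. ALL/NONE follow iptables: ALL is the six classic
# flags (0x3F); ECE and CWR are not part of ALL.
FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08,
             "ACK": 0x10, "URG": 0x20, "ECE": 0x40, "CWR": 0x80}
ALIASES = {"ALL": 0x3F, "NONE": 0x00}


def parse_flag_list(spec: str) -> int:
    """'FIN,SYN,RST,ACK' -> 0x17; 'ALL' -> 0x3F. PUSH is accepted as PSH here."""
    bits = 0
    for name in spec.upper().split(","):
        name = "PSH" if name == "PUSH" else name
        bits |= ALIASES[name] if name in ALIASES else FLAG_BITS[name]
    return bits


def parse_tcp_flags(rule: str) -> tuple:
    """Accept both 'mask comp' (command line) and 'mask/comp' (-L output)."""
    mask_s, comp_s = rule.replace("/", " ").split()
    return parse_flag_list(mask_s), parse_flag_list(comp_s)


def tcp_flags_match(rule: str, packet_flags: int) -> bool:
    """The kernel's test: examine only the masked bits, require comp exactly."""
    mask, comp = parse_tcp_flags(rule)
    return (packet_flags & mask) == comp


def compare_rules(rule_a: str, rule_b: str, packets: dict) -> dict:
    """Evaluate each constructed packet against both rules -> {name: (a, b)}."""
    return {name: (tcp_flags_match(rule_a, f), tcp_flags_match(rule_b, f))
            for name, f in packets.items()}


# Constructed packets, named by the flags they carry.
PACKETS = {
    "SYN": FLAG_BITS["SYN"],
    "SYN,URG": FLAG_BITS["SYN"] | FLAG_BITS["URG"],
    "SYN,PSH": FLAG_BITS["SYN"] | FLAG_BITS["PSH"],
    "SYN,ACK": FLAG_BITS["SYN"] | FLAG_BITS["ACK"],
    "SYN,ECE,CWR": FLAG_BITS["SYN"] | FLAG_BITS["ECE"] | FLAG_BITS["CWR"],  # ECN-setup SYN
}

if __name__ == "__main__":
    for pkt, (a, b) in compare_rules("FIN,SYN,RST,ACK/SYN", "ALL SYN", PACKETS).items():
        print(f"{pkt:12} FIN,SYN,RST,ACK/SYN={a!s:5} ALL SYN={b!s:5}")
```

Running it shows that the two rules agree on a bare SYN but differ on SYN+URG and SYN+PSH (the narrower mask never examines URG or PSH, so those packets still match it), and that neither mask looks at ECE/CWR, so an ECN-setup SYN matches both.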