
I want to redirect all DNS traffic to a proxy. For that I set up the following rules in nftables:

    chain prerouting {
        type filter hook prerouting priority mangle; policy accept;
        udp dport 53 tproxy to :1 accept
        tcp dport 53 tproxy to :1 accept
    }

The proxy binds to port 1 and sets a few socket options:

    // fd is the proxy's listening socket (golang.org/x/sys/unix)
    // IP_TRANSPARENT: let the socket receive packets whose destination is not a local address
    err4 = unix.SetsockoptInt(fd, unix.SOL_IP, unix.IP_TRANSPARENT, 1)
    if err4 == nil {
        // IP_RECVORIGDSTADDR: have recvmsg(2) attach the original destination address as ancillary data
        err4 = unix.SetsockoptInt(fd, unix.SOL_IP, unix.IP_RECVORIGDSTADDR, 1)
    }

But when I run the proxy, DNS traffic doesn't reach it for some reason. Interestingly, when I shut down the proxy, DNS traffic goes directly to its original destination address.

I tried to trace how the nftables rules are applied; `nft monitor trace` shows:

    trace id a7cc39a5 inet metal prerouting packet: iif "vlan20" ether saddr 52:54:00:c8:4f:dd ether daddr 52:19:cd:e8:a1:89 vlan pcp 0 vlan cfi 0 vlan id 1001 ip saddr 10.0.24.2 ip daddr 1.1.1.1 ip dscp cs0 ip ecn not-ect ip ttl 63 ip id 27564 ip protocol udp ip length 56 udp sport 33222 udp dport 53 udp length 36 @th,64,96 17776049973980271729501536256
    trace id a7cc39a5 inet metal prerouting rule udp dport 53 tproxy to :1 meta nftrace set 1 accept (verdict accept)
    trace id a7cc39a5 inet nat prerouting verdict continue
    trace id a7cc39a5 inet nat prerouting policy accept

So it looks like all rules are successfully applied.

  • Official doc includes a preliminary part to do first: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tree/Documentation/networking/tproxy.rst?h=v5.10#n24 – A.B Jun 29 '21 at 22:53
  • @A.B Thanks for the comment! I actually solved that problem long ago; the problem was with my routing settings. Traffic was actually coming to one VRF and should've been going to another one, where the proxy is working. – Grigoriy Mikhalkin Jun 30 '21 at 09:35
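Added example (not code from the question or from the proxy it describes): once the socket carries the two options shown above, each datagram that tproxy diverts to port 1 arrives with an `IP_ORIGDSTADDR` control message, and this is how the proxy recovers the address the client actually asked for (1.1.1.1:53 in the trace). `origDstFromOOB` parses that message out of the `oob` buffer returned by `syscall.Recvmsg`; `buildOrigDstOOB` is a test helper that constructs the same cmsg in user space, so the parser can be checked without root or a tproxy rule. Assumes Linux (cmsg layout and `SOL_IP`/`IP_ORIGDSTADDR` values from the `syscall` package) and, for real traffic, the fwmark rule and local route from tproxy.rst that the comment above points to.

```go
package main

import (
	"encoding/binary"
	"errors"
	"net"
	"syscall"
	"unsafe"
)

// origDstFromOOB reads the original IPv4 destination (e.g. 1.1.1.1:53) out of
// the ancillary data that syscall.Recvmsg returns on a UDP socket created with
// IP_TRANSPARENT and IP_RECVORIGDSTADDR. Without that cmsg a tproxy'd DNS
// packet carries no hint of where the client was really sending it. The cmsg
// payload is a struct sockaddr_in: family (host byte order), port (network
// byte order), then the 4-byte address.
func origDstFromOOB(oob []byte) (net.IP, int, error) {
	msgs, err := syscall.ParseSocketControlMessage(oob)
	if err != nil {
		return nil, 0, err
	}
	for _, m := range msgs {
		if m.Header.Level != syscall.SOL_IP || m.Header.Type != syscall.IP_ORIGDSTADDR {
			continue
		}
		if len(m.Data) < syscall.SizeofSockaddrInet4 || *(*uint16)(unsafe.Pointer(&m.Data[0])) != syscall.AF_INET {
			return nil, 0, errors.New("malformed sockaddr_in in IP_ORIGDSTADDR cmsg")
		}
		return net.IPv4(m.Data[4], m.Data[5], m.Data[6], m.Data[7]), int(binary.BigEndian.Uint16(m.Data[2:4])), nil
	}
	return nil, 0, errors.New("no IP_ORIGDSTADDR cmsg: is IP_RECVORIGDSTADDR set on the socket?")
}

// buildOrigDstOOB constructs the control message the kernel would attach, so
// the parser can be exercised offline (constructed test input, not kernel output).
func buildOrigDstOOB(ip net.IP, port int) []byte {
	b := make([]byte, syscall.CmsgSpace(syscall.SizeofSockaddrInet4))
	h := (*syscall.Cmsghdr)(unsafe.Pointer(&b[0]))
	h.Level, h.Type = syscall.SOL_IP, syscall.IP_ORIGDSTADDR
	h.SetLen(syscall.CmsgLen(syscall.SizeofSockaddrInet4))
	data := b[syscall.CmsgLen(0):] // payload starts after the aligned header
	*(*uint16)(unsafe.Pointer(&data[0])) = syscall.AF_INET
	binary.BigEndian.PutUint16(data[2:4], uint16(port))
	copy(data[4:8], ip.To4())
	return b
}
```

In the proxy's receive loop, pass `oob[:oobn]` from `syscall.Recvmsg(fd, buf, oob, 0)` to `origDstFromOOB` and forward the query to that address rather than to the socket's own bind address.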

0 Answers