I want to set up a transparent proxy across network namespaces. I have two network namespaces, "nsx" and "nsy", and each one has a veth pair: the pair for "nsx" points to the host, and the pair for "nsy" points to "nsx", as in the following scheme (the commands to set all this up):
ip netns add nsx
ip netns add nsy
ip link add vethx type veth peer name peerx netns nsx
ip link set vethx up
ip address add 10.0.0.1/24 dev vethx
ip netns exec nsx ip link set peerx up
ip netns exec nsx ip address add 10.0.0.2/24 dev peerx
ip netns exec nsx ip link add vethy type veth peer name peery netns nsy
ip netns exec nsx ip link set vethy up
ip netns exec nsx ip address add 10.0.1.1/24 dev vethy
ip netns exec nsx sysctl -w net.ipv4.conf.peerx.forwarding=1
ip netns exec nsx sysctl -w net.ipv4.conf.vethy.forwarding=1
ip netns exec nsx sysctl -w net.ipv4.ip_forward=1
ip netns exec nsy ip link set peery up
ip netns exec nsy ip address add 10.0.1.2/24 dev peery
ip netns exec nsy ip route add default via 10.0.1.1 dev peery
ip netns exec nsx ip rule add fwmark 1088 table 100
ip netns exec nsx ip route add local default dev vethy table 100
ip netns exec nsx iptables -t mangle -A PREROUTING -i vethy -p tcp -j TPROXY -s 10.0.1.2 --on-ip 10.0.0.1 --on-port 19040 --tproxy-mark 1088
Transparent proxying is configured on the internal virtual interface "vethy", pointing to the transparent proxy running at 10.0.0.1:19040.
When I try to connect to any address in the network namespace "nsy" I get timeouts and the connections are not proxied/forwarded.
The transparent proxy in the iptables rules doesn't "see" the address:port 10.0.0.1:19040.
What can be done to make this scheme work?
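A sanity check worth running on a TPROXY setup like the one above, added here as an example and not part of the original question: the TPROXY target hands the packet to a socket looked up in the namespace where the rule is evaluated, and the manual requires --on-ip to be an address of that local machine, so the script below takes the rule as posted and a constructed copy of what "ip netns exec nsx ip -o -4 addr show" would print for the addresses in the question, and reports whether the --on-ip is local to "nsx". The address listing is constructed from the post's commands, not captured from a live system.

```python
"""Check that a TPROXY rule's --on-ip is an address that is local to the
namespace holding the rule (the proxy socket must live in that namespace).
Added example, not code from the original question."""
import re
import shlex

# Constructed: what `ip netns exec nsx ip -o -4 addr show` would print for the
# addresses assigned in the question (lo included for completeness).
NSX_ADDR_OUTPUT = """\
1: lo    inet 127.0.0.1/8 scope host lo       valid_lft forever preferred_lft forever
2: peerx    inet 10.0.0.2/24 scope global peerx       valid_lft forever preferred_lft forever
3: vethy    inet 10.0.1.1/24 scope global vethy       valid_lft forever preferred_lft forever
"""

# The rule from the question, exactly as posted.
TPROXY_RULE = ("iptables -t mangle -A PREROUTING -i vethy -p tcp -j TPROXY "
               "-s 10.0.1.2 --on-ip 10.0.0.1 --on-port 19040 --tproxy-mark 1088")


def local_addresses(ip_addr_output):
    """Collect every IPv4 address (prefix length stripped) from `ip -o -4 addr` output."""
    return set(re.findall(r"\binet (\d+\.\d+\.\d+\.\d+)/\d+", ip_addr_output))


def tproxy_on_ip(rule):
    """Return the --on-ip value of a TPROXY rule, or None when it is absent
    (without --on-ip, TPROXY keeps the packet's original destination address)."""
    tokens = shlex.split(rule)
    if "--on-ip" not in tokens:
        return None
    return tokens[tokens.index("--on-ip") + 1]


def check_tproxy_target(rule, ns_addr_output):
    """Report (ok, reason): is the rule's --on-ip local to the namespace it is installed in?"""
    target = tproxy_on_ip(rule)
    if target is None:
        return True, "no --on-ip given; TPROXY keeps the original destination"
    local = local_addresses(ns_addr_output)
    if target in local:
        return True, "--on-ip %s is local to this namespace" % target
    return False, ("--on-ip %s is not local to this namespace (local: %s); the proxy "
                   "socket must be bound in the same namespace as the TPROXY rule"
                   % (target, ", ".join(sorted(local))))


if __name__ == "__main__":
    ok, why = check_tproxy_target(TPROXY_RULE, NSX_ADDR_OUTPUT)
    print("OK" if ok else "PROBLEM", "-", why)
```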