
I installed a TPROXY server in my router that forwards the traffic to a SOCKS5 server.

The router has the address 192.168.1.1 and my PC has the address 192.168.1.33. Also, I have a local bridge "virbr0" on the PC side that forwards traffic to a virtual machine, with 192.168.11.1 as the gateway address and 192.168.11.2 as the peer address.

In the PC side:

ip rule add fwmark 1088 table 100
ip route add local default dev virbr0 table 100
iptables -t mangle -A PREROUTING -i virbr0 -p tcp -j TPROXY -s 192.168.11.2 --on-ip 192.168.0.1 --on-port 1088 --tproxy-mark 1088

When I try to curl any IP from the virtual machine side (192.168.11.2) I get timeouts; looking at the Wireshark logs, no packet is forwarded from my PC to the router.

And when I change the address of "--on-ip" to 127.0.0.1 and run the TPROXY server locally, listening on 127.0.0.1:1088, everything works OK.

How can I make the TPROXY option in iptables "see" the external address of the router (192.168.1.1) and connect?

PS: I don't know whether TPROXY was designed to work with non-local addresses when sending the packets, but I searched a lot on Google and could see examples of TPROXY using non-local addresses; when I try to reproduce the examples, nothing works.

phantomcraft
  • Use the reference example: https://www.kernel.org/doc/Documentation/networking/tproxy.rst . Currently you're not following it, and you shouldn't trust random Internet blogs. This reference uses the socket match, which you don't, and uses `dev lo`, which you don't. – A.B Jul 24 '22 at 15:12
  • And the probable cause of your setup not working is that you never set the lo interface up. A new network namespace gets a lo interface, DOWN initially. Then you probably tried to change the interface name from the reference setup because of this. – A.B Jul 24 '22 at 15:13
  • I added this comment to this question, but since there are 3 or 4 questions that are almost the same, maybe that should have been on another question... – A.B Jul 24 '22 at 15:19
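The point behind the comments above is that the TPROXY target never sends a packet anywhere: it looks up a listening socket on the local host that matches `--on-ip`/`--on-port`, and if no such socket exists the packet is dropped (xt_TPROXY returns NF_DROP). That is why 127.0.0.1 works and a router address does not. The script below is an added example written for this answer, not code from the question, from A.B, or from the kernel documentation verbatim; it lays out the rule set in the same shape as the tproxy.rst reference (socket match into a DIVERT chain, fwmark to a routing table, `local` default route on `dev lo`) for the asker's topology, and refuses to install a rule whose `--on-ip` is not an address configured on this host. The interface name virbr0, the VM address 192.168.11.2, port 1088, mark 1088 and table 100 are taken from the question; the `DIVERT` chain name comes from the reference; `DRY_RUN` and `LOCAL_ADDRS` are assumptions added so the script can be inspected and tested without root.

```shell
#!/bin/sh
# Added example: reference-style TPROXY setup (after tproxy.rst) for the
# PC-side interception in the question, with a check that --on-ip is local.
# Assumptions (not from the original post): DRY_RUN=1 prints instead of
# applying; LOCAL_ADDRS, when set, replaces `ip addr` with a constructed
# address list so the checks run offline.
set -u

IFACE=${IFACE:-virbr0}        # bridge the VM traffic arrives on
VM=${VM:-192.168.11.2}        # VM peer address (from the question)
PORT=${PORT:-1088}            # port the transparent proxy listens on
MARK=${MARK:-1088}            # fwmark used to steer packets to TABLE
TABLE=${TABLE:-100}           # policy-routing table with the local route

# Print a command (DRY_RUN=1, the default) or execute it (DRY_RUN=0).
run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# IPv4 addresses configured on this host, one per line. With LOCAL_ADDRS set
# (a constructed, space-separated list) it is used as-is; otherwise `ip` is
# queried.
local_addrs() {
    if [ -n "${LOCAL_ADDRS:-}" ]; then
        printf '%s\n' $LOCAL_ADDRS
    else
        ip -4 -o addr show | awk '{split($4, a, "/"); print a[1]}'
    fi
}

# Returns 0 when $1 is an address of this host, 1 otherwise. TPROXY can only
# hand a packet to a socket on this host, so a non-local --on-ip never matches.
tproxy_on_ip_is_local() {
    local_addrs | grep -qx -- "$1"
}

# Emit (or apply) the rule set. Order matters: the socket match first, so
# packets of flows that already have a socket are re-marked and accepted,
# then the TPROXY rule for new connections from the VM.
tproxy_rules() {
    on_ip=$1
    if ! tproxy_on_ip_is_local "$on_ip"; then
        echo "refusing: --on-ip $on_ip is not a local address; TPROXY cannot deliver to it" >&2
        return 1
    fi
    run ip rule add fwmark "$MARK" lookup "$TABLE"
    run ip route add local 0.0.0.0/0 dev lo table "$TABLE"
    run iptables -t mangle -N DIVERT
    run iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
    run iptables -t mangle -A DIVERT -j MARK --set-mark "$MARK"
    run iptables -t mangle -A DIVERT -j ACCEPT
    run iptables -t mangle -A PREROUTING -i "$IFACE" -s "$VM" -p tcp \
        -j TPROXY --tproxy-mark "$MARK" --on-ip "$on_ip" --on-port "$PORT"
}

# Usage: DRY_RUN=1 sh tproxy.sh 127.0.0.1   (print rules)
#        DRY_RUN=0 sh tproxy.sh 127.0.0.1   (apply, as root)
if [ -n "${1:-}" ]; then
    tproxy_rules "$1"
fi
```

Run it with `127.0.0.1` (or with 192.168.11.1, the PC's own address on virbr0) and it prints the rule set; run it with the router's 192.168.1.1 and it refuses, which is the situation in the question. The proxy process itself still has to bind its listening socket with IP_TRANSPARENT, and `lo` must be UP in the namespace where the rules are installed, as the comment points out. If the interception is meant to happen on the router rather than on the PC, the PC should simply route the VM's traffic to the router and the TPROXY rule belongs on the router, with an `--on-ip` that is local there.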

0 Answers