I want to run a tcp transparent proxy (with TPROXY) processing only traffic outgoing a specific interface. That's what my setup looks like:

               lan1  ############
local net 1 <-------#  ROUTER  #      wan
                    #    +     #-------------> internet
local net 2 <-------#  TPROXY  #
               lan2  ############

Local traffic to lan1 and lan2 shall not be proxied, traffic to wan shall be proxied. Other routers may be connected to the local networks, so we can not match for any destination netmasks.

The TPROXY target requires being entered in the PREROUTING chain. Naturally the outgoing interface is only known after routing (POSTROUTING), but then it's too late for TPROXY.

I was already thinking of possible solutions but all look more or less quirky to me (just pseudo calls, please do not insist on correctness ;-)

Solution 1 (run the stack twice):

    ip link add dev loopback name tprox
    iptables -A POSTROUTING -o wan -j ROUTE -oif tprox
    iptables -A PREROUTING -i tprox -j TPROXY

Solution 2 (do it on your own):

    iptables -A PREROUTING -j NFQUEUE

Use a small homebrew program using the destination address and performing a route lookup. If the outgoing interface is wan, mark the packet and NF_REPEAT.

    iptables -A PREROUTING --match-mark X -j PROXY

Solution 3 (just another idea):

TPROXY requires an

    ip route add local 0.0.0.0/0

(deliver everything locally). If you'd jump to the regular routing table, traffic will not be proxied. Unfortunately policy routing (ip rule *) can not 'match' for an outgoing interface (because the route lookup has not happened yet).

It would be great if you could give me any hints.

Greetings
Sebastian Poehn

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
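The decision step of Solution 2, as an added example that is not part of Sebastian's post: given the destination address of a queued packet, do a longest-prefix match against the routing table and mark the packet only if the selected route leaves via wan. The routing table here is a constructed sample in `ip route show` text format with made-up addresses, standing in for the netlink route lookup a real NFQUEUE helper would issue; the interface names lan1, lan2 and wan are taken from the post, and the 10.10.0.0/16 entry models a network behind another router on lan2, which is exactly the case a static destination netmask cannot express.

```python
import ipaddress

# Constructed sample of `ip route show` output for the router described in
# the post (addresses are made up). The 10.10.0.0/16 route points at another
# router sitting on lan2, so it must not be proxied even though it is not
# directly attached.
SAMPLE_ROUTES = """\
default via 203.0.113.1 dev wan
192.168.1.0/24 dev lan1 proto kernel scope link src 192.168.1.1
192.168.2.0/24 dev lan2 proto kernel scope link src 192.168.2.1
10.10.0.0/16 via 192.168.2.254 dev lan2
203.0.113.0/24 dev wan proto kernel scope link src 203.0.113.7
"""


def parse_routes(text):
    """Parse `ip route` lines into (network, outgoing interface) tuples."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        dest = fields[0]
        net = ipaddress.ip_network("0.0.0.0/0" if dest == "default" else dest,
                                   strict=False)
        # The word after 'dev' names the outgoing interface for this route.
        dev = fields[fields.index("dev") + 1]
        routes.append((net, dev))
    return routes


def lookup_oif(routes, dst):
    """Longest-prefix match: the most specific route containing dst wins."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, dev in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else None


def should_proxy(routes, dst, wan_dev="wan"):
    """The NFQUEUE helper's verdict: mark (and thus proxy) only if the
    destination would be routed out through the wan interface."""
    return lookup_oif(routes, dst) == wan_dev


if __name__ == "__main__":
    table = parse_routes(SAMPLE_ROUTES)
    for dst in ("192.168.1.20", "10.10.5.5", "8.8.8.8"):
        print(dst, lookup_oif(table, dst), should_proxy(table, dst))
```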