I want to understand the tproxy rules that have been kindly written for us in http://www.balabit.com/downloads/files/tproxy/README.txt. I understand every aspect of those rules, iptables and iproute2, except this one small highlighted bit in the last rule.

    ip route add local 0.0.0.0/0 *dev lo* table 100

    # ip route show table 100
    local default dev lo scope host

So packets with fwmark 1 get selected for this routing table, which assumes that all destinations are assigned to this host and hence delivers the packets locally. But the output device is set to 'lo', which is the local loopback device. However even if the proxy is not listening on the IP of lo (say it only has the socket for eth0 and the packet came in on eth0), it still receives the packet.

So is the 'lo' here just a way to indicate local delivery to the associated physical interface and does not really represent the actual output interface?

Can someone please shed some light on this that is more than a simple yes/no answer?

Thank you,
- Ashwani