OK, I could confirm that the SNAT patch provided seems to work for me. I have more questions on tproxy 4.1.0 and FWMARK:

iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY \
    --tproxy-mark 0x1/0x1 --on-port 3128
iptables -t mangle -N DIVERT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT

ip rule add fwmark 1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100

If I have to do split access on outgoing traffic into multiple interfaces, I would already have used FWMARK in one way or another. For example, for split outgoing access, I would have already marked traffic going out to eth0 with FWMARK 5, and traffic going out to eth1 with FWMARK 7. And I would already have these rules:

ip rule add fwmark 5 lookup 120
ip rule add fwmark 7 lookup 130

(And table 120 will default route to the gateway belonging to interface 1, and table 130 will default route to the gateway belonging to interface 2.)

So how could I incorporate the tproxy mark into my existing use of FWMARK?

Regards.
Hello, Ming-Ching Tiew wrote:
OK, I could confirm that the SNAT patch provided seems to work for me.
I have more questions on tproxy 4.1.0 and FWMARK:

iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY \
    --tproxy-mark 0x1/0x1 --on-port 3128
iptables -t mangle -N DIVERT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT

ip rule add fwmark 1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100

If I have to do split access on outgoing traffic into multiple interfaces, I would already have used FWMARK in one way or another.
For example, for split outgoing access, I would have already marked traffic going out to eth0 with FWMARK 5, and traffic going out to eth1 with FWMARK 7. And I would already have these rules:

ip rule add fwmark 5 lookup 120
ip rule add fwmark 7 lookup 130

(And table 120 will default route to the gateway belonging to interface 1, and table 130 will default route to the gateway belonging to interface 2.)

So how could I incorporate the tproxy mark into my existing use of FWMARK?
The mark is a uint32 value, so the last bit may belong to tproxy; everything else could be used for routing and so on. Also in your case the routing requires even marks:

ip rule add fwmark 4/0xfffffffe lookup 120
ip rule add fwmark 6/0xfffffffe lookup 130

The following clears the last bit of the fwmark (because the mask is "0x1") and sets the last bit to 1 (the value is "0x1"):

iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY \
    --tproxy-mark 0x1/0x1 --on-port 3128
iptables -t mangle -N DIVERT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT

Sets the last bit only:

iptables -t mangle -A DIVERT -j MARK --set-mark 1/1
iptables -t mangle -A DIVERT -j ACCEPT

Tproxy related rules:

ip rule add fwmark 1/1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100

TProxy uses advanced routing for the incoming packets, your rules use it for the outgoing packets, so they are not the same.

HTH
--
Panther
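As an added illustration (not code from either poster), here is a small Python model of the mark arithmetic the reply relies on. It assumes the documented semantics that MARK --set-mark and --tproxy-mark value/mask rewrite only the masked bits and that ip rule fwmark value/mask compares only the masked bits, and it shows why the exact-match marks 5 and 7 from the question get clobbered by an unmasked --set-mark 1 while the even marks with mask 0xfffffffe survive alongside the tproxy bit.

```python
# Added example, not code from the thread: a model of how iptables
# MARK/TPROXY "value/mask" writes and "ip rule fwmark value/mask" matches
# combine on the 32-bit fwmark, so the tproxy bit and routing marks coexist.

MASK32 = 0xFFFFFFFF

def set_mark(mark, value, mask=MASK32):
    """MARK --set-mark value/mask (and --tproxy-mark value/mask):
    only the bits in mask are rewritten: (mark & ~mask) | (value & mask)."""
    return ((mark & ~mask) | (value & mask)) & MASK32

def fwmark_matches(mark, value, mask=MASK32):
    """ip rule fwmark value/mask: matches when (mark & mask) == (value & mask)."""
    return (mark & mask) == (value & mask)

def matching_tables(mark, rules):
    """Set of tables whose (value, mask, table) rule matches the mark."""
    return {table for value, mask, table in rules if fwmark_matches(mark, value, mask)}

# Rules as in the question: exact-match routing marks 5 and 7, tproxy mark 1.
ORIGINAL_RULES = [(1, MASK32, 100), (5, MASK32, 120), (7, MASK32, 130)]

def original_scheme(routing_mark, intercepted):
    """Final mark and matching tables when DIVERT uses 'MARK --set-mark 1'."""
    mark = routing_mark
    if intercepted:
        mark = set_mark(mark, 1)          # no mask: the routing bits are overwritten
    return mark, matching_tables(mark, ORIGINAL_RULES)

# Rules as in the reply: even routing marks with bit 0 masked out, and the
# tproxy rules only setting and testing bit 0.
MASKED_RULES = [(1, 0x1, 100), (4, 0xFFFFFFFE, 120), (6, 0xFFFFFFFE, 130)]

def masked_scheme(routing_mark, intercepted):
    """Final mark and matching tables when DIVERT uses 'MARK --set-mark 1/1'."""
    mark = routing_mark
    if intercepted:
        mark = set_mark(mark, 0x1, 0x1)   # only bit 0 changes, routing bits kept
    return mark, matching_tables(mark, MASKED_RULES)

if __name__ == "__main__":
    # Traffic marked for eth0 (5 in the question, 4 in the reply), then intercepted.
    print("original:", original_scheme(5, True))        # (1, {100}): table 120 lost
    print("masked:  ", masked_scheme(4, True))           # (5, {100, 120}): both kept
    print("masked, not intercepted:", masked_scheme(4, False))  # (4, {120})
```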
participants (2):
- Laszlo Attila Toth
- Ming-Ching Tiew