[tproxy] How does 'dev lo' in tproxy routing rule really work?

Ashwani Wason ashwas at gmail.com
Thu Dec 3 03:51:24 CET 2009

I want to understand the tproxy rules that have been kindly written
for us in http://www.balabit.com/downloads/files/tproxy/README.txt. I
understand every aspect of those rules, iptables and iproute2, except
this one small highlighted bit in the last rule.

       ip route add local *dev lo* table 100

# ip route show table 100
local default dev lo  scope host

So packets with fwmark 1 get selected for this routing table, which
assumes that all destinations are assigned to this host and hence
delivers the packets locally. But the output device is set to 'lo',
which is the local loopback device. However, even if the proxy is not
listening on the IP of lo (say it only has the socket for eth0 and the
packet came in on eth0), it still receives the packet. So is the 'lo'
here just a way to indicate local delivery to the associated physical
interface and does not really represent the actual output interface?
Can someone please shed some light on this that is more than a simple
yes/no answer?

Thank you,
- Ashwani
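
A small model of the lookup described in the message above, added here as an illustration; it is not part of the original post, the tproxy README, or kernel code. It treats the route type (`local`, as documented in ip-route(8)) as what decides local delivery and carries the route's `dev` and the ingress interface as separate fields. The addresses, the rule priorities and the contents of the `local` and `main` tables are assumed sample values.

```python
import ipaddress

# Constructed model of Linux policy routing (illustration only).
# Each route is (type, prefix, dev); all addresses are documentation ranges.
TABLES = {
    "local": [("local", "192.0.2.1/32", "eth0"), ("local", "127.0.0.0/8", "lo")],
    "100":   [("local", "0.0.0.0/0", "lo")],   # shown as: local default dev lo
    "main":  [("unicast", "192.0.2.0/24", "eth0"), ("unicast", "0.0.0.0/0", "eth0")],
}
# (priority, required fwmark or None, table); priorities are assumed values.
RULES = [(0, None, "local"), (32765, 1, "100"), (32766, None, "main")]


def lookup(table, dst):
    """Longest-prefix match in one table; returns (type, prefix, dev) or None."""
    addr = ipaddress.ip_address(dst)
    hits = [r for r in TABLES[table] if addr in ipaddress.ip_network(r[1])]
    return max(hits, key=lambda r: ipaddress.ip_network(r[1]).prefixlen, default=None)


def route_input(dst, iif, fwmark=0):
    """Walk the rules in priority order for a packet received on `iif`."""
    for _prio, mark, table in sorted(RULES):
        if mark is not None and mark != fwmark:
            continue                      # fwmark selector does not match
        route = lookup(table, dst)
        if route is None:
            continue                      # no route in this table, try next rule
        rtype, _prefix, dev = route
        return {
            "table": table,
            "action": "deliver_locally" if rtype == "local" else "forward",
            "route_dev": dev,             # device named in the route entry
            "iif": iif,                   # ingress interface is carried unchanged
        }
    return {"table": None, "action": "unreachable", "route_dev": None, "iif": iif}


if __name__ == "__main__":
    # Packet for a foreign address arriving on eth0, carrying fwmark 1.
    print(route_input("203.0.113.10", "eth0", fwmark=1))
    # The same packet without the mark falls through to the main table.
    print(route_input("203.0.113.10", "eth0", fwmark=0))
    # A packet for the host's own address matches the local table first.
    print(route_input("192.0.2.1", "eth0"))
```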
