[tproxy] How does 'dev lo' in tproxy routing rule really work?

Balazs Scheidler bazsi at balabit.hu
Thu Apr 15 10:06:33 CEST 2010

On Wed, 2009-12-02 at 18:51 -0800, Ashwani Wason wrote:
> I want to understand the tproxy rules that have been kindly written
> for us in http://www.balabit.com/downloads/files/tproxy/README.txt. I
> understand every aspect of those rules, iptables and iproute2, except
> this one small highlighted bit in the last rule.
>        ip route add local *dev lo* table 100
> # ip route show table 100
> local default dev lo  scope host
> So packets with fwmark 1 get selected for this routing table, which
> assumes that all destinations are assigned to this host and hence
> delivers the packets locally. But the output device is set to 'lo',
> which is the local loopback device. However even if the proxy is not
> listening on the IP of lo (say it only has the socket for eth0 and the
> packet came in on eth0), it still receives the packet. So is the 'lo'
> here just a way to indicate local delivery to the associated physical
> interface and does not really represent the actual output interface?
> Can someone please shed some light on this that is more than a simple
> yes/no answer?

All local traffic is in fact using the "lo" device, so if you are
pinging one of your local IP addresses, you can confirm via tcpdump that
they indeed are on the "lo" device and not on the ethernet where the IP
is assigned.

Routing rules must have an interface assigned to them and it doesn't
really matter which one it is, the trick is in the "local" specifier in
the rule, that directs the kernel to route packets to the local IP


More information about the tproxy mailing list