On 2 October 2013 17:36, Marcus Furlong <[email protected]> wrote:

> Slowly coming to the same conclusion myself, but I was hoping
> this was out of date:
>
>    http://www.faqs.org/docs/iptables/traversingoftables.html
>
> Table 3-2. Source local host (our own machine), at Step 2 the routing
> decision is taken before the OUTPUT chain of the mangle table. Grr.
>
> Does anyone have any other ideas how I might achieve this?
>

Apologies for the late response.

As per the diagram:

http://inai.de/images/nf-packet-flow.png

tproxy is the solution that allows things like transparent proxies to work
with UDP as well as TCP, and for IPv6 as well as IPv4, without relying on
NAT.

My understanding of tproxy is that it ends up with (note: doing this with
IPv6 appears to be broken in the standard wheezy kernel; however, that is
another issue. If you have problems with the wheezy kernel you might want
to try a later kernel from backports just in case):

OUTPUT(eth0) -> routing -> PREROUTING (lo)

As per the diagram, after the mangle:OUTPUT rule, it does a "reroute check",
which is capable of "jumping" back to the prerouting stage. I think. The
best explanation I have been able to come up with anyway :-)

When I asked about this before I got the response: "Because it's two
different interfaces (eth0 vs lo). The diagram is for a single interface."

Trying to understand how this works completely mangles my brain. Or nats my
brain. Or something. However, will try:

In the mangle:OUTPUT I have:

MARK       tcp  --  0.0.0.0/0            192.168.0.0/16       tcp MARK set 0x1
MARK       udp  --  0.0.0.0/0            192.168.0.0/16       udp MARK set 0x1

This assigns all required packets the mark. Then, as above, it must look at
my routing rules:

aquitard# ip rule
0:      from all lookup local
32764:  from all fwmark 0x1 lookup 100
32765:  from all fwmark 0x1 lookup 100
32766:  from all lookup main
32767:  from all lookup default

aquitard# ip route show table 100
local default dev lo  scope host

Which reroutes it to lo.

Then in mangle:PREROUTING I do the tproxy stuff. Which is probably not
really relevant to your task.

All seems a bit like black magic to me.

However it does actually work.


So in conclusion, while this seems very non-obvious, have you tried marking
the packets in the OUTPUT chain?


Thread where I try to understand this for the first time:

https://groups.google.com/forum/#!msg/sshuttle/5U0JFrecHks/PhUGMa1RElMJ
-- 
Brian May <[email protected]>
_______________________________________________
luv-main mailing list
[email protected]
http://lists.luv.asn.au/listinfo/luv-main
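The three pieces described in the message above (mark in mangle:OUTPUT, a fwmark rule pointing at a table whose only route is local via lo, and the TPROXY redirect in mangle:PREROUTING) as one script. This is an added example, not code from the original post or from sshuttle. The mark 0x1, table 100 and destination 192.168.0.0/16 are the post's own values; the proxy address 127.0.0.1:12345 is an assumption, and the proxy listening there must set IP_TRANSPARENT on its socket for TPROXY to hand it the connections. Without APPLY=1 the script only prints the commands it would run, so it can be read and checked without root.

```shell
#!/bin/sh
# Added example (not from the original post): OUTPUT mark -> policy route to lo
# -> TPROXY in PREROUTING, written so each step can be re-run safely.
# Assumed values: PROXY_IP/PROXY_PORT are hypothetical; MARK, TABLE and NET are
# the values shown in the post.
MARK=0x1
TABLE=100
NET=192.168.0.0/16
PROXY_IP=127.0.0.1
PROXY_PORT=12345

# Print each command unless APPLY=1, in which case execute it (root required).
run() {
    if [ "${APPLY:-0}" = 1 ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

# Step 1: in mangle OUTPUT, mark locally generated TCP and UDP bound for NET.
mark_output() {
    run iptables -t mangle -A OUTPUT -p tcp -d "$NET" -j MARK --set-mark "$MARK"
    run iptables -t mangle -A OUTPUT -p udp -d "$NET" -j MARK --set-mark "$MARK"
}

# Step 2: policy routing. The reroute check after mangle OUTPUT sees the mark,
# consults table TABLE, and its only route sends the packet out via lo.
# "ip rule add" is not idempotent: running it twice leaves two identical rules
# (the post's "ip rule" listing shows exactly that), so drop a stale copy first.
policy_route() {
    run ip rule del fwmark "$MARK" lookup "$TABLE" 2>/dev/null || true
    run ip rule add fwmark "$MARK" lookup "$TABLE"
    run ip route replace local default dev lo table "$TABLE"
}

# Step 3: the packet re-enters through PREROUTING on lo, still carrying the mark.
# TPROXY is only valid in mangle PREROUTING; --tproxy-mark (re)sets the mark so
# the routing lookup that follows hits table TABLE again and delivers locally.
tproxy_prerouting() {
    for proto in tcp udp; do
        run iptables -t mangle -A PREROUTING -i lo -p "$proto" -m mark --mark "$MARK" \
            -j TPROXY --on-ip "$PROXY_IP" --on-port "$PROXY_PORT" --tproxy-mark "$MARK/$MARK"
    done
}

# All three steps, in the order the packet meets them.
tproxy_rules() {
    mark_output
    policy_route
    tproxy_prerouting
}

if [ "${APPLY:-0}" = 1 ] && [ "$(id -u)" -ne 0 ]; then
    echo "APPLY=1 needs root" >&2
    exit 1
fi
tproxy_rules
```

Run it once without APPLY to review the seven commands it prints, then `APPLY=1 sh tproxy.sh` as root. Note that traffic which is not marked in OUTPUT never reaches table 100, so the `-d "$NET"` selectors are what decide which connections end up at the proxy; everything else follows the main table as before.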
