I'm setting up TPROXY on my VyOS router to forward certain traffic to a local transparent proxy. It works pretty well, until I discovered that all of my DNAT port forwarding rules are no longer working (connection timeout when connecting from external network).
Environment
- Router:
10.0.0.1/24 (Proxy is running on 1234 port and adding SO_MARK with 0xff)
- Internal Host:
10.0.0.2/24 (Port 80 should be exposed to the public)
TPROXY Rules
ip rule add fwmark 1 table 100
ip route add local 0.0.0.0/0 dev lo table 100
nft add table myproxy
nft add chain myproxy prerouting { type filter hook prerouting priority 0 \; }
nft add rule myproxy prerouting ip daddr { 127.0.0.1/32, 224.0.0.0/4, 255.255.255.255/32 } return
nft add rule myproxy prerouting meta l4proto tcp ip daddr 10.0.0.0/24 return
nft add rule myproxy prerouting mark 0xff return
nft add rule myproxy prerouting meta l4proto { tcp, udp } mark set 1 tproxy to 127.0.0.1:1234 accept
nft add chain myproxy output { type route hook output priority 0 \; }
nft add rule myproxy output ip daddr { 127.0.0.1/32, 224.0.0.0/4, 255.255.255.255/32 } return
nft add rule myproxy output meta l4proto tcp ip daddr 10.0.0.0/24 return
nft add rule myproxy output mark 0xff return
nft add rule myproxy output meta l4proto { tcp, udp } mark set 1 accept
nft add table filter
nft add chain filter divert { type filter hook prerouting priority -150 \; }
nft add rule filter divert meta l4proto tcp socket transparent 1 meta mark set 1 accept
DNAT Rules
$ nft list table nat
table ip nat {
chain PREROUTING {
type nat hook prerouting priority dstnat; policy accept;
iifname "pppoe0" tcp dport { 8080 } counter packets 7 bytes 400 dnat to 10.0.0.2:80
}
}
Symptoms
Connecting RouterPublicIP:8080 is timing out. Ideally it should forward traffic to 10.0.0.2:80.
I guess inbound DNAT traffic is erroneously forwarded to the proxy (instead of the actual host 10.0.0.2), however I couldn't figure out the correct nft rules.
Thanks in advance!
