Score:1

Using iptables TPROXY to listen on all ports with outgoing traffic


My issue is that I can't establish an outgoing connection.

I followed this blog post to use TPROXY to redirect any TCP connection to a single listener:

iptables -t mangle -I PREROUTING -i eth0 -p tcp -j TPROXY --on-port=1234 --on-ip=127.0.0.1

I replaced the -d 192.0.2.0/24 with -i eth0, but from my understanding this shouldn't make a difference to the problem I'm facing.

I'm running a listener with IP_TRANSPARENT and I get all connections as expected.

Occasionally I want to establish outgoing TCP connections and, if I read it correctly, the SYN packets go out as expected but any response gets picked up by the TPROXY rule and is dropped.

I assume there is a possible solution using routing?

As suggested I tried adding a route for outgoing connection like this:

echo "10 tproxy" >> /etc/iproute2/rt_tables
ip rule add from 10.x.x.81 table tproxy
ip route add default via 10.x.x.80 dev ens2 table tproxy
# ip rule show
0:      from all lookup local
32764:  from 10.x.x.81 lookup tproxy
...
# ip route show table tproxy
default via 10.64.70.80 dev ens2

And update the iptables rule to:

-A PREROUTING ! -s 10.x.x.81/32 -i ens2 -p tcp -m tcp ! --dport 22 -j TPROXY --on-port 5000 --on-ip 127.0.0.1

Still with the same issue:

11:42:28.172268 IP hostname.46324 > remote.https: Flags [S], seq 2783956497, win 64240, options [mss 1460,sackOK,TS val 1288228251 ecr 0,nop,wscale 7], length 0
11:42:28.173479 IP remote.https > hostname.46324: Flags [S.], seq 573845087, ack 2783956498, win 65160, options [mss 1460,sackOK,TS val 3249746343 ecr 1288227230,nop,wscale 7], length 0
11:42:29.202975 IP remote.https > hostname.46324: Flags [S.], seq 573845087, ack 2783956498, win 65160, options [mss 1460,sackOK,TS val 3249747372 ecr 1288227230,nop,wscale 7], length 0
11:42:29.620887 IP hostname.46334 > remote.https: Flags [S], seq 1774017241, win 64240, options [mss 1460,sackOK,TS val 1288229700 ecr 0,nop,wscale 7], length 0
11:42:29.621686 IP remote.https > hostname.46334: Flags [S.], seq 1078655880, ack 1774017242, win 65160, options [mss 1460,sackOK,TS val 3249747791 ecr 1288229700,nop,wscale 7], length 0
Score:0

Yes, because the TPROXY rule is intercepting all incoming traffic and redirecting it to the listener.

You could allow outgoing connections by using policy routing to route the outgoing traffic around the TPROXY rule.

Here is how. First we create a new routing table:

echo "10 tproxy" >> /etc/iproute2/rt_tables

Then we add a new routing rule:

ip rule add from <your_ip_address> table tproxy

Then we add a new default route:

ip route add default via <your_default_gateway> dev eth0 table tproxy

Finally we modify the TPROXY rule to only match traffic that is not originating from our IP address:

iptables -t mangle -I PREROUTING ! -s <your_ip_address> -i eth0 -p tcp -j TPROXY --on-port=1234 --on-ip=127.0.0.1
Here is my default route: `default via 10.x.x.80 dev ens2 proto dhcp src 10.x.x.81 metric 100` New route as per your suggestion: `ip route show table tproxy` `default via 10.x.x.80 dev ens2` Here is the iptables rule: `TPROXY tcp -- !<hostname> anywhere tcp dpt:!ssh TPROXY redirect 127.0.0.1:5000`
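An added example, not code from the question, the answer, or the blog post the question cites, covering both the symptom in the question's tcpdump and the rule set the answer proposes. In mangle PREROUTING the SYN-ACK for a connection this host opened has the remote host as its source and this host as its destination, so `! -s <your_ip_address>` still matches it, and an `ip rule ... from <your_ip_address>` only steers locally generated packets, which the capture shows are already leaving normally. The TPROXY target then looks up the socket the packet belongs to, finds the host's own non-transparent socket (in SYN_SENT), and drops the packet; the retransmitted SYN-ACK in the capture is that drop. The script below instead puts an iptables socket match ahead of the TPROXY rule so that any packet already belonging to a local socket is accepted and delivered normally, and it includes a checker for the rule order in an iptables-save dump. The interface (ens2) and listener port (5000) are taken from the question and are assumptions; the iptables-save dumps embedded for the self-check are constructed, not captured from the poster's host.

```shell
#!/bin/sh
# Added example: a TPROXY rule set that intercepts every inbound TCP connection
# on the external interface except SSH, while letting replies to the host's
# own outgoing connections through. Not from the question or the answer.
# IFACE and LISTENER_PORT default to the values in the question (assumptions).

IFACE="${IFACE:-ens2}"
LISTENER_PORT="${LISTENER_PORT:-5000}"

# Rules for mangle PREROUTING, in the order they must be installed.
# 1. '-m socket' matches a packet that already belongs to a local socket: the
#    SYN-ACK for a connect() this host made (socket in SYN_SENT), or a later
#    segment of a flow the listener already accepted. Such packets are accepted
#    here and delivered by normal routing, so TPROXY never sees them.
#    '-m socket' ignores listeners bound to 0.0.0.0 unless --nowildcard is set,
#    so sshd is still excluded explicitly in rule 2.
# 2. Everything else is handed to the IP_TRANSPARENT listener.
tproxy_rules() {
    cat <<EOF
-A PREROUTING -i $IFACE -p tcp -m socket -j ACCEPT
-A PREROUTING -i $IFACE -p tcp ! --dport 22 -j TPROXY --on-port $LISTENER_PORT --on-ip 127.0.0.1
EOF
}

# Install the rules (root; needs xt_socket and xt_TPROXY). Remove the earlier
# TPROXY rule first, or the old one keeps matching ahead of these.
apply_rules() {
    tproxy_rules | while IFS= read -r rule; do
        # shellcheck disable=SC2086  # intentional word splitting of the rule
        iptables -t mangle $rule
    done
}

# Read 'iptables-save -t mangle' output on stdin. Exit 0 only if PREROUTING
# contains a '-m socket ... -j ACCEPT' rule and it comes before the first
# '-j TPROXY' rule; exit 1 if either rule is missing or the order is wrong.
check_rule_order() {
    awk '
        /^-A PREROUTING / { n++ }
        /^-A PREROUTING / && /-m socket/ && /-j ACCEPT/ && !sock { sock = n }
        /^-A PREROUTING / && /-j TPROXY/ && !tp { tp = n }
        END { exit ((sock && tp && sock < tp) ? 0 : 1) }
    '
}

# Constructed iptables-save dumps for a self-check; not captured from any host.
good_dump() {
    cat <<'EOF'
*mangle
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i ens2 -p tcp -m socket -j ACCEPT
-A PREROUTING -i ens2 -p tcp -m tcp ! --dport 22 -j TPROXY --on-port 5000 --on-ip 127.0.0.1
COMMIT
EOF
}

# The shape of the rule set in the question: TPROXY with no socket match ahead
# of it, so SYN-ACKs for outgoing connections are still dropped.
bad_dump() {
    cat <<'EOF'
*mangle
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i ens2 -p tcp -m tcp ! --dport 22 -j TPROXY --on-port 5000 --on-ip 127.0.0.1
COMMIT
EOF
}

# Succeeds only if the checker accepts the good dump and rejects the bad one.
selfcheck() {
    good_dump | check_rule_order && ! bad_dump | check_rule_order
}

if [ "${1:-}" = "--apply" ]; then
    apply_rules
elif [ "${1:-}" = "--check" ]; then
    iptables-save -t mangle | check_rule_order && echo "rule order OK"
else
    selfcheck && echo "self-check passed"
fi
```

Run it with no arguments for the offline self-check, as root with `--apply` to install the two rules, and with `--check` to verify the live mangle table. The fwmark plus `ip route add local 0.0.0.0/0 dev lo table N` steps from the kernel's TPROXY documentation are only needed when the intercepted destination is not a local address; for connections to the host's own address, as in the question, normal routing already delivers the accepted packet to the right socket.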