-
-
Save superstes/c4fefbf403f61812abf89165d7bc4000 to your computer and use it in GitHub Desktop.
IPTables TPROXY - proxy input and output
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| # target: squid-openssl 4.13 with listener "http_port 127.0.0.1:3129 tproxy" | |
| # see also: | |
| # https://docs.kernel.org/networking/tproxy.html | |
| # https://blog.cloudflare.com/mmproxy-creative-way-of-preserving-client-ips-in-spectrum/ | |
| # https://latest.gost.run/en/tutorials/redirect/#forwarding-chain_1 | |
| # you might need to enable some iptables/nftables kernel modules: | |
| # https://docs.kernel.org/networking/tproxy.html#iptables-and-nf-tables-extensions | |
| # you will also have to configure a loopback route if you want to proxy 'output' traffic: | |
| # echo "200 proxy_loopback" > /etc/iproute2/rt_tables.d/proxy.conf | |
| # these need to be configured persistend (maybe use an interface up-hook) | |
| # ip rule add fwmark 200 table proxy_loopback | |
| # ip -6 rule add fwmark 200 table proxy_loopback | |
| # ip route add local 0.0.0.0/0 dev lo table proxy_loopback | |
| # ip -6 route add local ::/0 dev lo table proxy_loopback | |
| # can be checked using: | |
| # ip rule list | |
| # ip -6 rule list | |
| # ip -d route show table all | |
| # you might need to set a sysctl: | |
| # sysctl -w net.ipv4.conf.all.route_localnet=1 | |
| # you might want to block 127.0.0.1 on non loopback interfaces if you enable it: | |
| # iptables -t raw -A PREROUTING ! -i lo -d 127.0.0.0/8 -j DROP | |
| # iptables -t mangle -A POSTROUTING ! -o lo -s 127.0.0.0/8 -j DROP | |
| MARK_PROXY=200 | |
| MARK_DONE=201 | |
| PROXY_UID=13 | |
| PROXY_PORT=3129 | |
| EXCLUDE_NETS=(127.0.0.0/8 192.168.0.0/16 10.0.0.0/8 172.16.0.0/12) | |
| iptables -t mangle -N PROXY_SESSION | |
| iptables -t mangle -A PROXY_SESSION -j MARK --set-mark "$MARK_PROXY" | |
| iptables -t mangle -A PROXY_SESSION -j ACCEPT | |
| iptables -t mangle -A PREROUTING -p tcp -m socket -j PROXY_SESSION | |
| # iptables -t mangle -A PREROUTING -m mark --mark $MARK_PROXY -j LOG --log-prefix "PRE MARK PROXY" | |
| # iptables -t mangle -A PREROUTING -m mark --mark $MARK_DONE -j LOG --log-prefix "PRE MARK DONE" | |
| iptables -t mangle -N PROXY_REDIRECT | |
| iptables -t mangle -A PROXY_REDIRECT -p tcp -m mark --mark "$MARK_DONE" -j RETURN | |
| for net in "${EXCLUDE_NETS[@]}" | |
| do | |
| iptables -t mangle -A PROXY_REDIRECT -p tcp -d "$net" -j RETURN | |
| done | |
| iptables -t mangle -A PROXY_REDIRECT -p tcp -j TPROXY --tproxy-mark "$MARK_PROXY/$MARK_PROXY" --on-ip 127.0.0.1 --on-port "$PROXY_PORT" | |
| iptables -t mangle -A PREROUTING -p tcp -j PROXY_REDIRECT | |
| iptables -t mangle -A PREROUTING -m mark --mark "$MARK_DONE" -j CONNMARK --save-mark | |
| iptables -t mangle -N OUTPUT_LOOP | |
| iptables -t mangle -A OUTPUT_LOOP -m owner --uid-owner "$PROXY_UID" -j RETURN | |
| iptables -t mangle -A OUTPUT_LOOP -m owner --uid-owner "$PROXY2_UID" -j RETURN | |
| iptables -t mangle -A OUTPUT_LOOP -p tcp -m mark --mark "$MARK_DONE" -j RETURN | |
| for net in "${EXCLUDE_NETS[@]}" | |
| do | |
| iptables -t mangle -A OUTPUT_LOOP -p tcp -d "$net" -j RETURN | |
| done | |
| iptables -t mangle -A OUTPUT_LOOP -p tcp -d 255.255.255.255/32 -j RETURN | |
| iptables -t mangle -A OUTPUT_LOOP -p tcp -j MARK --set-mark "$MARK_PROXY" | |
| iptables -t mangle -A OUTPUT -m connmark --mark "$MARK_DONE" -j CONNMARK --restore-mark | |
| # iptables -t mangle -A OUTPUT -m mark --mark $MARK_PROXY -j LOG --log-prefix "OUT MARK PROXY" | |
| # iptables -t mangle -A OUTPUT -m mark --mark $MARK_DONE -j LOG --log-prefix "OUT MARK DONE" | |
| iptables -t mangle -A OUTPUT -p tcp -j OUTPUT_LOOP | |
| iptables -t mangle -A OUTPUT -m mark --mark "$MARK_DONE" -j MARK --set-mark 0 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment