I want to redirect traffic with the iptables TPROXY target, using the following commands:
# Divert all TCP and UDP seen in mangle/PREROUTING to a transparent proxy
# listening on port 1080 (the socket must be bound with IP_TRANSPARENT).
# Note that without an -i or -d restriction these match packets arriving on
# every interface, WAN included, and packets addressed to the router itself;
# the exclusions added at the end of the thread narrow that down.
iptables -t mangle -I PREROUTING -p tcp -j TPROXY --on-port 1080 --on-ip 0.0.0.0 --tproxy-mark 0x1/0x1
iptables -t mangle -I PREROUTING -p udp -j TPROXY --on-port 1080 --on-ip 0.0.0.0 --tproxy-mark 0x1/0x1
For that to work, the following policy-routing rule and local route also have to be present:
# Packets carrying fwmark 1 (set by --tproxy-mark) are looked up in table
# 100, whose only entry is a "local" default route via lo, so they are
# delivered to the local proxy socket instead of being forwarded.
ip rule add fwmark 1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100
or
# Same route, alternative spelling: "default" is 0.0.0.0/0.
ip route add local default dev lo table 100
It appears that to make these ip commands persistent I have to express them in the network configuration file:
/etc/config/network
What is the equivalent of ip commands that I have mentioned to be put into /etc/config/network?
I added the following sections to /etc/config/network, but it did not work — after a restart `ip rule show` still lists only the default rules:
vim /etc/config/network
# Policy rule: packets whose fwmark has bit 0x1 set use routing table 100.
config rule
option mark '0x1/0x1'
option lookup '100'
# Local default route in table 100 via lo, so marked packets are delivered
# locally. NOTE(review): the `uci show network` dump later in the thread
# registers this stanza as network.@rule[1] (a second rule), not as a route;
# double-check that this header really reads `config route` on the box.
config route
option interface 'loopback'
option target '0.0.0.0'
option netmask '0.0.0.0'
option table '100'
option type 'local'
root@router:~# ip rule show
0: from all lookup local
32766: from all lookup main
32767: from all lookup default
# Restart netifd, give it time to bring interfaces up, then dump the
# network config as uci sees it next to the rules actually installed.
/etc/init.d/network restart; sleep 10; \
uci show network; ip rule show
root@Highway:~# /etc/init.d/network restart; sleep 10; \
> uci show network; ip rule show
'radio2' is disabled
network.loopback=interface
network.loopback.ifname='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.globals.ula_prefix='fd34:3aeb:ba9a::/48'
network.wan=interface
network.wan.proto='pppoe'
network.wan.password=''
network.wan.username=''
network.wan.ifname='eth1.5'
network.wan.peerdns='0'
network.wan.ipv6='0'
network.@switch[0]=switch
network.@switch[0].name='switch0'
network.@switch[0].reset='1'
network.@switch[0].enable_vlan='1'
network.@switch_vlan[0]=switch_vlan
network.@switch_vlan[0].device='switch0'
network.@switch_vlan[0].vlan='1'
network.@switch_vlan[0].vid='1'
network.@switch_vlan[0].ports='5t 3'
network.@switch_vlan[1]=switch_vlan
network.@switch_vlan[1].device='switch0'
network.@switch_vlan[1].vlan='2'
network.@switch_vlan[1].vid='2'
network.@switch_vlan[1].ports='5t 2'
network.@switch_vlan[2]=switch_vlan
network.@switch_vlan[2].device='switch0'
network.@switch_vlan[2].vlan='3'
network.@switch_vlan[2].vid='3'
network.@switch_vlan[2].ports='5t 1'
network.@switch_vlan[3]=switch_vlan
network.@switch_vlan[3].device='switch0'
network.@switch_vlan[3].vlan='4'
network.@switch_vlan[3].vid='4'
network.@switch_vlan[3].ports='5t 0'
network.@switch_vlan[4]=switch_vlan
network.@switch_vlan[4].device='switch0'
network.@switch_vlan[4].vlan='5'
network.@switch_vlan[4].ports='6t 4'
network.@switch_vlan[4].vid='5'
network.PORT1=interface
network.PORT1.ifname='eth0.1'
network.PORT1.proto='static'
network.PORT1.ipaddr='192.168.1.1'
network.PORT1.netmask='255.255.255.0'
network.PORT1.macaddr=''
network.PORT2=interface
network.PORT2.ifname='eth0.2'
network.PORT2.proto='static'
network.PORT2.ipaddr='192.168.2.1'
network.PORT2.netmask='255.255.255.0'
network.PORT2.macaddr=''
network.PORT3=interface
network.PORT3.ifname='eth0.3'
network.PORT3.proto='static'
network.PORT3.ipaddr='192.168.3.1'
network.PORT3.netmask='255.255.255.0'
network.PORT3.macaddr=''
network.PORT4=interface
network.PORT4.ifname='eth0.4'
network.PORT4.proto='static'
network.PORT4.ipaddr='192.168.4.1'
network.PORT4.netmask='255.255.255.0'
network.PORT4.macaddr=''
network.@rule[0]=rule
network.@rule[0].mark='0x1/0x1'
network.@rule[0].lookup='100'
network.@rule[1]=rule
network.@rule[1].interface='loopback'
network.@rule[1].target='0.0.0.0'
network.@rule[1].netmask='0.0.0.0'
network.@rule[1].table='100'
network.@rule[1].type='local'
0: from all lookup local
2: from all nop
32766: from all lookup main
32767: from all lookup default
Please post the output of:
# Board/release info, installed ip-* packages (the glob is escaped so opkg
# expands it, not the shell), and which ip binary `ip` really resolves to.
ubus call system board
opkg list-installed ip-\*
readlink -f $(type -p ip)
root@router:~# ubus call system board
{
"kernel": "4.14.180",
"hostname": "router",
"system": "ARMv7 Processor rev 1 (v7l)",
"model": "Linksys WRT3200ACM",
"board_name": "linksys,rango",
"release": {
"distribution": "OpenWrt",
"version": "19.07.3",
"revision": "r11063-85e04e9f46",
"target": "mvebu/cortexa9",
"description": "OpenWrt 19.07.3 r11063-85e04e9f46"
}
}
root@router:~# opkg list-installed | grep -e ^ip-
ip-full - 5.0.0-2.1
root@router:~# readlink -f $(type -p ip)
/usr/libexec/ip-full
Your rules are working for me.
And your system/package versions look fine.
That's weird.
Check the system log (`logread`) after restarting the network.
If nothing helps, try to upgrade to OpenWrt 19.07.4.
I updated to OpenWRT v19.07.4, but the problem was not solved.
I finally found a solution to this issue using hotplug.
These were the problems that I faced:
- The policy-routing rule and route were not installed when saved in /etc/config/network.
- Even when the commands were run by hand over SSH, restarting the network or the firewall removed the rule and route again.
So I saved the ip commands in the following two hotplug scripts, which are run on interface and firewall events:
/etc/hotplug.d/firewall/30-iproute
/etc/hotplug.d/iface/30-iproute
The commands saved in both files:
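# Policy routing for TPROXY: fwmark 1 -> table 100 -> local default route.
# Hotplug runs these files again on each interface/firewall event, so the
# commands must be idempotent: a plain `ip rule add` installs a duplicate
# rule on every run, and `ip route add` fails with "File exists" on the
# second one. Delete any existing copies of the rule first (the loop ends
# when there is nothing left to delete), then add it once; `replace` makes
# the route idempotent.
while ip rule del fwmark 1 lookup 100 2>/dev/null; do :; done
ip rule add fwmark 1 lookup 100
ip route replace local 0.0.0.0/0 dev lo table 100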
And these are the custom firewall rules (the "Custom Rules" file, /etc/firewall.user on 19.07) that set up a transparent proxy for both TCP and UDP:
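# Transparent-proxy (TPROXY) diversion of LAN client traffic, TCP and UDP,
# to a proxy listening on port 1080 with IP_TRANSPARENT.
# Rules are appended (-A), so they are evaluated in the order written and
# the exclusions must stay above the TPROXY rules. This is meant to run once
# per firewall (re)load; running it again by hand duplicates the rules.
#
# NOTE(review): LAN_IF must name the LAN-facing interface(s); iptables
# accepts a trailing "+" wildcard (e.g. "eth0.+" for eth0.1..eth0.4). On
# OpenWrt this is typically br-lan - confirm with `ip link`. Without an -i
# restriction the TPROXY rules also match packets arriving on WAN, which
# would then be handed to the proxy socket rather than to the service they
# were addressed to.
LAN_IF="${LAN_IF:-br-lan}"

# Excluding DHCP lease renewal (must reach the router's DHCP server):
iptables -t mangle -A PREROUTING -p udp -m multiport --ports 67:68 -j RETURN
# Excluding traffic to any address owned by the router itself (needs the
# addrtype match, xt_addrtype; drop this line if your build lacks it):
iptables -t mangle -A PREROUTING -m addrtype --dst-type LOCAL -j RETURN
# Excluding private, loopback, link-local, multicast and broadcast
# destinations (the original rule covered only 192.168.0.0/16):
for net in 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 \
           172.16.0.0/12 192.168.0.0/16 224.0.0.0/4 255.255.255.255/32; do
  iptables -t mangle -A PREROUTING -d "$net" -j RETURN
done
# Redirecting everything else that arrives from the LAN:
iptables -t mangle -A PREROUTING -i "$LAN_IF" -p tcp -j TPROXY --on-port 1080 --tproxy-mark 1
iptables -t mangle -A PREROUTING -i "$LAN_IF" -p udp -j TPROXY --on-port 1080 --tproxy-mark 1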