How to exclude traffic bound for host in a prerouting chain (iptables)?

I'm trying to transparent-proxy a device from my router. The iptables rules look like this:

{iptables | ip6tables} -t mangle -A PREROUTING -m mac --mac-source <mac_address> -p {tcp | udp} -j TPROXY --on-port 60080 --tproxy-mark 0x1

How do I exclude the traffic destined for the router, so the device can still access the router in general? (The device can't obtain an IP with this rule; I also have a DNS resolver on the router.)

For IPv4, I can use the NAT IP of the router, e.g. ! -d 192.168.1.1
But in IPv6, the br-lan interface only has a public IP address.
I tried --out-interface but it can't be used in PREROUTING.
I also tried --destination 'br-lan' but it says br-lan is a bad argument.

On a related note:
ip -6 route add local default dev lo table 100
doesn't show up when I try
ip -6 route show table 100
but it's in
ip -6 route show table all
I'm not sure if this means it's not working... on an Ubuntu PC, table 100 does show the route.

https://openwrt.org/docs/guide-user/services/tor/client#firewall

https://openwrt.org/docs/guide-user/network/network_configuration?s=ula_prefix#section_globals


Turns out it's quite simple:
iptables -t mangle -A PREROUTING -p {tcp | udp} -m addrtype ! --dst-type LOCAL,BROADCAST -m mac --mac-source <mac_address> -j TPROXY --on-port 60080 --tproxy-mark 0x1

BROADCAST is for excluding DHCPv4.
This particular command needs the modules: iptables-mod-extra, kmod-ipt-tproxy, iptables-tproxy
The Nintendo Switch doesn't seem to have IPv6 (no config, no address shown, no link-local address corresponding to its MAC), so I didn't try ip6tables.
(Though the best way to test is probably using DHCPv6 and see if Switch asks for a lease)

However, my proxy is not receiving any traffic...
The rule doesn't seem wrong, forwarding=1 and rp_filter=0 by default.
Is it because of missing kernel configuration? Oh dear...

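As an added example (not code from the thread), here is a POSIX shell script that generates the full TPROXY ruleset the answer arrives at, for both IPv4 and IPv6, together with the fwmark policy routing the first post mentions (mark 0x1, table 100, port 60080 are the thread's values). The function names and the MAC address are assumptions/placeholders. One caveat the script encodes: the addrtype match does not accept BROADCAST under ip6tables (IPv6 has no broadcast), so the IPv6 rule excludes LOCAL only. By default the script only prints the commands, so it can be reviewed before anything is applied.

```shell
#!/bin/sh
# Added example, not from the thread. Emits the mangle/PREROUTING TPROXY
# rules plus the policy routing that hands marked packets to the local
# stack. Dry run by default; APPLY=1 executes the lines (on OpenWrt this
# needs the addrtype and TPROXY packages the thread lists).

# tproxy_rule FAMILY PROTO MAC
#   FAMILY: 4 or 6; PROTO: tcp or udp; MAC: source MAC of the device.
# Prints one rule. Traffic whose destination is an address owned by the
# router (LOCAL) is left alone so DHCP, DNS and the web UI keep working.
# BROADCAST (DHCPv4 discover/request) is only valid for IPv4.
tproxy_rule() {
    family=$1; proto=$2; mac=$3
    case $family in
        4) bin=iptables;  types='LOCAL,BROADCAST' ;;
        6) bin=ip6tables; types='LOCAL' ;;
        *) echo "bad family: $family" >&2; return 1 ;;
    esac
    printf '%s -t mangle -A PREROUTING -p %s -m addrtype ! --dst-type %s -m mac --mac-source %s -j TPROXY --on-port 60080 --tproxy-mark 0x1\n' \
        "$bin" "$proto" "$types" "$mac"
}

# tproxy_routing FAMILY
# Prints the two commands that make packets marked 0x1 terminate locally:
# a rule selecting table 100 by fwmark, and a local default route in it.
tproxy_routing() {
    case $1 in 4) v=-4 ;; 6) v=-6 ;; *) echo "bad family: $1" >&2; return 1 ;; esac
    printf 'ip %s rule add fwmark 0x1 lookup 100\n' "$v"
    printf 'ip %s route add local default dev lo table 100\n' "$v"
}

# tproxy_ruleset MAC
# Prints the complete set: routing for both families, then tcp and udp
# rules for each family (8 lines in total).
tproxy_ruleset() {
    mac=$1
    for fam in 4 6; do
        tproxy_routing "$fam"
        for proto in tcp udp; do
            tproxy_rule "$fam" "$proto" "$mac"
        done
    done
}

# Usage:  sh tproxy-rules.sh 00:11:22:33:44:55          (print only)
#         APPLY=1 sh tproxy-rules.sh 00:11:22:33:44:55  (execute)
# The MAC above is a constructed placeholder, not a real device.
if [ -n "${1:-}" ]; then
    tproxy_ruleset "$1" | while IFS= read -r line; do
        if [ "${APPLY:-0}" = 1 ]; then
            eval "$line"
        else
            echo "$line"
        fi
    done
fi
```

The rules are appended (-A) in the order printed, so the routing entries exist before the first marked packet arrives; re-running with APPLY=1 would duplicate them, so flush the mangle PREROUTING chain and table 100 first if you iterate on the setup.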
