[SOLVED] Iptables redirect on the router to affect connections originating from the router?

I am using a transparent proxy on my router (Linksys WRT1200AC), but it only affects the packets coming from the LAN (WiFi and wired), not a process running on the router itself.

These are the firewall commands:

iptables -t nat -N TorTransPort;
iptables -t nat -A TorTransPort -d 0.0.0.0/8 -j RETURN;
iptables -t nat -A TorTransPort -d 10.0.0.0/8 -j RETURN;
iptables -t nat -A TorTransPort -d 127.0.0.0/8 -j RETURN;
iptables -t nat -A TorTransPort -d 169.254.0.0/16 -j RETURN;
iptables -t nat -A TorTransPort -d 172.16.0.0/12 -j RETURN;
iptables -t nat -A TorTransPort -d 192.168.0.0/16 -j RETURN;
iptables -t nat -A TorTransPort -d 224.0.0.0/4 -j RETURN;
iptables -t nat -A TorTransPort -d 240.0.0.0/4 -j RETURN;
iptables -t nat -A TorTransPort -d 192.168.1.1/32 -j RETURN;
iptables -t nat -A TorTransPort -m set --match-set myfilterset dst -p tcp --dport 80 -j REDIRECT --to-port 9040;
iptables -t nat -A TorTransPort -m set --match-set myfilterset dst -p tcp --dport 443 -j REDIRECT --to-port 9040;
iptables -t nat -A PREROUTING -p tcp -m multiport --dports 80,443 -j TorTransPort;

Is there any way to have that too?
I think PREROUTING only works on incoming connections (not local ones), but I am not an iptables pro, so I don't know how to fix this.

Check table 6.2, step 6:
https://www.frozentux.net/iptables-tutorial/iptables-tutorial.html#TRAVERSINGGENERAL

You could try to DNAT traffic from the loopback interface in the OUTPUT chain.

See local process path:
https://en.wikipedia.org/wiki/Iptables#/media/File:Netfilter-packet-flow.svg


Is DNAT destination NAT?
Doesn't that make my packet lose its destination?

I am a noob with iptables.
It is too complicated for me.
Can you do me a favor and write the line too?

"iptables -t nat -A OUTPUT -m set --match-set myfilterset dst -p tcp --dport 443 -j REDIRECT --to-port 9040;"
This doesn't work.
It gives this error:
iptables -t nat -A OUTPUT -p tcp -m multiport --dports 80,443 -j TorTransPort;
curl -v https://www.youtube.com

So it is affecting it, but I think something is wrong and maybe it just changes the port, not the IP.

I suspect it's using load balancing and your ipset doesn't include all the addresses.

Sorry for the DNAT, I forgot that REDIRECT works in OUTPUT too.

iptables -t nat -A OUTPUT -p tcp -m multiport --dports 80,443 -j TorTransPort

Here you send the HTTP/S packets to the TorTransPort chain.

iptables -t nat -A OUTPUT -m set --match-set myfilterset dst -p tcp --dport 443 -j REDIRECT --to-port 9040

So basically this should already be in the TorTransPort chain from the PREROUTING rules and not in OUTPUT. Right?

But how do you differentiate the traffic that originates from the router from the traffic that originates from the proxy process of the router? The traffic of the proxy will also be subject to redirect on OUTPUT the way I see it. So eventually you'll have an endless loop.

My ipset works for the LAN connections that go through the router.

I didn't issue two OUTPUT chains.
It was one and later changed a bit:
"
iptables -t nat -A OUTPUT -p tcp -m multiport --dports 80,443 -j TorTransPort

iptables -t nat -A OUTPUT -m set --match-set myfilterset dst -p tcp --dport 443 -j REDIRECT --to-port 9040
"
The second one I used to see whether it would work if I didn't use my own TorTransPort chain.
I only use one.

Because the page that was linked to me says that I have to use either POSTROUTING or OUTPUT for NAT,
and REDIRECT doesn't work in POSTROUTING,

I tried the nat table with the OUTPUT chain.

Alright then. But did you consider the loop thing? You need to exclude the traffic that originates from the proxy process.

The proxy process is Tor, which uses ports other than 80 and 443.
And the ipset I use doesn't include the Tor endpoints, but sites like YouTube and so on that are blocked in my country.
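To tie the two points of this exchange together (router-originated packets traverse nat OUTPUT rather than PREROUTING, and Tor's own outbound connections must be excluded so the redirect cannot loop), here is an added example, not from the thread or from OpenWrt, that emits a complete OUTPUT-side chain. It assumes Tor's TransPort is 9040 running as user `tor`, that the ipset `myfilterset` already exists, and that the `owner` match is available (on OpenWrt it is assumed to come from `kmod-ipt-extra`); the function prints the rules so they can be reviewed and then piped to `sh` to apply.

```shell
#!/bin/sh
# Added example: build the nat OUTPUT path for a Tor transparent proxy.
# Assumptions (not from the thread): Tor runs as user "tor" with
# TransPort 9040; ipset "myfilterset" exists; xt_owner is loaded.
TOR_USER="${TOR_USER:-tor}"
TRANS_PORT="${TRANS_PORT:-9040}"
IPSET="${IPSET:-myfilterset}"
# Same local/special ranges the PREROUTING chain in the thread leaves alone.
LOCAL_NETS="0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 \
172.16.0.0/12 192.168.0.0/16 224.0.0.0/4 240.0.0.0/4"

# Print the iptables commands instead of running them, so the ruleset can be
# inspected first:  tor_output_rules            (review)
#                   tor_output_rules | sh -e    (apply)
tor_output_rules() {
    echo "iptables -t nat -N TorTransOut"
    # Loop guard: packets sent by the Tor process itself (its connections to
    # the Tor network, whatever port they use) must never be redirected back
    # into TransPort. The owner match identifies them by the sending uid.
    echo "iptables -t nat -A TorTransOut -m owner --uid-owner $TOR_USER -j RETURN"
    for net in $LOCAL_NETS; do
        echo "iptables -t nat -A TorTransOut -d $net -j RETURN"
    done
    # Only destinations in the ipset are sent to TransPort; conntrack keeps
    # the original destination so Tor can recover it on the redirected socket.
    for port in 80 443; do
        echo "iptables -t nat -A TorTransOut -m set --match-set $IPSET dst" \
             "-p tcp --dport $port -j REDIRECT --to-ports $TRANS_PORT"
    done
    # Locally generated packets never see PREROUTING; hook the chain in OUTPUT.
    echo "iptables -t nat -A OUTPUT -p tcp -m multiport --dports 80,443 -j TorTransOut"
}

# Number of commands emitted: 1 chain + 1 owner guard + 8 nets + 2 redirects + 1 hook.
tor_output_rule_count() {
    tor_output_rules | wc -l | tr -d ' '
}
```

After applying, `iptables -t nat -L TorTransOut -nv` should show the owner RETURN rule gaining packet counts when Tor talks to its relays, while `tcpdump -i lo port 9040` shows only the router's own connections to ipset destinations.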

It works:

# service firewall restart
# iptables -t nat -A OUTPUT -p tcp -m tcp --dport 80 -j REDIRECT --to-port 8080
# tcpdump -i any port 8080 &
# curl -4 example.org
18:00:02.088148 IP aetera.net.42896 > localhost.8080: Flags [S], seq 1834698548, win 29200, options [mss 1460,sackOK,TS val 2565805898 ecr 0,nop,wscale 7], length 0
18:00:02.088147 IP aetera.net.42896 > localhost.8080: Flags [S], seq 1834698548, win 29200, options [mss 1460,sackOK,TS val 2565805898 ecr 0,nop,wscale 7], length 0

Just make sure you don't forget IPv6:

# opkg update
# opkg install kmod-ipt-nat6
# ip6tables -t nat -A OUTPUT -p tcp -m tcp --dport 80 -j REDIRECT --to-port 8080

I am sorry, but have you tested that on an actual site?
I tested with YouTube on ports 80 and 443 and it didn't work.
The tcpdump that you show only shows that the port changed to 8080 and the IP to localhost, but this is not always the desired result.
For example, if I redirect a site by changing its packet destination IP and port to localhost and the port of the Tor proxy, it may not work if I just change the port and IP and don't correctly use DNAT so that Tor knows that I am actually not trying to talk to it but using it to proxy to the actual domain.

What I am saying is that maybe the iptables command that is used destroys the actual destination info (sorry, I don't know how to say this correctly) and Tor sees the packet trying to connect to localhost on port 443 and does not see the actual eventual domain.

DNAT and REDIRECT do more or less the same thing: rewrite the destination IP and port of the packet. In the DNAT case you can rewrite to any IP; with REDIRECT it rewrites to the device itself.
The vital information of the HTTP/S part is inside the data part of the packet, so a proxy can understand which server to query on behalf of the host.

Yes, it does rewrite the destination IP and port.

FYI, that is a domain hosting an actual site.

The head post states the issue as creating a redirect for local traffic.
And the suggested iptables configuration does its job as expected.

Then you try to solve an entirely different issue, that is, a transparent proxy for HTTP+HTTPS.
No wonder it's not working, because SSL validation fails.

I am not 100% sure, but I don't think that is correct.
But I am not informed enough to argue with you.
But I know that if I change the destination IP of a packet and send it to Tor, the HTTPS part doesn't matter and Tor doesn't redirect it to the correct domain.
But enough of that argument.

My issue is still present and the iptables command doesn't redirect YouTube (the test domain I use) through the Tor proxy.
So any idea how to get that working?

How do I quote when I answer so that I give the correct answer to the correct post?

About the SSL fail: I am happily using an HTTPS transparent proxy and it works.
It works for the clients that connect to the router via WiFi or LAN.
My issue is getting it working for connections originating from the OpenWrt router itself too.

What I meant by "actual domain" was: did you test with a transparent proxy and an actual domain, and a connection to that domain from the router itself?

Like running this from OpenWrt itself:
curl https://openwrt.org

Also, about the head post: I used a short description in the title and that was not correct, but I did describe the whole issue in the post.
EDIT: changed the title.

Whatever the case, you should use tcpdump and your client and proxy server logs for troubleshooting.
Otherwise there's no way to diagnose the issue.

Just click to highlight the part you want to quote and hit the quote button.

Then you should not rewrite the destination field, but rather make a routing decision so that the packet is forwarded to the Tor tunnel instead of your ISP.

The main issue here is that you don't explain properly what you have and what you want to achieve.
You keep using the word proxy, while it is a tor tunnel. The proxy can understand where the packet is heading to, even if the destination IP in the header is not the one of the server. Tunnels on the other hand don't.

As suggested by @vgaetera, tcpdump is your friend there.


I am sorry if I was not clear about my issue.
My issue is this.
I use Tor in transparent mode and use the nat table and PREROUTING chain to redirect my connections to some domains (IPs) through Tor (running on OpenWrt on port 9040).
Now, as seen in my iptables commands, the packets that originate from my LAN and are, for example, going to youtube.com get routed through Tor (routed as in: they go through it with the REDIRECT command and Tor understands the destination without me doing anything to my browsers, so transparently).

But I can't make this happen for connections originating from the router to YouTube.
That is all of my issue.

Hope it is clear this time.

youtube.com and www.youtube.com nslookup:
root@OpenWrt:~# nslookup www.youtube.com
Server:		127.0.0.1
Address:	127.0.0.1#53

Name:      www.youtube.com
www.youtube.com	canonical name = youtube-ui.l.google.com
Name:      youtube-ui.l.google.com
Address 1: 172.217.15.78
Address 2: 172.217.8.14
Address 3: 172.217.7.174
Address 4: 172.217.15.110
Address 5: 172.217.164.174
Address 6: 172.217.164.142
Address 7: 172.217.5.238
www.youtube.com	canonical name = youtube-ui.l.google.com
Address 8: 2607:f8b0:4004:815::200e


root@OpenWrt:~# nslookup youtube.com
Server:		127.0.0.1
Address:	127.0.0.1#53

Name:      youtube.com
Address 1: 172.217.164.174
Address 2: 2607:f8b0:4004:815::200e

  • You made rules for all these IPs?
  • Did you also make rules for all the IP that stream the content as well?
  • Make sure you don't accidentally break/redirect Google too