Transparent proxy client not receiving any traffic?

The device complains about "unable to reach server". The proxy program shows nothing received in debug mode.

Configuration:

  1. The routing table and rule: /etc/config/network, restarted network in LuCI after editing

     config route
     	option interface 'lan'
     	option target '0.0.0.0'
     	option netmask '0.0.0.0'
     	option type 'local'
     	option table '100'

     config rule
     	option mark '0x1'
     	option lookup '100'

  2. iptables marking traffic: in LuCI: Network -> Firewall -> Custom rules

     iptables -t mangle -A PREROUTING -p tcp -m addrtype ! --dst-type LOCAL,BROADCAST -m mac --mac-source <mac_address_redacted> -j TPROXY --on-port 60080 --tproxy-mark 0x1
     iptables -t mangle -A PREROUTING -p udp -m addrtype ! --dst-type LOCAL,BROADCAST -m mac --mac-source <mac_address_redacted> -j TPROXY --on-port 60080 --tproxy-mark 0x1

  3. The proxy client is listening on 127.0.0.1:60080
  4. By default: sysctl net.ipv4.conf.all.forwarding=1 and net.ipv4.conf.all.rp_filter = 0

Possible problems:

  1. The route is not exactly identical to ip -4 route add local default dev lo table 100
     LuCI doesn't have Interface: lo available in Static route.
     But here it says it doesn't matter.
  2. Is some kernel config needed?

According to the documentation, the route should be created on the loopback interface:
https://www.kernel.org/doc/Documentation/networking/tproxy.txt


I changed it to option interface 'loopback' and rebooted, but still the same...

The interface names are uci based. Do you have a loopback interface in uci? ifstatus loopback
If not, create one unmanaged and assign it to the lo interface.


Yes, ifstatus loopback shows a bunch of stuff, and loopback is the logical name for lo in /etc/config/network

Does the firewall rule need to be edited? I'm using the default firewall rules.

Nvm, I'm dumb, the part I'm showing here is correct.
I wrote the config file (which needs underscores _) for the proxy program with command-line (hyphen -) syntax, which caused it to listen in traditional redirect mode...
Also tproxy seems to need root privilege.
I'm just glad it's working now...

EDIT: Another thing, add --on-ip 127.0.0.1 to the iptables rules if the proxy is listening on that address. By default, without it, TPROXY goes to the receiving interface's address (192.168.1.1).

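The setup this thread ends up with, collected into one script as an added example (it is not code from the thread or from OpenWrt). It assumes, as the original post does, a proxy bound to 127.0.0.1:60080, fwmark 0x1 and routing table 100; the client MAC is passed as the first argument, and the function and variable names are the example's own. With DRY_RUN=1 it prints every command instead of executing it, so the generated rules can be checked for the two details that bit the original poster (the local route on lo, and --on-ip matching the proxy's bind address) before anything is applied.

```shell
#!/bin/sh
# Added example, not from the thread: TPROXY routing + marking for a
# transparent proxy on an OpenWrt-style router.
# Assumptions (labelled): proxy listens on 127.0.0.1:60080 with
# IP_TRANSPARENT (that socket option needs CAP_NET_ADMIN, i.e. root, which
# is the "tproxy seems to need root" observation above), mark 0x1,
# table 100, client selected by source MAC given as $1.
# On OpenWrt the TPROXY target is provided by the iptables-mod-tproxy package.
# DRY_RUN=1 prints each command instead of running it.
set -eu

TPROXY_IP=127.0.0.1   # must equal the proxy's bind address (--on-ip)
TPROXY_PORT=60080
FWMARK=0x1
TABLE=100

# run: print the command (DRY_RUN=1) or execute it.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# routing_setup: marked packets are looked up in $TABLE, whose only route is a
# *local* default route on lo. Only a local route on lo delivers the packets to
# the TPROXY socket; a route on a LAN interface in table 100 does not.
routing_setup() {
    # Avoid stacking duplicate rules when re-run on a live system.
    if [ "${DRY_RUN:-0}" = 1 ] || \
       ! ip -4 rule show 2>/dev/null | grep -q "fwmark $FWMARK lookup $TABLE"; then
        run ip -4 rule add fwmark "$FWMARK" lookup "$TABLE"
    fi
    run ip -4 route replace local default dev lo table "$TABLE"
}

# tproxy_rule PROTO MAC: redirect PROTO traffic from MAC to the proxy socket,
# except traffic for the router itself or for broadcast addresses.
# --on-ip is the detail the thread found missing: without it TPROXY targets the
# address of the receiving interface, and a listener bound to 127.0.0.1 only
# never sees the packets.
tproxy_rule() {
    run iptables -t mangle -A PREROUTING -p "$1" \
        -m addrtype ! --dst-type LOCAL,BROADCAST \
        -m mac --mac-source "$2" \
        -j TPROXY --on-ip "$TPROXY_IP" --on-port "$TPROXY_PORT" --tproxy-mark "$FWMARK"
}

# verify: what to look at when the proxy "receives nothing".
verify() {
    run sysctl net.ipv4.conf.all.forwarding net.ipv4.conf.all.rp_filter
    run ip -4 route show table "$TABLE"        # expect: local default dev lo scope host
    run ip -4 rule show                        # expect: from all fwmark 0x1 lookup 100
    run iptables -t mangle -L PREROUTING -n -v # TPROXY counters should increase
}

# setup MAC: apply routing, both protocol rules, then show the verification.
setup() {
    routing_setup
    tproxy_rule tcp "$1"
    tproxy_rule udp "$1"
    verify
}

if [ $# -gt 0 ]; then
    setup "$1"
fi
```

Run `DRY_RUN=1 sh tproxy.sh <client-mac>` first and read the output; then run it as root without DRY_RUN. Nothing here survives a reboot: on OpenWrt the route and rule belong in /etc/config/network and the iptables lines in the firewall custom rules, exactly as the original post places them, with `--on-ip 127.0.0.1` added.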
