Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: support iptables tproxy #80

Merged
merged 8 commits into from
Jun 4, 2023
Merged

feat: support iptables tproxy #80

merged 8 commits into from
Jun 4, 2023

Conversation

mzz2017
Copy link
Contributor

@mzz2017 mzz2017 commented May 13, 2023
edited

Motivation

Support to use iptables to redirect traffic to dae, which allows user to use another method to redirect traffic to dae.

Modification

  1. Give an option to allow user to disable tproxy port protection. Tproxy port protection strictly checks all packets to tproxy port of dae.
  2. Allow to set so_mark from dae to avoid traffic loop.

Example

To redirect all traffic to dae:

global {
    tproxy_port: 12345
    tproxy_port_protect: false
    so_mark_from_dae: 0x80
    #...
}
ip rule add fwmark 0x40/0xc0 table 100
ip route add local 0.0.0.0/0 dev lo table 100

iptables -t mangle -N TP_PRE
iptables -t mangle -A PREROUTING -j TP_PRE
iptables -t mangle -N TP_OUT
iptables -t mangle -A OUTPUT -j TP_OUT
iptables -t mangle -N TP_MARK
iptables -t mangle -A TP_MARK -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j MARK --set-xmark 0x40/0x40
iptables -t mangle -A TP_MARK -p udp -m conntrack --ctstate NEW -j MARK --set-xmark 0x40/0x40
iptables -t mangle -A TP_MARK -j CONNMARK --save-mark --nfmask 0xffffffff --ctmask 0xffffffff
iptables -t mangle -A TP_OUT -m mark --mark 0x80/0x80 -j RETURN
iptables -t mangle -N TP_RULE
iptables -t mangle -A TP_OUT -p tcp -m addrtype --src-type LOCAL ! --dst-type LOCAL -j TP_RULE
iptables -t mangle -A TP_OUT -p udp -m addrtype --src-type LOCAL ! --dst-type LOCAL -j TP_RULE
iptables -t mangle -A TP_PRE -i lo -m mark ! --mark 0x40/0xc0 -j RETURN
iptables -t mangle -A TP_PRE -p tcp -m addrtype ! --src-type LOCAL ! --dst-type LOCAL -j TP_RULE
iptables -t mangle -A TP_PRE -p udp -m addrtype ! --src-type LOCAL ! --dst-type LOCAL -j TP_RULE
iptables -t mangle -A TP_PRE -p tcp -m mark --mark 0x40/0xc0 -j TPROXY --on-port 12345 --on-ip 127.0.0.1
iptables -t mangle -A TP_PRE -p udp -m mark --mark 0x40/0xc0 -j TPROXY --on-port 12345 --on-ip 127.0.0.1
iptables -t mangle -A TP_RULE -j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff
iptables -t mangle -A TP_RULE -m mark --mark 0x40/0xc0 -j RETURN
iptables -t mangle -A TP_RULE -i docker+ -j RETURN
iptables -t mangle -A TP_RULE -p udp -m udp --dport 53 -j TP_MARK
iptables -t mangle -A TP_RULE -p tcp -m tcp --dport 53 -j TP_MARK
iptables -t mangle -A TP_RULE -m mark --mark 0x40/0xc0 -j RETURN
iptables -t mangle -A TP_RULE -d 192.168.31.0/24 -j RETURN
iptables -t mangle -A TP_RULE -d 172.20.0.0/16 -j RETURN
iptables -t mangle -A TP_RULE -d 172.17.0.0/16 -j RETURN
iptables -t mangle -A TP_RULE -d 172.19.0.0/16 -j RETURN
iptables -t mangle -A TP_RULE -d 127.0.0.0/8 -j RETURN
iptables -t mangle -A TP_RULE -d 0.0.0.0/32 -j RETURN
iptables -t mangle -A TP_RULE -d 10.0.0.0/8 -j RETURN
iptables -t mangle -A TP_RULE -d 100.64.0.0/10 -j RETURN
iptables -t mangle -A TP_RULE -d 169.254.0.0/16 -j RETURN
iptables -t mangle -A TP_RULE -d 172.16.0.0/12 -j RETURN
iptables -t mangle -A TP_RULE -d 192.0.0.0/24 -j RETURN
iptables -t mangle -A TP_RULE -d 192.0.2.0/24 -j RETURN
iptables -t mangle -A TP_RULE -d 192.88.99.0/24 -j RETURN
iptables -t mangle -A TP_RULE -d 192.168.0.0/16 -j RETURN
iptables -t mangle -A TP_RULE -d 198.51.100.0/24 -j RETURN
iptables -t mangle -A TP_RULE -d 203.0.113.0/24 -j RETURN
iptables -t mangle -A TP_RULE -d 224.0.0.0/4 -j RETURN
iptables -t mangle -A TP_RULE -d 240.0.0.0/4 -j RETURN
iptables -t mangle -A TP_RULE -j TP_MARK

TODO

  • More considerations about udp domain resolving.

@mzz2017 mzz2017 force-pushed the feat_support_iptables_tproxy branch from e9499d5 to af981ac Compare May 13, 2023 07:05
This was referenced May 30, 2023
Merged
Closed
@mzz2017 mzz2017 marked this pull request as ready for review June 4, 2023 02:45
miooochi
miooochi reviewed Jun 4, 2023
View reviewed changes
example.dae Show resolved Hide resolved
@mzz2017 mzz2017 merged commit ee09ae1 into main Jun 4, 2023
13 checks passed
@mzz2017 mzz2017 deleted the feat_support_iptables_tproxy branch June 4, 2023 03:38
@mzz2017 mzz2017 mentioned this pull request Jun 4, 2023
Merged
@mzz2017 mzz2017 mentioned this pull request Jun 17, 2023
Merged
3 tasks
mzz2017 added a commit that referenced this pull request Jun 25, 2023
@mzz2017
fix: bad connectivity check of dns(udp) caused by #80
afb1f62
@mzz2017 mzz2017 mentioned this pull request Jun 25, 2023
Merged
3 tasks
mzz2017 added a commit that referenced this pull request Jun 25, 2023
@mzz2017
fix: bad connectivity check of dns(udp) caused by #80 (#155)
5508c37
MarksonHon pushed a commit to MarksonHon/dae that referenced this pull request Jun 26, 2023
@mzz2017
fix: bad connectivity check of dns(udp) caused by daeuniverse#80 (dae…
a87bbcb 
…universe#155)
@miooochi miooochi mentioned this pull request Jun 27, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@kunish kunish kunish approved these changes

@miooochi miooochi miooochi approved these changes

Assignees

@mzz2017 mzz2017

Labels
feature
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@mzz2017 @kunish @miooochi