nft-transproxy

TCP/UDP transparent proxy with predefined bypass address set, using nftables `tproxy` target.

Primary language: Shell. License: WTFPL (Do What The F*ck You Want To Public License).


convention

  • TPROXY target: 127.0.0.1:1080 and [::1]:1080

  • fwmark used to reroute packets to the local table: 0x233

  • ip rule and route:

    # ip rule add fwmark 0x233 lookup 100
    # ip route add local 0.0.0.0/0 dev lo table 100
    # ip -6 rule add fwmark 0x233 lookup 100
    # ip -6 route add local ::/0 dev lo table 100

    See also the ExecStartPost and ExecStopPost lines in the systemd service file, which add and remove these rules.
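The following POSIX sh script is an added example, not one of the project's own nft files or scripts. It emits an nftables ruleset that realises the convention above: a route-type output chain that returns early for destinations in a bypass set and otherwise sets fwmark 0x233, and a prerouting chain that hands marked TCP/UDP packets to the `tproxy` target on 127.0.0.1:1080 and [::1]:1080. The table, chain and set names, the `fib daddr type local return` guard and the bypass addresses (203.0.113.10 and 2001:db8::10 are placeholders for the proxy server) are assumptions made for this example.

```shell
#!/bin/sh
# Added example: generate (and optionally apply) an nftables ruleset that
# realises the tproxy / fwmark 0x233 convention. Not the project's own code;
# table, chain and set names and the bypass addresses are assumptions.
set -u

TPROXY_PORT=1080   # tproxy target port from the convention
FWMARK=0x233       # mark that "ip rule add fwmark 0x233 lookup 100" routes to lo

# Constructed bypass lists: loopback, private ranges, and placeholders
# (203.0.113.10 / 2001:db8::10) standing in for the proxy server itself.
# The proxy's own upstream address MUST be here, or its traffic loops back.
BYPASS4="127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 203.0.113.10"
BYPASS6="::1 fe80::/10 2001:db8::10"

# Join arguments with ", " for an nft element list: "a b c" -> "a, b, c".
join_elements() {
    out=""
    for a in "$@"; do
        out="${out:+$out, }$a"
    done
    printf '%s' "$out"
}

# Emit one interval set: $1 = name, $2 = nft type, $3 = space-separated elements.
make_set() {
    printf '    set %s {\n        type %s\n        flags interval\n        elements = { %s }\n    }\n' \
        "$1" "$2" "$(join_elements $3)"
}

# Whole ruleset. tproxy in the inet family needs a meta l4proto match, and
# only marked packets are diverted, so unmarked local traffic is untouched.
make_ruleset() {
    cat <<EOF
table inet transproxy {
$(make_set bypass4 ipv4_addr "$BYPASS4")
$(make_set bypass6 ipv6_addr "$BYPASS6")
    chain output {
        # route-type chain: setting the mark here re-runs the routing
        # decision, so the fwmark ip rule can send the packet to lo
        type route hook output priority mangle; policy accept;
        fib daddr type local return
        ip daddr @bypass4 return
        ip6 daddr @bypass6 return
        meta l4proto { tcp, udp } meta mark set $FWMARK
    }
    chain prerouting {
        type filter hook prerouting priority mangle; policy accept;
        meta l4proto { tcp, udp } meta mark $FWMARK tproxy ip to 127.0.0.1:$TPROXY_PORT accept
        meta l4proto { tcp, udp } meta mark $FWMARK tproxy ip6 to [::1]:$TPROXY_PORT accept
    }
}
EOF
}

# The four ip commands from the convention, emitted so they can be reviewed
# together with the ruleset before anything is loaded.
make_ip_rules() {
    cat <<EOF
ip rule add fwmark $FWMARK lookup 100
ip route add local 0.0.0.0/0 dev lo table 100
ip -6 rule add fwmark $FWMARK lookup 100
ip -6 route add local ::/0 dev lo table 100
EOF
}

# print (default): show what would be loaded.  apply: load it (needs root).
main() {
    case "${1:-print}" in
        print) make_ruleset; echo; make_ip_rules ;;
        apply) make_ruleset | nft -f - && make_ip_rules | sh -e ;;
        *) echo "usage: $0 [print|apply]" >&2; return 2 ;;
    esac
}

main "$@"
```

Run it without arguments to review the generated policy; `apply` loads the ruleset with `nft -f -` and then runs the ip commands. Like the project in its current state (see the todo below), this only covers traffic originated on the host itself: the output chain marks it, the ip rule reroutes it to lo, and the prerouting chain diverts it to the proxy port. Packets forwarded from other hosts would need the mark set in prerouting instead.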

installation

# git clone https://github.com/rocka/nft-transproxy.git /usr/local/lib/nft-transproxy
# ln -sf /usr/local/lib/nft-transproxy/systemd/tproxy-nft-ip-rule.service /etc/systemd/system/
# vim /usr/local/lib/nft-transproxy/scripts/make-direct-ipv{4,6}.sh # important! specify bypass IP (typically your proxy server)
# /usr/local/lib/nft-transproxy/scripts/make-direct-ipv{4,6}.sh # generate nft/direct-ipv{4,6}.nft
# systemctl enable --now tproxy-nft-ip-rule.service

todo

  • proxy packets arriving from other hosts, i.e. act as a gateway

references

iptables

nftables