Hi,
I’m trying to set up a transparent proxy with iptables TPROXY to intercept traffic from a client and redirect it to a proxy program. The configuration works when the client is connected to a standalone interface, but doesn’t work when it is connected to an interface that is part of a bridge.
I tried the same TPROXY configuration on a bridge in vanilla Debian 12 and it works fine.
Is there some customization on VyOS 1.4.0 that prevents TPROXY from working on a bridge? Thanks!
The client is connected to eth1 with IP 192.168.3.2 and gateway 192.168.3.1.
TPROXY configuration that redirects traffic to port 12345 on localhost:
# Policy routing: packets carrying fwmark 1 are looked up in table 100,
# which declares every destination as local so they are delivered to
# the transparent socket on lo instead of being forwarded.
ip rule add fwmark 1 table 100
ip route add local 0.0.0.0/0 dev lo table 100
# Exemptions (first match wins): loopback, multicast, limited broadcast
# and the local RFC 1918 range leave the chain before the TPROXY rule.
iptables -t mangle -A PREROUTING -s 192.168.3.0/24 -d 127.0.0.1/32 -j RETURN
iptables -t mangle -A PREROUTING -s 192.168.3.0/24 -d 224.0.0.0/4 -j RETURN
iptables -t mangle -A PREROUTING -s 192.168.3.0/24 -d 255.255.255.255/32 -j RETURN
iptables -t mangle -A PREROUTING -s 192.168.3.0/24 -d 192.168.0.0/16 -j RETURN
# Everything else that is TCP from the client subnet is handed to the
# transparent listener on 127.0.0.1:12345 and marked so the rule above applies.
iptables -t mangle -A PREROUTING -s 192.168.3.0/24 -p tcp -j TPROXY --on-ip 127.0.0.1 --on-port 12345 --tproxy-mark 1
VyOS config with which TPROXY works (proxy software receives redirected traffic):
interfaces {
    ethernet eth0 {
        address dhcp
        hw-id xx:xx:xx:xx:xx:xx
    }
    ethernet eth1 {
        address 192.168.3.1/24
        hw-id xx:xx:xx:xx:xx:xx
    }
    ethernet eth2 {
        hw-id xx:xx:xx:xx:xx:xx
    }
    ethernet eth3 {
        hw-id xx:xx:xx:xx:xx:xx
    }
    ethernet eth4 {
        hw-id xx:xx:xx:xx:xx:xx
    }
    loopback lo {
    }
}
VyOS config with which TPROXY doesn’t work (proxy software does not receive redirected traffic):
interfaces {
    bridge br0 {
        address 192.168.3.1/24
        member {
            interface eth1 {
            }
            interface eth2 {
            }
            interface eth3 {
            }
            interface eth4 {
            }
        }
    }
    ethernet eth0 {
        address dhcp
        hw-id xx:xx:xx:xx:xx:xx
    }
    ethernet eth1 {
        hw-id xx:xx:xx:xx:xx:xx
    }
    ethernet eth2 {
        hw-id xx:xx:xx:xx:xx:xx
    }
    ethernet eth3 {
        hw-id xx:xx:xx:xx:xx:xx
    }
    ethernet eth4 {
        hw-id xx:xx:xx:xx:xx:xx
    }
    loopback lo {
    }
}
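As an added example (not the poster's proxy software and not VyOS code), the following Python script shows the receiving side that the TPROXY rules above hand traffic to, together with a small model of the mangle chain so the exemption logic can be checked offline. It assumes Linux, root (IP_TRANSPARENT needs CAP_NET_ADMIN), and that the `ip rule` / `ip route` / `iptables` commands from the post are already in place; the constants mirror the post's 192.168.3.0/24 client subnet and 127.0.0.1:12345 listener, and `relay` is a plain onward connect rather than a source-spoofing upstream socket.

```python
#!/usr/bin/env python3
"""TPROXY-aware TCP listener plus a model of the post's mangle PREROUTING chain.

Illustrative example only. Assumes Linux and root; the routing rule, local
route and iptables rules from the post must already be installed.
"""
import ipaddress
import select
import socket

# Value of IP_TRANSPARENT from <linux/in.h>; Python exposes it on Linux.
IP_TRANSPARENT = getattr(socket, "IP_TRANSPARENT", 19)

CLIENT_SUBNET = ipaddress.ip_network("192.168.3.0/24")
# Destinations the RETURN rules in the post exempt from interception.
BYPASS_DESTINATIONS = [
    ipaddress.ip_network(n)
    for n in ("127.0.0.1/32", "224.0.0.0/4", "255.255.255.255/32", "192.168.0.0/16")
]
PROXY_IP, PROXY_PORT = "127.0.0.1", 12345  # --on-ip / --on-port from the post


def is_redirected(src, dst, proto="tcp"):
    """Return True if the PREROUTING chain from the post would hand this flow
    to the TPROXY target, using the same first-match semantics as iptables."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s not in CLIENT_SUBNET:
        return False            # no rule matches at all: packet is routed normally
    if any(d in net for net in BYPASS_DESTINATIONS):
        return False            # explicit RETURN before the TPROXY rule
    return proto == "tcp"       # the TPROXY rule is '-p tcp' only; UDP falls through


def open_transparent_listener(ip=PROXY_IP, port=PROXY_PORT):
    """Listener the TPROXY target delivers to. IP_TRANSPARENT is what allows the
    socket to accept connections whose destination address is not local; the
    TPROXY target only delivers to a socket flagged this way."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.setsockopt(socket.IPPROTO_IP, IP_TRANSPARENT, 1)
    sock.bind((ip, port))
    sock.listen(64)
    return sock


def original_destination(conn):
    """With TPROXY (unlike REDIRECT/DNAT) the accepted socket's local address is
    the client's original destination, so no SO_ORIGINAL_DST lookup is needed."""
    return conn.getsockname()


def relay(a, b):
    """Shovel bytes in both directions until either side closes."""
    peers = {a: b, b: a}
    while True:
        readable, _, _ = select.select(list(peers), [], [])
        for s in readable:
            data = s.recv(65536)
            if not data:
                return
            peers[s].sendall(data)


def serve_once(listener):
    """Accept one intercepted connection, connect onward to its original
    destination and relay. Hypothetical minimal proxy for illustration."""
    conn, peer = listener.accept()
    orig_ip, orig_port = original_destination(conn)
    print(f"intercepted {peer[0]}:{peer[1]} -> {orig_ip}:{orig_port}")
    upstream = socket.create_connection((orig_ip, orig_port), timeout=10)
    try:
        relay(conn, upstream)
    finally:
        upstream.close()
        conn.close()


if __name__ == "__main__":
    with open_transparent_listener() as listener:
        while True:
            serve_once(listener)
```

If the listener logs nothing while the client's TCP connections fail, check `iptables -t mangle -L PREROUTING -v -n` counters first: a rising counter on the TPROXY rule with no accepted connections points at the routing side (the fwmark rule and the local route in table 100), while a static counter means the packets never reach the mangle chain on the bridged path.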