
I'm running Debian 8 with iptables.

I have the following rule:

iptables -t mangle -A PREROUTING -p tcp --dport 5000 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 4000

I simply want to redirect all traffic going with destination port 5000 to port 4000.

The standard iptables REDIRECT is not usable in my case, as it alters the packet and changes the original destination port.

Looking at iptables -t mangle -nvL I can see the rule being hit:

Chain PREROUTING (policy ACCEPT 5056 packets, 13M bytes)
 pkts bytes target     prot opt in     out     source               destination
   12   720 TPROXY     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:5000 TPROXY redirect 0.0.0.0:4000 mark 0x1/0x1

But my service running on port 4000 doesn't intercept the packets.

I have a simple NodeJS application listening for all TCP on port 4000, which doesn't get any packets:

const server = require('net').createServer((socket) => console.log('connection from', socket.remoteAddress)); // createServer line added so the snippet runs as posted
server.listen(4000, () => { console.log('listening on 4000'); });

Also, running wireshark on TCP port 4000 on all interfaces doesn't show anything.

Alfred Balle
  • I am stumbling across the same problem. Although my setup is exactly the same, I understand the solutions to this problem can be numerous. Nonetheless, your solution might help me. How did you resolve this problem? – ficabj5 Mar 17 '21 at 16:31

1 Answer


You also need to set up the routing rule:

# 1 is the --tproxy-mark value (0x1) from the iptables command
ip rule add fwmark 1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100
yosg
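The routing rules in the answer (ip rule fwmark 1 lookup 100 and the local route in table 100) are what make the kernel deliver marked packets to a local socket, but there is a second requirement on the socket itself: the TPROXY target only hands a packet to a listening socket that has the IP_TRANSPARENT option set, and drops it otherwise. A plain Node net.Server cannot set that option, since the net module exposes no way to do so. The following is an added example, not code from the question or the answer, of a minimal C listener for the setup above. It assumes the same --on-port value (4000) and that it is run as root, because IP_TRANSPARENT needs CAP_NET_ADMIN. Because TPROXY leaves the packet untouched, the accepted socket's local address is the client's original destination (port 5000), which the listener recovers with getsockname(); that is also why a capture filtered on port 4000 shows nothing.

```c
/* Added example: minimal transparent TCP listener for an iptables TPROXY rule.
 * Build: cc -O2 -o tproxy_listen tproxy_listen.c
 * Run as root after the iptables TPROXY rule and the ip rule/route are in place:
 *   ./tproxy_listen 4000     (argument = the --on-port value; assumed 4000 here) */
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#ifndef IP_TRANSPARENT
#define IP_TRANSPARENT 19 /* value from <linux/in.h>, same on all Linux ABIs */
#endif

/* Format a sockaddr_in as "a.b.c.d:port" into buf; returns buf. */
const char *fmt_endpoint(const struct sockaddr_in *sa, char *buf, size_t n)
{
    char ip[INET_ADDRSTRLEN];
    inet_ntop(AF_INET, &sa->sin_addr, ip, sizeof ip);
    snprintf(buf, n, "%s:%u", ip, (unsigned)ntohs(sa->sin_port));
    return buf;
}

/* Open a TCP listener on 0.0.0.0:port with IP_TRANSPARENT set.
 * *transparent becomes 1 if the option was accepted, 0 if the kernel refused it
 * (EPERM without CAP_NET_ADMIN); without it the TPROXY target drops the packets.
 * Returns the listening fd, or -1 with errno set. */
int tproxy_listen(uint16_t port, int *transparent)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    int one = 1;
    setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);
    /* The option the plain net.Server in the question cannot set. */
    *transparent = setsockopt(fd, IPPROTO_IP, IP_TRANSPARENT, &one, sizeof one) == 0;

    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons(port);
    sa.sin_addr.s_addr = htonl(INADDR_ANY);
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(fd, 128) < 0) {
        int saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    return fd;
}

/* Port a listener is bound to (nonzero even when port 0 was requested). */
int bound_port(int fd)
{
    struct sockaddr_in sa;
    socklen_t len = sizeof sa;
    if (getsockname(fd, (struct sockaddr *)&sa, &len) < 0)
        return -1;
    return ntohs(sa.sin_port);
}

/* Original destination of an accepted transparent connection. TPROXY does not
 * rewrite the packet, so the accepted socket's local address is whatever the
 * client dialled (for the rule above, some address with port 5000), not the
 * listener's own 0.0.0.0:4000. Returns 0 on success, -1 with errno set. */
int original_dst(int conn, struct sockaddr_in *out)
{
    socklen_t len = sizeof *out;
    return getsockname(conn, (struct sockaddr *)out, &len);
}

int main(int argc, char **argv)
{
    uint16_t port = argc > 1 ? (uint16_t)atoi(argv[1]) : 4000; /* --on-port value */
    int transparent;
    int lfd = tproxy_listen(port, &transparent);
    if (lfd < 0) {
        perror("tproxy_listen");
        return 1;
    }
    if (!transparent)
        fprintf(stderr, "warning: IP_TRANSPARENT refused (not root?); TPROXY will drop\n");
    fprintf(stderr, "listening on %d\n", bound_port(lfd));

    for (;;) {
        struct sockaddr_in peer, dst;
        socklen_t plen = sizeof peer;
        int conn = accept(lfd, (struct sockaddr *)&peer, &plen);
        if (conn < 0)
            continue;
        char a[32], b[32];
        if (original_dst(conn, &dst) == 0)
            fprintf(stderr, "%s -> %s (original destination)\n",
                    fmt_endpoint(&peer, a, sizeof a), fmt_endpoint(&dst, b, sizeof b));
        const char reply[] = "intercepted by tproxy listener\n";
        if (write(conn, reply, sizeof reply - 1) < 0)
            perror("write");
        close(conn);
    }
}
```

With the mangle rule, the ip rule and the local route from this page in place, a client connecting to any address on port 5000 that is routed through this host is accepted by the listener on port 4000, and the log line shows the untouched original destination. If the warning about IP_TRANSPARENT appears, the packets will still show up as hits on the TPROXY rule counter but never reach the socket, which is the symptom described in the question.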