
I have an IP range and I want to listen on all IP addresses in it; assume it is 10.0.0.0/8.
Using TPROXY and a packet mark I can respond to TCP traffic. This range should be in the local table, but I don't want outbound traffic responded to locally, so I created another table (say table 10) and added a local route in that table.

ip route add local 10.0.0.0/8 dev lo table 10
ip rule add fwmark 1 lookup 10
iptables -t mangle -A PREROUTING -p tcp --dport 80 -d 10.0.0.0/8 -j TPROXY --on-port 80 --on-ip 127.0.0.1 --tproxy-mark 0x1/0x1

Now I need to respond to ICMP messages for this range, so I added this iptables rule:

iptables -t mangle -A PREROUTING -p icmp -d 10.0.0.0/8 -j MARK --set-mark 0x1

But after adding this rule, the machine gets ICMP packets but responds with nothing, acting as a black hole.

What am I doing wrong?

Update:
I tried sending outbound traffic to this table, but I got "connect: Network is unreachable" when I ping it, and I believe these are related.
Try these commands to reproduce it:

ip route add local 10.0.0.0/8 dev lo table 10
ip rule add to 10.0.0.0/8 lookup 10
ping 10.0.0.1
Naeem

1 Answer


TPROXY is intended for intercepting routed traffic (and with tinkering even doing it on a bridge). It can handle TCP or UDP, but not ICMP.

OP hints that the system is a final node receiving traffic rather than a router. Then all these complex settings that don't even achieve the goal are not needed.

Remove all previous alterations (iptables, ip rule, ip route ...) and do only this:

ip route add local 10.0.0.0/8 dev lo table local

End.

If one would prefer the use of a separate table to avoid alterations to the local table, this can be done instead:

ip route add local 10.0.0.0/8 dev lo table 10
ip rule add preference 10 lookup 10

Or even just this (adding it in the main table instead):

ip route add local 10.0.0.0/8 dev lo

Just be careful about other routing rules added later for other features (especially if not using the keyword preference) so this route stays evaluated among the first.

Wherever the route is added, if the lo interface is brought down then up (which seldom happens for lo), this route will disappear and will have to be added back.

In the end:

  • no TPROXY needed
  • no mark needed
  • no NAT needed
  • not having to ponder how Strict Reverse Path Forwarding and rp_filter behave in presence of a mark
  • no need for an application to use any IP_TRANSPARENT socket option to use this range of addresses as source: the route matters, not the fact that an address was added anywhere (it wasn't).
A.B
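A way to verify the last point of the answer without root, as an added example that is not part of the original question or answer: a local route makes the kernel accept every address of the range as its own, so a plain socket can bind to any of them without IP_TRANSPARENT, and bind() fails with EADDRNOTAVAIL for an address no local route covers. The probe uses 127.0.0.0/8 as the reference range because the default local table already carries "local 127.0.0.0/8 dev lo", so 127.45.67.89 behaves exactly as an address under 10.0.0.0/8 would once the route from the answer is added; the function names and the TEST-NET range 192.0.2.0/24 are my choices.

```python
"""Probe which addresses the kernel treats as local (Linux).

Added example: binding is allowed only when a local route covers the
address (RTN_LOCAL), regardless of whether the address was ever added
to an interface. No root needed for the plain-bind case.
"""
import errno
import ipaddress
import socket


def is_local_address(ip: str, transparent: bool = False) -> bool:
    """True if a TCP socket can bind to `ip` on any free port.

    EADDRNOTAVAIL means no local route covers `ip`. With transparent=True
    the IP_TRANSPARENT option is set first, as a TPROXY application would
    do; that path needs CAP_NET_ADMIN and is not exercised by default.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        if transparent:
            # IP_TRANSPARENT is Linux-only; 19 is the kernel's constant value.
            opt = getattr(socket, "IP_TRANSPARENT", 19)
            s.setsockopt(socket.IPPROTO_IP, opt, 1)
        try:
            s.bind((ip, 0))
        except OSError as e:
            if e.errno == errno.EADDRNOTAVAIL:
                return False
            raise
        return True


def probe_range(cidr: str) -> dict:
    """Try three addresses spread over `cidr`; map address -> is local?"""
    net = ipaddress.ip_network(cidr, strict=False)
    samples = [
        net.network_address + 1,                        # first host
        net.network_address + net.num_addresses // 2,   # middle of the range
        net.broadcast_address - 1,                      # last host
    ]
    return {str(a): is_local_address(str(a)) for a in samples}


if __name__ == "__main__":
    # All True on a stock Linux box: "local 127.0.0.0/8 dev lo" is in table local.
    print(probe_range("127.0.0.0/8"))
    # All False unless a local route for this range was added (constructed range).
    print(probe_range("192.0.2.0/24"))
```

Run it before and after "ip route add local 10.0.0.0/8 dev lo" with probe_range("10.0.0.0/8") to see the whole range flip from unbindable to local.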