
I need my device with 10.10.10.214 IPv4 address to bypass the transparent proxy my router enforces.

My current mangle table on the router:

# iptables -t mangle -S
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-N DIVERT
-N PROXY
-A PREROUTING -p tcp -m socket -j DIVERT
-A PREROUTING -j PROXY
-A DIVERT -j MARK --set-xmark 0x1/0xffffffff
-A DIVERT -j ACCEPT
-A PROXY -s 10.10.10.214/32 -j RETURN
-A PROXY -d 0.0.0.0/8 -j RETURN
-A PROXY -d 10.0.0.0/8 -j RETURN
-A PROXY -d 127.0.0.0/8 -j RETURN
-A PROXY -d 169.254.0.0/16 -j RETURN
-A PROXY -d 172.16.0.0/12 -j RETURN
-A PROXY -d 192.168.0.0/16 -j RETURN
-A PROXY -d 224.0.0.0/4 -j RETURN
-A PROXY -d 240.0.0.0/4 -j RETURN
-A PROXY -p tcp -j TPROXY --on-port 12345 --on-ip 127.0.0.1 --tproxy-mark 0x1/0xffffffff

MASQUERADE is enabled on the WAN interface

I inserted -A PROXY -s 10.10.10.214/32 -j RETURN to bypass the proxy for 10.10.10.214. Wireshark packet capture on LAN & WAN shows that source IP is translated to WAN IP, however it won't translate and send the response back to the device.

[Packet capture screenshot]

What am I missing?

1 Answer


I've been brainstorming over this issue and I've figured out what's going wrong.

A packet first goes through the mangle table, then through the nat table, where the nat rules (MASQUERADE in my case) are applied to it.

We can easily differentiate traffic coming from 10.10.10.214 and make it bypass the transparent proxy:

iptables -t mangle -I PREROUTING -s 10.10.10.214/32 -j RETURN

However, when traffic comes back from the internet with the destination of our router's IPv4 address, there's no way to differentiate whether it is intended for our device or not. This differentiation is made on the nat table (with the MASQUERADE rule in my case) but before the packets are processed on the nat table, they will match the TPROXY rule on the mangle table, which causes this problem.

So, instead of differentiating traffic for 10.10.10.214, just let all the traffic on the WAN interface bypass the TPROXY rule (except the proxy traffic which is marked, therefore excluded):

iptables -t mangle -I PREROUTING -i pppoe-wan -j RETURN

With these two commands, one can successfully exclude a device from the transparent proxy.
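To make the answer's reasoning concrete, here is an added simulation of the mangle PREROUTING traversal (not code from the question or answer, and not real iptables). It reduces netfilter to first-match evaluation of the rules shown above and reports whether a packet ends up at the TPROXY rule or falls through to the nat table. The interface name br-lan, the router's WAN address 203.0.113.7, the remote server 198.51.100.10, and the other LAN client 10.10.10.50 are constructed values; pppoe-wan and 10.10.10.214 come from the page.

```python
"""Simulate the mangle PREROUTING chain from the question: which packets reach TPROXY?

Constructed example. Netfilter semantics are reduced to first-match with the
RETURN, ACCEPT, MARK and TPROXY targets used on the page.
"""
import ipaddress
from dataclasses import dataclass

WAN_IFACE = "pppoe-wan"                           # interface named in the answer
LAN_IFACE = "br-lan"                              # assumed LAN bridge name
BYPASS_CLIENT = ipaddress.ip_address("10.10.10.214")

# The '-d <net> -j RETURN' rules of the PROXY chain
LOCAL_DESTS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]


@dataclass
class Packet:
    src: str
    dst: str
    in_iface: str
    proto: str = "tcp"
    socket_owned: bool = False   # what '-m socket' tests: a local socket already owns this flow
    mark: int = 0


def proxy_chain(pkt: Packet) -> str:
    """The user-defined PROXY chain exactly as listed in the question."""
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)
    if src == BYPASS_CLIENT:                       # -A PROXY -s 10.10.10.214/32 -j RETURN
        return "RETURN"
    if any(dst in net for net in LOCAL_DESTS):     # -A PROXY -d ... -j RETURN
        return "RETURN"
    if pkt.proto == "tcp":                         # -A PROXY -p tcp -j TPROXY ... --tproxy-mark 0x1
        pkt.mark = 0x1
        return "TPROXY"
    return "RETURN"                                # end of user chain: back to PREROUTING


def prerouting(pkt: Packet, client_return: bool = True, wan_return: bool = True) -> str:
    """Disposition of a packet in mangle PREROUTING.

    'TPROXY' : redirected to the proxy socket on port 12345
    'DIVERT' : marked 0x1 and accepted (flow already owned by a local socket)
    'PASS'   : chain policy ACCEPT reached, packet continues to the nat table

    Rules added with -I land at the top, so the later insert (-i pppoe-wan) is
    evaluated before the earlier one (-s 10.10.10.214/32).
    """
    if wan_return and pkt.in_iface == WAN_IFACE:   # -I PREROUTING -i pppoe-wan -j RETURN
        return "PASS"
    if client_return and ipaddress.ip_address(pkt.src) == BYPASS_CLIENT:
        return "PASS"                              # -I PREROUTING -s 10.10.10.214/32 -j RETURN
    if pkt.proto == "tcp" and pkt.socket_owned:    # -A PREROUTING -p tcp -m socket -j DIVERT
        pkt.mark = 0x1                             # -A DIVERT -j MARK --set-xmark 0x1 ; -j ACCEPT
        return "DIVERT"
    return "TPROXY" if proxy_chain(pkt) == "TPROXY" else "PASS"   # -A PREROUTING -j PROXY


def scenarios() -> dict:
    """Constructed packets covering the cases discussed in the answer."""
    def client_out():   # 10.10.10.214 -> internet, entering from the LAN
        return Packet("10.10.10.214", "198.51.100.10", LAN_IFACE)

    def other_out():    # another LAN host that should still be proxied
        return Packet("10.10.10.50", "198.51.100.10", LAN_IFACE)

    def reply_in():     # server reply, addressed to the router's WAN IP after MASQUERADE
        return Packet("198.51.100.10", "203.0.113.7", WAN_IFACE)

    def lan_local():    # LAN host talking to the router itself
        return Packet("10.10.10.50", "10.10.10.1", LAN_IFACE)

    return {
        # question's state plus the first -I rule only: outbound bypasses, but the
        # reply from the WAN still matches TPROXY, which is the reported failure
        "client_out_first_rule_only": prerouting(client_out(), wan_return=False),
        "reply_first_rule_only": prerouting(reply_in(), wan_return=False),
        # both rules from the answer: reply now falls through to the nat table
        "reply_both_rules": prerouting(reply_in()),
        # unrelated traffic keeps its original handling
        "other_client_out": prerouting(other_out()),
        "lan_to_router": prerouting(lan_local()),
    }


if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name:28s} -> {verdict}")
```

Running the block prints one line per scenario; the key pair is `reply_first_rule_only -> TPROXY` (the reply to the excluded device is grabbed by the proxy before the nat table can de-MASQUERADE it) versus `reply_both_rules -> PASS` once the `-i pppoe-wan -j RETURN` rule sits above it.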