I want all packets that pass through the FORWARD chain to be redirected to the local loopback so that I can proxy this traffic. I set up an iproute2 routing rule (all packets carrying mark 1 are routed to the loopback) and then set mark 1 on packets in the iptables FORWARD chain. The details are as follows:
PS: When I set mark 1 on packets in the iptables PREROUTING chain, this routing rule works correctly, but it does not work in the iptables FORWARD chain. I don't know why.
// OS System:
# iptables -V
iptables v1.4.21
# uname -a
Linux centos7 3.10.0-1160.el7.x86_64 #1 SMP Mon Oct 19 16:18:59 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
//set mark 1 route rule
# ip rule add fwmark 1 table 100
# ip route add local 0.0.0.0/0 dev lo table 100
# ip rule
0: from all lookup local
32765: from all fwmark 0x1 lookup 100
32766: from all lookup main
32767: from all lookup default
# ip route list table 100
local default dev lo scope host
// set mark 1 in FORWARD chain
# iptables -t mangle -A FORWARD -p tcp -d 169.254.2.0/24 -j MARK --set-mark 1
# iptables -nL -t mangle
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
UTPROXY all -- 0.0.0.0/0 0.0.0.0/0
LOG tcp -- 192.168.11.1 0.0.0.0/0 tcp dpt:!22 LOG flags 0 level 4 prefix "pre:"
Chain INPUT (policy ACCEPT)
target prot opt source destination
LOG tcp -- 192.168.11.1 0.0.0.0/0 tcp dpt:!22 LOG flags 0 level 4 prefix "input:"
Chain FORWARD (policy ACCEPT)
target prot opt source destination
MARK tcp -- 0.0.0.0/0 169.254.2.0/24 MARK set 0x1
LOG tcp -- 192.168.11.1 0.0.0.0/0 tcp dpt:!22 LOG flags 0 level 4 prefix "forward:"
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
LOG tcp -- 0.0.0.0/0 192.168.11.1 tcp spt:!22 LOG flags 0 level 4 prefix "output:"
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
LOG tcp -- 0.0.0.0/0 192.168.11.1 tcp spt:!22 LOG flags 0 level 4 prefix "post:"
LOG tcp -- 192.168.11.1 0.0.0.0/0 tcp dpt:!22 LOG flags 0 level 4 prefix "post:"
Chain UTPROXY (1 references)
target prot opt source destination
TPROXY tcp -- 0.0.0.0/0 169.254.2.0/24 TPROXY redirect 0.0.0.0:2001 mark 0x1/0x1
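The question compares a MARK rule in FORWARD with one in PREROUTING, so a useful check is an audit of where in the mangle table each mark-setting rule sits relative to the route lookup that a `fwmark` policy rule feeds. The following is an added example, not code from the question or from any of the tools it shows: it parses the `iptables -nL -t mangle` and `ip rule` output formats shown above (the sample dumps below are constructed to mirror them), follows jumps into user-defined chains such as UTPROXY, and reports whether each MARK or TPROXY mark is applied in a chain that precedes the routing decision (PREROUTING for incoming packets, OUTPUT for locally generated ones) or in one that runs only after it (FORWARD, INPUT, POSTROUTING). The chain names, the regular expressions and the verdict strings are this example's own assumptions.

```python
"""Audit mangle-table MARK/TPROXY rules against `ip rule` fwmark entries and
report whether each mark is set before or after the routing decision.
Added example; sample dumps are constructed, not copied from a live host."""
import re

BUILTIN = {"PREROUTING", "INPUT", "FORWARD", "OUTPUT", "POSTROUTING"}
# Built-in chains whose mark changes are seen by the next route lookup:
# PREROUTING precedes the routing decision for incoming packets, and a
# packet leaving OUTPUT is re-routed if its mark changed there.
BEFORE_ROUTING = {"PREROUTING", "OUTPUT"}

CHAIN_RE = re.compile(r"^Chain (\S+) \(")
FWMARK_RE = re.compile(r"^\s*(\d+):\s+from \S+ fwmark (0x[0-9a-fA-F]+|\d+)"
                       r"(?:/(0x[0-9a-fA-F]+|\d+))?\s+lookup (\S+)")
SETMARK_RE = re.compile(r"\bMARK set (0x[0-9a-fA-F]+)")
TPROXY_MARK_RE = re.compile(r"\bTPROXY redirect \S+ mark (0x[0-9a-fA-F]+)/0x[0-9a-fA-F]+")


def parse_mangle(text):
    """Return {chain: [(target, extra_columns)]} from `iptables -nL -t mangle` output."""
    chains, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = []
        elif current and line and not line.startswith("target "):
            cols = line.split(None, 5)  # target prot opt source destination [extra]
            if len(cols) >= 5:
                chains[current].append((cols[0], cols[5] if len(cols) == 6 else ""))
    return chains


def parse_fwmark_rules(text):
    """Return [(priority, mark, mask, table)] for `ip rule` entries keyed on fwmark."""
    rules = []
    for line in text.splitlines():
        m = FWMARK_RE.match(line)
        if m:
            prio, mark, mask, table = m.groups()
            rules.append((int(prio), int(mark, 0), int(mask, 0) if mask else 0xFFFFFFFF, table))
    return rules


def entry_points(chains):
    """Map every chain to the set of built-in chains that can reach it through jumps."""
    reach = {c: ({c} if c in BUILTIN else set()) for c in chains}
    changed = True
    while changed:  # propagate to a fixed point so nested user chains are handled
        changed = False
        for chain, rules in chains.items():
            for target, _ in rules:
                if target in chains and not reach[chain] <= reach[target]:
                    reach[target] |= reach[chain]
                    changed = True
    return reach


def audit(mangle_text, ip_rule_text):
    """Return [(chain, entry_chains, mark, verdict)] for every rule that sets a mark."""
    chains = parse_mangle(mangle_text)
    reach = entry_points(chains)
    policy = parse_fwmark_rules(ip_rule_text)
    findings = []
    for chain, rules in chains.items():
        for _target, extra in rules:
            m = SETMARK_RE.search(extra) or TPROXY_MARK_RE.search(extra)
            if not m:
                continue
            mark = int(m.group(1), 16)
            tables = [t for _, pm, mask, t in policy if mark & mask == pm & mask]
            before = reach[chain] & BEFORE_ROUTING
            if not tables:
                verdict = "no fwmark policy rule matches this mark"
            elif before == reach[chain]:
                verdict = "mark visible to route lookup (table %s)" % tables[0]
            elif before:
                verdict = "visible only when entered via %s" % ",".join(sorted(before))
            else:
                verdict = "set after the routing decision; fwmark rule never consulted"
            findings.append((chain, sorted(reach[chain]), hex(mark), verdict))
    return findings


# Constructed sample input mirroring the dumps in the question.
MANGLE_DUMP = """\
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
UTPROXY    all  --  0.0.0.0/0            0.0.0.0/0
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
MARK       tcp  --  0.0.0.0/0            169.254.2.0/24       MARK set 0x1
Chain UTPROXY (1 references)
target     prot opt source               destination
TPROXY     tcp  --  0.0.0.0/0            169.254.2.0/24       TPROXY redirect 0.0.0.0:2001 mark 0x1/0x1
"""
IP_RULE_DUMP = """\
0:      from all lookup local
32765:  from all fwmark 0x1 lookup 100
32766:  from all lookup main
32767:  from all lookup default
"""

if __name__ == "__main__":
    for chain, entries, mark, verdict in audit(MANGLE_DUMP, IP_RULE_DUMP):
        print("%-10s entered from %-12s mark %s: %s" % (chain, ",".join(entries), mark, verdict))
```

Run against the constructed dumps, the FORWARD MARK rule is reported as set after the routing decision, while the TPROXY rule in UTPROXY, reached only from PREROUTING, is reported as visible to the table 100 lookup. The same two functions can be fed the real output of `iptables -nL -t mangle` and `ip rule` on a host when reviewing a transparent-proxy setup.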