There are some IP routing rules in the old code, but I don't know what they mean:
ip route flush table 100
ip rule add fwmark 1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100
Answer 1
Answer 2
This code is certainly part of a transparent proxy setup on Linux (using iptables' socket match and TPROXY target, or nftables' socket expression and tproxy statement).

From the Linux kernel documentation tproxy.txt:
1. Making non-local sockets work
================================

The idea is that you identify packets with destination address matching a local
socket on your box, set the packet mark to a certain value:

# iptables -t mangle -N DIVERT
# iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
# iptables -t mangle -A DIVERT -j MARK --set-mark 1
# iptables -t mangle -A DIVERT -j ACCEPT

Alternatively you can do this in nft with the following commands:

# nft add table filter
# nft add chain filter divert "{ type filter hook prerouting priority -150; }"
# nft add rule filter divert meta l4proto tcp socket transparent 1 meta mark set 1 accept

And then match on that value using policy routing to have those packets
delivered locally:

# ip rule add fwmark 1 lookup 100
# ip route add local 0.0.0.0/0 dev lo table 100
The first command selects an alternate routing table for marked packets. The second command adds an entry to that routing table: the intercepted packets (which should have been routed onward, but were diverted) end up on the local system.

The first part above serves to keep state: a connection that was diverted (by the later part below) will keep being diverted, because its destination address, while not a local host address, still exists on a local socket, made possible by the socket option IP_TRANSPARENT:
Note that for this to work you'll have to modify the proxy to enable (SOL_IP, IP_TRANSPARENT) for the listening socket.
A dedicated application must be there to handle this, for example Squid or HAProxy, with adequate configuration matching the tproxy rules below:
The 'TPROXY' target provides similar functionality without relying on NAT. Simply
add rules like this to the iptables ruleset above:

# iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY \
  --tproxy-mark 0x1/0x1 --on-port 50080

Or the following rule to nft:

# nft add rule filter divert tcp dport 80 tproxy to :50080 meta mark set 1 accept
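As an added example (not code from the original answer, and not Squid's or HAProxy's code), here is the application side of the setup above in Python: a listener that enables (SOL_IP, IP_TRANSPARENT), recovers the address the client actually dialed with getsockname() once TPROXY has diverted the connection, and relays bytes to that destination. The port 50080, the option of binding the upstream socket to the client's address, and the loopback demo with an upper-casing fake origin server are assumptions for illustration; the demo needs none of the fwmark/table-100 rules and runs unprivileged, in which case IP_TRANSPARENT is simply reported as not set.

```python
"""Transparent TCP proxy skeleton for the TPROXY setup in the answer.

Added example, not code from the original answer or from Squid/HAProxy.
Assumes the DIVERT/TPROXY rules plus `ip rule add fwmark 1 lookup 100` and
`ip route add local 0.0.0.0/0 dev lo table 100` are in place, so that TCP
traffic to port 80 lands on LISTEN_PORT; the loopback demo needs none of that.
"""
import socket
import threading

# Value from <linux/in.h>; some Python builds do not export the constant.
IP_TRANSPARENT = getattr(socket, "IP_TRANSPARENT", 19)
LISTEN_PORT = 50080  # hypothetical; matches --on-port / "tproxy to :50080"


def make_transparent_listener(host="0.0.0.0", port=LISTEN_PORT, backlog=128):
    """Listener with IP_TRANSPARENT. Returns (sock, transparent); the option
    needs CAP_NET_ADMIN, so an unprivileged run reports transparent=False and
    only ordinary (non-diverted) connections can reach the socket."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    try:
        # SOL_IP == IPPROTO_IP on Linux; this is the option tproxy.txt requires.
        sock.setsockopt(socket.IPPROTO_IP, IP_TRANSPARENT, 1)
        transparent = True
    except PermissionError:
        transparent = False
    sock.bind((host, port))
    sock.listen(backlog)
    return sock, transparent


def original_destination(conn):
    """Under TPROXY the accepted socket's local address is the address the
    client dialed, not LISTEN_PORT, so getsockname() yields the real target."""
    return conn.getsockname()[:2]


def connect_upstream(dest, spoof_src=None):
    """Dial the real destination. With spoof_src the upstream socket is bound
    to the client's own address (IP_TRANSPARENT again), so the server's replies,
    addressed to the client, match the socket rule, get mark 1 and are
    delivered locally through table 100 instead of being forwarded past us."""
    up = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    if spoof_src is not None:
        up.setsockopt(socket.IPPROTO_IP, IP_TRANSPARENT, 1)
        up.bind(spoof_src)
    up.connect(dest)
    return up


def _pump(src, dst):
    """Copy bytes one way; propagate EOF as a half-close on the other side."""
    try:
        while True:
            data = src.recv(65536)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def handle(conn, resolve=original_destination, spoof=False):
    """Proxy one accepted connection; returns the destination it was sent to."""
    dest = resolve(conn)
    src = conn.getpeername()[:2] if spoof else None
    with conn, connect_upstream(dest, src) as up:
        back = threading.Thread(target=_pump, args=(up, conn), daemon=True)
        back.start()
        _pump(conn, up)
        back.join()
    return dest


def serve(listener, resolve=original_destination, spoof=False):
    """Accept loop for real use: serve(make_transparent_listener()[0])."""
    while True:
        conn, _ = listener.accept()
        threading.Thread(target=handle, args=(conn, resolve, spoof),
                         daemon=True).start()


def demo_over_loopback(payload=b"hello"):
    """Constructed offline check: an upper-casing fake origin server stands in
    for the real destination, and resolve() is overridden to point at it since
    nothing rewrites destinations on loopback. Returns the proxied reply."""
    origin = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    origin.bind(("127.0.0.1", 0))
    origin.listen(1)

    def origin_main():
        c, _ = origin.accept()
        with c:
            c.sendall(c.recv(65536).upper())

    threading.Thread(target=origin_main, daemon=True).start()
    listener, _ = make_transparent_listener("127.0.0.1", 0)
    proxy = threading.Thread(
        target=lambda: handle(listener.accept()[0],
                              resolve=lambda _c: origin.getsockname()),
        daemon=True)
    proxy.start()
    with socket.create_connection(listener.getsockname()) as client:
        client.sendall(payload)
        client.shutdown(socket.SHUT_WR)
        reply = b"".join(iter(lambda: client.recv(65536), b""))
    proxy.join(5)
    listener.close()
    origin.close()
    return reply


if __name__ == "__main__":
    print(demo_over_loopback())  # b'HELLO'
```

In a real deployment the proxy runs as root or with CAP_NET_ADMIN, listens with serve(make_transparent_listener()[0]), and relies on the kernel rules in the answer to steer port-80 connections onto it; getsockname() then returns the origin server the client wanted rather than 50080. Passing spoof=True makes the upstream connection appear to come from the client, which is exactly why the "keep state" socket rule and the table-100 local route are needed for the return path.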