Nftables tproxy not working


I want to redirect all DNS traffic to a proxy. To do that, I set up the following rules in nftables:

    table inet metal {
        chain prerouting {
            # priority mangle (-150) runs before the nat prerouting chain, as the trace shows
            type filter hook prerouting priority mangle; policy accept;
            # hand DNS to the transparent proxy socket listening on port 1
            udp dport 53 tproxy to :1 accept
            tcp dport 53 tproxy to :1 accept
        }
    }

The proxy binds to port 1 and sets a few socket options:

    // unix is golang.org/x/sys/unix; fd is the proxy's listening socket
    // IP_TRANSPARENT lets the socket receive tproxy'd packets addressed to non-local destinations
    err4 = unix.SetsockoptInt(fd, unix.SOL_IP, unix.IP_TRANSPARENT, 1)
    if err4 == nil {
        // IP_RECVORIGDSTADDR makes recvmsg return the packet's original destination as ancillary data
        err4 = unix.SetsockoptInt(fd, unix.SOL_IP, unix.IP_RECVORIGDSTADDR, 1)
    }

But when I run the proxy, the DNS traffic somehow never reaches it. Interestingly, when I stop the proxy, the DNS traffic goes straight to its original destination.

I tried to trace how the nftables rules are applied, and the output of nft monitor trace shows:

    trace id a7cc39a5 inet metal prerouting packet: iif "vlan20" ether saddr 52:54:00:c8:4f:dd ether daddr 52:19:cd:e8:a1:89 vlan pcp 0 vlan cfi 0 vlan id 1001 ip saddr 10.0.24.2 ip daddr 1.1.1.1 ip dscp cs0 ip ecn not-ect ip ttl 63 ip id 27564 ip protocol udp ip length 56 udp sport 33222 udp dport 53 udp length 36 @th,64,96 17776049973980271729501536256
    trace id a7cc39a5 inet metal prerouting rule udp dport 53 tproxy to :1 meta nftrace set 1 accept (verdict accept)
    trace id a7cc39a5 inet nat prerouting verdict continue
    trace id a7cc39a5 inet nat prerouting policy accept

It looks like all the rules are being applied successfully.
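An added example of the proxy side of this setup, written for this page and not taken from the question or from any project: a minimal transparent UDP DNS relay in Go that uses the standard library's syscall package in place of golang.org/x/sys/unix. It opens the port-1 socket with IP_TRANSPARENT and IP_RECVORIGDSTADDR as in the snippet above, recovers each query's original destination from the IP_ORIGDSTADDR control message, forwards the query, and answers the client from a second transparent socket bound to that destination so the reply carries the source address the client expects. The mark and policy-routing setup in the comment at the top of main is an assumption taken from the kernel's tproxy documentation, not something the question states; the program is Linux-only and needs CAP_NET_ADMIN to run.

```go
package main

import (
	"context"
	"fmt"
	"log"
	"net"
	"syscall"
	"time"
)

// transparentUDPSocket binds a UDP socket to addr with IP_TRANSPARENT set, which lets tproxy hand it
// packets for foreign destinations and lets it bind a non-local address such as 1.1.1.1:53 for replies;
// recvOrigDst adds IP_RECVORIGDSTADDR so that recvmsg attaches each datagram's original destination.
func transparentUDPSocket(addr string, recvOrigDst bool) (*net.UDPConn, error) {
	lc := net.ListenConfig{Control: func(_, _ string, rc syscall.RawConn) error {
		var serr error
		if err := rc.Control(func(fd uintptr) {
			serr = syscall.SetsockoptInt(int(fd), syscall.SOL_IP, syscall.IP_TRANSPARENT, 1) // needs CAP_NET_ADMIN
			if serr == nil && recvOrigDst {
				serr = syscall.SetsockoptInt(int(fd), syscall.SOL_IP, syscall.IP_RECVORIGDSTADDR, 1)
			}
		}); err != nil {
			return err
		}
		return serr
	}}
	pc, err := lc.ListenPacket(context.Background(), "udp4", addr)
	if err != nil {
		return nil, err
	}
	return pc.(*net.UDPConn), nil
}

// parseOrigDst decodes the IP_ORIGDSTADDR control message (a sockaddr_in) that the kernel attaches
// once IP_RECVORIGDSTADDR is set; it is how the proxy learns which resolver the client was asking.
func parseOrigDst(oob []byte) (*net.UDPAddr, error) {
	msgs, err := syscall.ParseSocketControlMessage(oob)
	if err != nil {
		return nil, err
	}
	for _, m := range msgs {
		if m.Header.Level != syscall.SOL_IP || m.Header.Type != syscall.IP_ORIGDSTADDR || len(m.Data) < syscall.SizeofSockaddrInet4 {
			continue
		}
		// sockaddr_in layout: sin_family (2 bytes, host order), sin_port (2, network order), sin_addr (4).
		return &net.UDPAddr{IP: net.IPv4(m.Data[4], m.Data[5], m.Data[6], m.Data[7]), Port: int(m.Data[2])<<8 | int(m.Data[3])}, nil
	}
	return nil, fmt.Errorf("no IP_ORIGDSTADDR control message in %d bytes of ancillary data", len(oob))
}

// relay forwards one query to its original destination (a real proxy would pick its own upstream; the
// locally generated packet passes the output hook, not prerouting, so it is not tproxied again) and
// answers from a socket bound to that destination, so the reply carries the source the client expects.
func relay(query []byte, client, orig *net.UDPAddr) error {
	up, err := net.DialUDP("udp4", nil, orig)
	if err != nil {
		return err
	}
	defer up.Close()
	up.SetDeadline(time.Now().Add(3 * time.Second))
	reply, n := make([]byte, 4096), 0
	if _, err = up.Write(query); err == nil {
		n, err = up.Read(reply)
	}
	if err != nil {
		return err
	}
	back, err := transparentUDPSocket(orig.String(), false)
	if err != nil {
		return err
	}
	defer back.Close()
	_, err = back.WriteToUDP(reply[:n], client)
	return err
}

func main() {
	// Assumed host setup, taken from the kernel's tproxy documentation rather than from the question:
	// the nft rule must also set a mark and a policy route must deliver marked packets locally, or a
	// packet addressed to 1.1.1.1 is simply routed onward:  udp dport 53 tproxy to :1 meta mark set 1 accept
	//   ip rule add fwmark 1 lookup 100 ; ip route add local 0.0.0.0/0 dev lo table 100
	ln, err := transparentUDPSocket("0.0.0.0:1", true)
	if err != nil {
		log.Fatal(err)
	}
	buf, oob := make([]byte, 4096), make([]byte, 64)
	for {
		n, oobn, _, client, err := ln.ReadMsgUDP(buf, oob)
		if err != nil {
			log.Fatal(err)
		}
		orig, err := parseOrigDst(oob[:oobn])
		if err == nil { // sequential for brevity; concurrent relays would also need SO_REUSEADDR on the reply sockets
			err = relay(buf[:n], client, orig)
		}
		if err != nil {
			log.Printf("%v -> %v: %v", client, orig, err)
		}
	}
}
```

The reply socket is the part most often missed: the listening socket is bound to 0.0.0.0:1, so answering through it would reach the client with source port 1 and be discarded by the resolver library; binding a second IP_TRANSPARENT socket to the original destination (here 1.1.1.1:53) is what makes the reply look like it came from the server the client asked.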
