Pass docker container network through host iptables tproxy
I have a TPROXY-supported proxy server running on my machine (listening on 127.0.0.1:8080). I configured iptables to redirect traffic to this proxy server using `TPROXY` target as below:
Code:
ip route add local default dev lo table 100

I also used the `LOG` iptables target in every chain of every table to see how packets traverse, and to debug (or guess) what the issue is.

From what I understood, locally-generated packets are marked with fwmark 1 as they pass through the `mangle` table's `OUTPUT` chain, then routed to the `lo` device (instead of the default internet-connected device `eth0`) because of the `ip route` and `ip rule` commands. They are then received on the `lo` device, where they get redirected to the proxy server by the `TPROXY` target defined in the `mangle` table's `PREROUTING` chain, and the rest of the proxying process follows.

On the other hand, packets sent from a Docker container are first received on `docker0` (the default Docker bridge network device), and once they are redirected by the `TPROXY` target, the packet *hangs* in the `nat` table's `INPUT` chain, which AFAIK is just before they are handed over to the proxy server process. As I don't see any log message from the proxy server, I guess these packets are being dropped (?) somehow.

I tested the following as well:

- Running the proxy server bound to `0.0.0.0`
- Enabling the `net.ipv4.ip_forward` kernel option
- Letting `docker0` packets pass through the `mangle` table's `PREROUTING` chain first by just marking them with fwmark 1 (without jumping to `TPROXY`), letting `ip route` re-route them back to `lo` (similar to what happens for locally-generated packets), and then applying the `TPROXY` redirection to the associated packet that is received later on the `lo` device. This works as expected for the forwarded packet, but the corresponding packet that is received on the `lo` device hangs right after the `mangle` table's `PREROUTING` chain and does not proceed.

But with no results... Any help is appreciated.

As I'm new to advanced iptables networking on Linux (I started only 3 days ago), please also let me know if there is any more information that needs to be provided.

Cheers
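The post above only preserves the `ip route` line of its configuration, so here is an added example (not code from the original post) of a complete TPROXY rule set that covers both paths the post describes: host-generated traffic marked in `mangle OUTPUT`, re-routed into `lo` by the fwmark rule and caught by `TPROXY` in `mangle PREROUTING`, and container traffic arriving on `docker0` caught by the same `PREROUTING` chain. It follows the layout in the kernel's `Documentation/networking/tproxy.rst` (a `DIVERT` chain plus the `socket` match for already-accepted connections). Everything not stated in the post is an assumption: the proxy is bound to `0.0.0.0:8080` with `IP_TRANSPARENT`, it runs as Unix user `proxy` (the `owner` match is what keeps its own upstream connections out of the redirect loop), and the chain names `DIVERT`, `TPROXY_IN` and `TPROXY_OUT` are chosen here. The script prints the commands by default so they can be reviewed before being applied as root; it does not touch Docker's own `nat`/`filter` rules or the `FORWARD` policy.

```shell
#!/bin/sh
# Added example, not code from the original post. Generates (and optionally
# applies) a TPROXY rule set for two cases:
#   1. locally generated traffic: mangle OUTPUT marks it, the ip rule sends it
#      to a table that treats everything as local, it re-enters on lo and is
#      redirected by TPROXY in mangle PREROUTING;
#   2. traffic arriving from containers on docker0, redirected directly in
#      mangle PREROUTING.
# Assumptions (not stated in the post): the proxy listens on 0.0.0.0:8080 with
# IP_TRANSPARENT and runs as user "proxy". fwmark 1 and table 100 follow the post.

PROXY_PORT="${PROXY_PORT:-8080}"
PROXY_USER="${PROXY_USER:-proxy}"   # assumed uid the proxy runs as
TPROXY_MARK=1
ROUTE_TABLE=100
BRIDGE_IF="${BRIDGE_IF:-docker0}"

# Destinations that must never be redirected: loopback, link-local, RFC1918
# (this includes the docker0 subnet, so the proxy's replies to containers are
# not redirected again) and multicast.
bypass_nets() {
    printf '%s\n' 127.0.0.0/8 169.254.0.0/16 10.0.0.0/8 \
        172.16.0.0/12 192.168.0.0/16 224.0.0.0/4
}

# Policy routing: marked packets are looked up in a table where everything is
# a local route via lo, so they are delivered locally instead of leaving via eth0.
routing_rules() {
    echo "ip rule add fwmark $TPROXY_MARK lookup $ROUTE_TABLE"
    echo "ip route add local 0.0.0.0/0 dev lo table $ROUTE_TABLE"
}

# mangle PREROUTING: handles what comes back in on lo (re-routed host traffic)
# and what arrives from containers on docker0.
prerouting_rules() {
    echo "iptables -t mangle -N DIVERT"
    echo "iptables -t mangle -A DIVERT -j MARK --set-mark $TPROXY_MARK"
    echo "iptables -t mangle -A DIVERT -j ACCEPT"
    echo "iptables -t mangle -N TPROXY_IN"
    for n in $(bypass_nets); do
        echo "iptables -t mangle -A TPROXY_IN -d $n -j RETURN"
    done
    # Packets of connections the proxy already accepted only need the mark so
    # the ip rule keeps delivering them locally; no second TPROXY lookup.
    echo "iptables -t mangle -A TPROXY_IN -p tcp -m socket --transparent -j DIVERT"
    echo "iptables -t mangle -A TPROXY_IN -p tcp -j TPROXY --on-ip 0.0.0.0 --on-port $PROXY_PORT --tproxy-mark $TPROXY_MARK/$TPROXY_MARK"
    echo "iptables -t mangle -A PREROUTING -i lo -p tcp -j TPROXY_IN"
    echo "iptables -t mangle -A PREROUTING -i $BRIDGE_IF -p tcp -j TPROXY_IN"
}

# mangle OUTPUT: mark locally generated TCP so the ip rule pushes it into lo,
# where PREROUTING picks it up. The proxy's own sockets are skipped to avoid a loop.
output_rules() {
    echo "iptables -t mangle -N TPROXY_OUT"
    echo "iptables -t mangle -A TPROXY_OUT -m owner --uid-owner $PROXY_USER -j RETURN"
    for n in $(bypass_nets); do
        echo "iptables -t mangle -A TPROXY_OUT -d $n -j RETURN"
    done
    echo "iptables -t mangle -A TPROXY_OUT -j MARK --set-mark $TPROXY_MARK"
    echo "iptables -t mangle -A OUTPUT -p tcp -j TPROXY_OUT"
}

# Full rule set, in an order that is safe to apply top to bottom
# (chains are filled before anything jumps to them).
all_rules() {
    routing_rules
    prerouting_rules
    output_rules
}

# Number of commands that would be executed; a quick sanity check.
rule_count() {
    all_rules | wc -l | tr -d ' '
}

case "${1:-print}" in
    print) all_rules ;;              # dry run: show what would be executed
    apply) all_rules | sh -ex ;;     # needs root; stops at the first failing command
    *)     echo "usage: $0 [print|apply]" >&2; exit 2 ;;
esac
```

Run it without arguments to review the commands, then `apply` as root. Because `apply` runs with `sh -e`, a pre-existing chain or rule aborts the run instead of silently leaving a half-applied state. After applying, `iptables -t mangle -L TPROXY_IN -v -n` shows per-rule packet counters, which tells you whether docker0 traffic is actually reaching the `TPROXY` rule or is being caught by one of the bypass entries first.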