The code used in my example is taken from a REDSOCKS tutorial but it doesn't do the job for me. I'm trying to redirect all my TCP traffic through a local proxy server.
#!/bin/bash
CHAIN="MYCHAIN"
PROTO="tcp"
iptables -t nat -N ${CHAIN}
# Ignore LANs and some other reserved addresses.
iptables -t nat -A ${CHAIN} -d 0.0.0.0/8 -j RETURN
iptables -t nat -A ${CHAIN} -d 10.0.0.0/8 -j RETURN
iptables -t nat -A ${CHAIN} -d 127.0.0.0/8 -j RETURN
iptables -t nat -A ${CHAIN} -d 169.254.0.0/16 -j RETURN
iptables -t nat -A ${CHAIN} -d 172.16.0.0/12 -j RETURN
iptables -t nat -A ${CHAIN} -d 192.168.0.0/16 -j RETURN
iptables -t nat -A ${CHAIN} -d 224.0.0.0/4 -j RETURN
iptables -t nat -A ${CHAIN} -d 240.0.0.0/4 -j RETURN
# Anything else should be redirected to port 12345
iptables -t nat -A ${CHAIN} -p ${PROTO} -j REDIRECT --to-ports 12345
iptables -A INPUT -p ${PROTO} -j ${CHAIN}
I receive this error when executing the script:
iptables v1.8.4 (legacy): Couldn't load target 'MYCHAIN':No such file or directory
I think I'm missing a rule but I can't figure out which one.
You would have to create MYCHAIN before. Hint:
Try the TPROXY target (in PREROUTING / mangle). (Only valid in the mangle table, in the PREROUTING chain and user-defined chains which are only called from this chain.)
They have a good example:
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 50080
From the manual:
It redirects the packet to a local socket without changing the packet header in any way. It can also change the mark value which can then be used in advanced routing rules. It takes three options:
--on-port port
This specifies a destination port to use. It is a required option, 0 means the new destination port is the same as the original. This is only valid if the rule also specifies -p tcp or -p udp.
--on-ip address
This specifies a destination address to use. By default the address is the IP address of the incoming interface. This is only valid if the rule also specifies -p tcp or -p udp.
--tproxy-mark value[/mask]
Marks packets with the given value/mask. The fwmark value set here can be used by advanced routing. (Required for transparent proxying to work: otherwise these packets will get forwarded, which is probably not what you want.)
References:
tproxy documentation
netfilter man
You are only creating MYCHAIN in the nat table. The last command in your example is inserting a rule into the filter table's INPUT chain, with a jump target of MYCHAIN in the filter table. Since no such chain exists, you get the error message.
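As an added check (not part of the thread), a small static linter in Python that applies the point made in this answer to the script text: it records which table each -N creates a user chain in and flags any -j that targets that chain from a different table. It assumes the script only uses simple NAME="value" assignments and ${NAME}/$NAME expansions, as the asker's does. The constructed copy of the failing script trips on the filter-table INPUT rule; the same rules with the hook moved into the nat table's OUTPUT chain, where REDIRECT is permitted for locally generated traffic, pass.

```python
import re
import shlex
# Terminal actions and target extensions; they are not user chains and need no -N.
BUILTIN_TARGETS = {"ACCEPT", "DROP", "RETURN", "REJECT", "LOG", "MARK",
                   "REDIRECT", "DNAT", "SNAT", "MASQUERADE", "TPROXY"}

# Constructed, shortened copy of the failing script from the question.
ASKER_SCRIPT = """#!/bin/bash
CHAIN="MYCHAIN"
PROTO="tcp"
iptables -t nat -N ${CHAIN}
iptables -t nat -A ${CHAIN} -d 127.0.0.0/8 -j RETURN
iptables -t nat -A ${CHAIN} -p ${PROTO} -j REDIRECT --to-ports 12345
iptables -A INPUT -p ${PROTO} -j ${CHAIN}
"""
# Same rules, but the hook rule lives in the nat table's OUTPUT chain (locally generated traffic).
FIXED_SCRIPT = ASKER_SCRIPT.replace("iptables -A INPUT", "iptables -t nat -A OUTPUT")

def check_chain_tables(script: str) -> list[str]:
    """Report every -j to a user chain that was not created with -N in the same table."""
    variables: dict[str, str] = {}
    created: dict[str, set[str]] = {}  # table -> user chains created there
    jumps: list[tuple[int, str, str, str]] = []  # (line, table, parent chain, target)
    for lineno, raw in enumerate(script.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        assign = re.fullmatch(r'(\w+)=(["\']?)(.*)\2', line)
        if assign:  # simple NAME="value" assignment, remembered for expansion
            variables[assign.group(1)] = assign.group(3)
            continue
        # Expand ${NAME} / $NAME as the shell would, then split like the shell.
        line = re.sub(r"\$\{?(\w+)\}?", lambda m: variables.get(m.group(1), ""), line)
        argv = shlex.split(line)
        if not argv or argv[0] != "iptables":
            continue
        table = argv[argv.index("-t") + 1] if "-t" in argv else "filter"  # no -t means filter
        if "-N" in argv:
            created.setdefault(table, set()).add(argv[argv.index("-N") + 1])
        if "-j" in argv:
            parent = next((argv[argv.index(f) + 1] for f in ("-A", "-I") if f in argv), "?")
            jumps.append((lineno, table, parent, argv[argv.index("-j") + 1]))
    errors = []
    for lineno, table, parent, target in jumps:
        if target in BUILTIN_TARGETS or target in created.get(table, set()):
            continue
        elsewhere = [t for t, chains in created.items() if target in chains]
        hint = f" (created only in table '{elsewhere[0]}')" if elsewhere else ""
        errors.append(f"line {lineno}: table '{table}', chain {parent}: jump target '{target}' does not exist{hint}")
    return errors
```

Running the check over ASKER_SCRIPT reports the single mismatched jump on its last line, while FIXED_SCRIPT returns no findings.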