DEV Community

Mark Nefedov
Mark Nefedov

Posted on

Nginx TCP transparent proxy

So we have a setup like this:

Nginx and upstream configuration

Set gateways to local and external networks:



network:
  ethernets:
    ens3:
      addresses:
        - 192.168.229.10/24
      gateway4: 192.168.229.15 # NGINX transparent proxy
      nameservers:
        addresses:
        - 192.168.222.8
        - 192.168.222.2
      routes:
        - to: 192.168.222.0/24
          via: 192.168.229.254 # Known gateway to internal network
  version: 2


Enter fullscreen mode Exit fullscreen mode

Create a policy where all packets marked with 1 will be routed to loopback interface for nginx processing.

ip rule add fwmark 1 lookup 100

Firewall marks are a feature of the Linux kernel's networking stack that allow you to "mark" packets with a certain value, which can then be used for making routing decisions. This can be useful for complex network setups where you need to route traffic differently based on criteria other than the destination IP.

In this case, the rule is saying that any packets with a firewall mark of 1 (which would have been set by a previous step, perhaps an iptables rule) should use routing table 100.

ip route add local 0.0.0.0/0 dev lo table 100

This command adds a route to table 100 that sends all traffic (0.0.0.0/0 represents all IP addresses) to the loopback interface (lo).

The local keyword is used to indicate that these packets are to be treated as local and not to be forwarded. This is typically used when the system itself will be processing the packets, rather than forwarding them on to another network.

So this rule is saying that any traffic which gets directed to table 100 (such as by the previous ip rule command) should be sent to the local loopback interface.

firewall-cmd --permanent --direct --add-rule ipv4 mangle PREROUTING 0 -p tcp -s 192.168.229.10/31 --sport 3232 -j MARK --set-xmark 0x1/0xffffffff

This command adds a permanent direct rule to the firewalld configuration, which marks TCP packets with a source IP address in the range 192.168.229.10/31 and a source port of 3232 in the PREROUTING chain of the mangle table. The mark value is set to 0x1 with a mask of 0xffffffff.

Add directives nginx configuration:



server {
    listen 3232;
    proxy_bind $remote_addr transparent;
    proxy_pass sftp1;
}


Enter fullscreen mode Exit fullscreen mode

Enable NGINX transparent proxy handling.

TLDR

  • Change gateway address to NGINX to send all responses to spoofed packets back to NGINX.
  • Configure iptables/nftables to mark incoming traffic from upstream.
  • Create a rule and a routing table to send marked traffic local processing for nginx to pick it up.

Top comments (0)