I'm implementing TPROXY with the following rules:
ip rule add fwmark 1 table 100
ip route add local 0.0.0.0/0 dev lo table 100
iptables -t mangle -N pre_tproxy
iptables -t mangle -A pre_tproxy -p tcp -j TPROXY --on-port 12345 --tproxy-mark 1
iptables -t mangle -A PREROUTING -j pre_tproxy
iptables -t mangle -N rerouting
iptables -t mangle -A rerouting -j MARK --set-mark 1
iptables -t mangle -A OUTPUT -p tcp -j rerouting

Question 1: When TCP traffic from the OUTPUT chain gets marked (mark=1) and enters lo via policy routing, why does it trigger PREROUTING again and reach TPROXY's port 12345?
Question 2: For packets entering PREROUTING and getting --tproxy-mark 1, won't they be policy-routed back to lo, then hit PREROUTING again, creating an infinite loop?
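The ruleset above has one real loop hazard that is worth separating from the question about PREROUTING: the OUTPUT rule marks every locally generated TCP packet, including the proxy's own upstream connections, so those would be sent back into the proxy. The script below is an added example (not the poster's rules and not from any particular proxy project) of the same design with the usual guards from the kernel's tproxy documentation: an `-m socket` short-circuit in PREROUTING for packets that already belong to a local socket, and OUTPUT exclusions for the proxy's own user and for loopback destinations. It assumes a hypothetical system user `tproxy` for the proxy and keeps the port, mark and table numbers from the post. Rules are emitted as text so they can be reviewed first; `apply` pipes them to `sh` and needs root.

```shell
#!/bin/sh
# Added example: loop-safe TPROXY mangle ruleset.
# Assumptions: proxy runs as the (hypothetical) user "tproxy", listens on 12345,
# and uses fwmark 1 with routing table 100, as in the post.
PROXY_PORT=12345
PROXY_USER=tproxy
MARK=1
TABLE=100

# Emit the rules as text; review them before applying.
tproxy_rules() {
    cat <<EOF
ip rule add fwmark $MARK table $TABLE
ip route add local 0.0.0.0/0 dev lo table $TABLE
iptables -t mangle -N DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark $MARK
iptables -t mangle -A DIVERT -j ACCEPT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A PREROUTING -p tcp -j TPROXY --on-port $PROXY_PORT --tproxy-mark $MARK
iptables -t mangle -A OUTPUT -p tcp -m owner --uid-owner $PROXY_USER -j RETURN
iptables -t mangle -A OUTPUT -p tcp -d 127.0.0.0/8 -j RETURN
iptables -t mangle -A OUTPUT -p tcp -j MARK --set-mark $MARK
EOF
}

# Static sanity checks on the generated ruleset.
# Counts the three loop guards: socket match, owner exclusion, loopback exclusion.
count_guards() {
    tproxy_rules | grep -c -e '-m socket' -e '--uid-owner' -e '-d 127.0.0.0/8'
}

# Exactly one TPROXY target should exist, and it must come after the socket match.
count_tproxy_rules() {
    tproxy_rules | grep -c -- '-j TPROXY'
}

case "${1:-}" in
    apply) tproxy_rules | sh -e ;;   # requires root / CAP_NET_ADMIN
    *) tproxy_rules ;;
esac
```

The `-m socket -j DIVERT` rule must precede the TPROXY rule: packets of connections the proxy already accepted (and the proxy's own replies arriving on lo) get the mark and are delivered locally without passing through the TPROXY target again, while the owner and loopback exclusions stop the proxy's outbound connections from being marked in OUTPUT in the first place.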