On 2 October 2013 17:36, Marcus Furlong <furlongm@gmail.com> wrote:
> Slowly coming to the same same conclusion myself, but I was hoping
> this was out of date:
>
>    http://www.faqs.org/docs/iptables/traversingoftables.html
>
> Table 3-2. Source local host (our own machine), at Step 2 the routing
> decision is taken before the OUTPUT chain of the mangle table. Grr.
>
> Does anyone have any other ideas how I might achieve this?

Apologies for the late response.

As per the diagram:

http://inai.de/images/nf-packet-flow.png

tproxy is the solution that allows things like transparent proxies to work with UDP as well as TCP, and for IPv6 as well as IPv4, without relying on NAT.

My understanding of tproxy is that it ends up with (note: doing this with IPv6 appears to be broken in the standard wheezy kernel, however that is another issue; if you have problems with the wheezy kernel you might want to try a later kernel from backports just in case):

OUTPUT(eth0) -> routing -> PREROUTING (lo)

As per the diagram, after mangle:output rule, it does a "reroute check", which is capable of "jumping" back to the prerouting stage. I think. The best explanation I have been able to come up with anyway :-)

When I asked about this before I got the response: "Because it's two different interfaces (eth0 vs lo). The diagram is for a single interface."

Trying to understand how this works completely mangles my brain. Or nats my brain. Or something. However, will try:

In the mangle:OUTPUT I have:

MARK       tcp  --  0.0.0.0/0            192.168.0.0/16       tcp MARK set 0x1
MARK       udp  --  0.0.0.0/0            192.168.0.0/16       udp MARK set 0x1

This assigns all required packets the mark. Then, as above, it must look at my routing rules:

aquitard# ip rule
0:      from all lookup local 
32764:  from all fwmark 0x1 lookup 100 
32765:  from all fwmark 0x1 lookup 100 
32766:  from all lookup main 
32767:  from all lookup default 

aquitard# ip route show table 100
local default dev lo  scope host 

Which reroutes it to lo.

Then in mangle:PREROUTING I do the tproxy stuff. Which is probably not really relevant to your task.

All seems a bit like black magic to me.

However it does actually work.


So in conclusion, while this seems very non-obvious, have you tried marking the packets in the OUTPUT chain?


Thread where I try to understand this for the first time:

https://groups.google.com/forum/#!msg/sshuttle/5U0JFrecHks/PhUGMa1RElMJ
--
Brian May <brian@microcomaustralia.com.au>
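Added example, not part of the thread or of any project's code: a small POSIX sh checker for the policy-routing half of the setup Brian describes. Given the text of `ip rule` and `ip route show table 100`, it confirms that packets carrying fwmark 0x1 are sent to a table whose route delivers them locally on lo (so they re-enter PREROUTING), and flags the duplicated fwmark rule visible at 32764/32765 in the listing; the sample output below is constructed to mirror that listing, and the 192.168.0.0/16 destination and table number 100 are taken from the message.

```shell
#!/bin/sh
# Constructed sample output, mirroring the listing in the message above.
SAMPLE_RULES='0:      from all lookup local
32764:  from all fwmark 0x1 lookup 100
32765:  from all fwmark 0x1 lookup 100
32766:  from all lookup main
32767:  from all lookup default'

SAMPLE_TABLE='local default dev lo  scope host'

# fwmark_table MARK RULES: print the table named by the first rule for MARK.
fwmark_table() {
    printf '%s\n' "$2" | awk -v m="$1" '$0 ~ ("fwmark " m " ") {
        for (i = 1; i <= NF; i++) if ($i == "lookup") { print $(i + 1); exit }
    }'
}

# count_fwmark_rules MARK RULES: how many rules match MARK (1 is expected).
count_fwmark_rules() {
    printf '%s\n' "$2" | grep -c "fwmark $1 " || true
}

# table_delivers_locally TABLE: succeed if a 'local default dev lo' route is present.
table_delivers_locally() {
    printf '%s\n' "$1" | grep -q '^local default dev lo'
}

# check_redirect MARK RULES TABLE: "ok", "warn" (duplicate rules) or "broken".
check_redirect() {
    t=$(fwmark_table "$1" "$2")
    [ -n "$t" ] || { echo broken; return; }
    table_delivers_locally "$3" || { echo broken; return; }
    n=$(count_fwmark_rules "$1" "$2")
    [ "$n" -eq 1 ] && echo ok || echo warn
}

# The commands that build the setup from the message, printed rather than
# executed so this script stays side-effect free and needs no root.
show_setup_commands() {
    cat <<'EOF'
iptables -t mangle -A OUTPUT -p tcp -d 192.168.0.0/16 -j MARK --set-mark 0x1
iptables -t mangle -A OUTPUT -p udp -d 192.168.0.0/16 -j MARK --set-mark 0x1
ip rule add fwmark 0x1 lookup 100
ip route add local default dev lo table 100
EOF
}
```

On a live box, feed it `"$(ip rule)"` and `"$(ip route show table 100)"` instead of the constructed samples; "warn" on the sample is the duplicate rule from the listing.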