NFTables TPROXY - proxy input and output
#!/usr/sbin/nft -f
# see also:
# you might need to enable some nftables kernel modules:
# modprobe nft_tproxy
# modprobe nft_socket
# modprobe nf_tproxy_ipv4
# modprobe nf_tproxy_ipv6
# you will also have to configure a loopback route if you want to proxy 'output' traffic:
# echo "200 proxy_loopback" > /etc/iproute2/rt_tables.d/proxy.conf
# these need to be configured persistently (maybe use an interface up-hook)
# ip rule add fwmark 200 table proxy_loopback
# ip -6 rule add fwmark 200 table proxy_loopback
# ip route add local dev lo table proxy_loopback
# ip -6 route add local ::/0 dev lo table proxy_loopback
# can be checked using:
# ip rule list
# ip -6 rule list
# ip -d route show table all
# you might need to set a sysctl:
# sysctl -w net.ipv4.conf.all.route_localnet=1
# you might want to block on non loopback interfaces if you enable it:
# see below: 'prerouting_raw' & 'postrouting_mangle'
# modify variables as needed
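define MARK_PROXY = 200;    # fwmark that sends a packet through the loopback policy route (see 'ip rule' above)
define MARK_DONE = 201;     # fwmark meaning "already proxied"; nothing in this file sets it, so it is
                            # presumably applied by the proxy process itself (e.g. SO_MARK) - TODO confirm
# NOTE(review): the IPv4 entries of the two sets below were lost when this page was
# extracted (only the separators survived); restore them before loading the file.
define EXCLUDES_PROXY_V4 = {,,, };
define EXCLUDES_LOOP_V4 = { };
define EXCLUDES_PROXY_V6 = { ::1 };
define EXCLUDES_LOOP_V6 = { :: };
define PROXY_PORT = 3129;   # local port the proxy listens on (tproxy target)
define PROXY_UID = 13;      # uid the proxy runs as; its own outbound traffic is excluded via skuid
# Declaring the table before deleting it makes the reload idempotent: a bare
# 'delete table' fails with "No such file or directory" when the table does
# not exist yet (e.g. the first load after boot), which aborts the whole file.
table inet proxy
delete table inet proxy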
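# Transparent-proxy table. Three paths:
#  - prerouting: incoming TCP (and output traffic looped back over lo) is
#    diverted to the local proxy with tproxy;
#  - output: locally generated TCP gets $MARK_PROXY so the fwmark policy
#    route sends it back in over lo;
#  - two guard chains keep 'route_localnet' from exposing loopback addresses.
# The closing braces were missing in the page copy and are restored here.
table inet proxy {
    chain prerouting {
        type filter hook prerouting priority mangle; policy accept;
        # Packets that already belong to a socket with IP_TRANSPARENT set keep
        # the proxy mark so the policy route keeps delivering them locally.
        meta l4proto tcp socket transparent 1 meta mark set $MARK_PROXY comment "Redirect proxy sessions to proxy"
        # meta mark $MARK_PROXY log prefix "PRE MARK PROXY"
        # meta mark $MARK_DONE log prefix "PRE MARK DONE"
        meta l4proto tcp jump proxy_redirect
        # $MARK_DONE is never set in this file; it is expected to arrive on the
        # proxy's own sockets (presumably via SO_MARK) - TODO confirm.
        meta mark $MARK_DONE ct mark set meta mark comment "Store mark in connection"
    }

    chain proxy_redirect {
        ip daddr $EXCLUDES_PROXY_V4 return
        ip6 daddr $EXCLUDES_PROXY_V6 return
        # Was 'ip protocol tcp ...', which matches only the IPv4 header field, so
        # IPv6 connections carrying $MARK_DONE were not excluded and could be
        # redirected back into the proxy. 'meta l4proto' is family-agnostic and
        # is what every other rule in this table uses.
        meta l4proto tcp meta mark $MARK_DONE return comment "Exclude proxied traffic - anti-loop"
        # NOTE(review): the IPv4 target address in front of the port was lost in
        # page extraction; restore it so the rule mirrors the IPv6 one below.
        meta protocol ip meta l4proto tcp tproxy ip to$PROXY_PORT
        meta protocol ip6 meta l4proto tcp tproxy ip6 to [::1]:$PROXY_PORT
    }

    chain output {
        # 'type route' re-runs the route lookup after the mark changes, which is
        # what lets the fwmark policy rule steer the packet to lo.
        type route hook output priority mangle; policy accept;
        ct mark $MARK_DONE meta mark set ct mark comment "Load mark from connection"
        # meta mark $MARK_PROXY log prefix "OUT MARK PROXY"
        # meta mark $MARK_DONE log prefix "OUT MARK DONE"
        meta l4proto tcp jump output_loop
        meta mark $MARK_DONE meta mark set 0 comment "Remove unnecessary mark"
    }

    chain output_loop {
        ip daddr $EXCLUDES_PROXY_V4 return
        ip6 daddr $EXCLUDES_PROXY_V6 return
        ip daddr $EXCLUDES_LOOP_V4 return
        ip6 daddr $EXCLUDES_LOOP_V6 return
        # Both exclusions below are anti-loop: the proxy's own outbound
        # connections must not be marked, or they would be sent back to it.
        meta skuid $PROXY_UID return comment "Exclude Traffic from proxy itself - anti-loop"
        meta l4proto tcp meta mark $MARK_DONE return comment "Exclude proxied traffic - anti-loop"
        meta l4proto tcp meta mark set $MARK_PROXY
    }

    # With net.ipv4.conf.all.route_localnet=1 the kernel stops treating loopback
    # addresses as martian, so these two chains drop loopback-addressed packets
    # that enter or leave on any interface other than lo. The sysctl is IPv4
    # only, hence the 'ip' (not 'ip6') matches.
    # NOTE(review): the IPv4 prefix after 'ip daddr' / 'ip saddr' was lost in
    # page extraction; restore it before loading the file.
    chain prerouting_raw {
        type filter hook prerouting priority raw; policy accept;
        iifname != "lo" ip daddr drop comment "Security fix for 'route_localnet'"
    }

    chain postrouting_mangle {
        type filter hook postrouting priority mangle; policy accept;
        oifname != "lo" ip saddr drop comment "Security fix for 'route_localnet'"
    }

    # Empty base chains with policy accept: they register the hooks but, with
    # no rules, change nothing.
    chain input {
        type filter hook input priority 0; policy accept;
    }

    chain forward {
        type filter hook forward priority 0; policy accept;
    }
}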