The routing settings assume that the clients are on a different network behind a single physical interface. For the purposes of this example, we will assume that:
Clients are located on the 172.28.56.0/24 network
The router connects the 172.28.56.0/24 and 192.168.1.0/24 networks
Interface eth0 is on the 192.168.1.0/24 network
Interface eth1 is on the 172.28.56.0/24 network
The router is configured to route traffic correctly for the clients.
In this example, we will intercept the port 80 (HTTP) traffic that traverses the router. The first step is to use iptables to handle the IP packets appropriately.
# Redirect client web traffic to TPROXY
iptables -t mangle -A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j TPROXY \
    --on-ip 0.0.0.0 --on-port 8080 --tproxy-mark 1/1
# Let locally directed traffic pass through
iptables -t mangle -A PREROUTING -i eth0 --source 192.168.1.0/24 -j ACCEPT
iptables -t mangle -A PREROUTING -i eth0 --destination 192.168.1.0/24 -j ACCEPT
# Mark presumed return web traffic
iptables -t mangle -A PREROUTING -i eth0 -p tcp -m tcp --sport 80 -j MARK --set-mark 1/1
We mark the packets so that we can apply policy routing to them. For inbound packets, we use TPROXY to accept packets addressed to the external IP address. For a returning outbound packet there will already be an open socket bound to the external address, and we only need to force the packet to be delivered locally. The value of --on-ip is 0.0.0.0 because Traffic Server is listening on the destination port without being bound to a specific address. The value of --on-port must match the Traffic Server server port; otherwise its value is arbitrary. --dport and --sport specify the port from the perspective of the client and of the server respectively. The two lines in the middle exempt local web traffic from being marked for Traffic Server; these rules can be tightened or relaxed as needed. They work by matching that traffic and leaving iptables processing through ACCEPT before the last line is checked.
Once the packets are marked, we can force them through the loopback interface locally by way of a policy routing table.
ip rule add fwmark 1/1 table 1
ip route add local 0.0.0.0/0 dev lo table 1
The mark value used is arbitrary, but it must be the same in the iptables rules and in the routing rule.
Modify records.config:
proxy.config.http.server_ports STRING (default: value from --on-port)
proxy.config.reverse_proxy.enabled INT (default: 1)
proxy.config.url_remap.remap_required INT (default: 0)
Inline on ATS Linux routers