Installing nginx 1.14 / openssl 1.1.1 on Debian 9
Debian is really nice in case a newer version (than what’s in repo) of software is need. Although nginx / openssl provided in their stable repo is somewhat old, it’sContinue reading
Did some tweaks to my VPS / website
TLS 1.3 is now enabled. However, as a side effect, now ssllabs only gives 90 pct. to cipher strength of my TLS configuration. This is unfortunate, as currently there’s (seemingly)Continue reading
Switched to Debian 9 from CentOS 7
Preparing for enabling TLS 1.3. CentOS 7 (RHEL 7) does not come with an out-of-box nginx that supports TLS 1.3. To be fair, this is not a fault of nginx.Continue reading
Transparently proxing packets whose destination matching an ipset (IPv4/6)
IPv6/UDP does not work yet, though.. Not sure if it’s an issue in the rules, xt_TPROXY.ko or the proxy software itself. Glad to embrace IPv6.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 | #!/usr/bin/env bash set -e # Let's explain this. # # 1. We use a dedicated table (happen to be 123 here) inside which we treat all # IPs (including those who are generally treated as public / private IPs such # as 1.2.3.4) as loopback IP, by routing them all to the loopback device. # # 2. Then we routing all packets with a specific mark (happen to be 12345 here) # to that table. # # 3. Finally we use xt_TPROXY to mark the some of the packets (selected by iptables' # `-m set` condition) with the mark we use above (12345) so that they'll be # routed as rule above. # # 4. We also specified a IP/port as xt_TPROXY's parameters so that the process # listening on that IP/port will receive the packets and proxy them as desired. # The environment variables goes first. export PATH=/usr/local/bin:/opt/bin:/opt/sbin:$PATH # Send all packets with mark 12345 to routing table #123. ip rule add fwmark 12345 table 123 ip -6 rule add fwmark 12345 table 123 # Routing table #123 routes all packets to loopback device. ip route add local default dev lo table 123 ip -6 route add local default dev lo table 123 # For packets with `dst` matching `proxied_v4`, mark them with 12345, # and let process listening on 127.0.0.1:8765 to receive it. iptables -t mangle -A PREROUTING -p tcp -m set --match-set proxied_v4 dst -j TPROXY --on-port 8765 --on-ip 127.0.0.1 --tproxy-mark 12345 iptables -t mangle -A PREROUTING -p udp -m set --match-set proxied_v4 dst -j TPROXY --on-port 8765 --on-ip 127.0.0.1 --tproxy-mark 12345 # For packets with `dst` matching `proxied_v6`, mark them with 12345, # and let process listening on [::1]:8765 to receive it. ip6tables -t mangle -A PREROUTING -p tcp -m set --match-set proxied_v6 dst -j TPROXY --on-port 8765 --on-ip ::1 --tproxy-mark 12345 ip6tables -t mangle -A PREROUTING -p udp -m set --match-set proxied_v6 dst -j TPROXY --on-port 8765 --on-ip ::1 --tproxy-mark 12345 |
Compiling xt_TPROXY for ddwrt
It surprised me a bit that ddwrt (Kong build) is not shipped with xt_TPROXY. Fortunately it’s possible to compile kernel modules for ddwrt and load them later. The major stepsContinue reading
xt_TPROXY does not function properly under ddwrt (/linux 4.4) when used with IPv6
After digging the issue for about two days, it looks like to me that it’s caused by a bug in ipv6.ko. Unfortunately the rootfs is readonly on ddwrt, thus patchingContinue reading
Hello world!
Welcome to WordPress. This is your first post. Edit or delete it, then start writing!