
@Kyshman
Last active January 20, 2025 08:31
transparent-proxy-with-haproxy-using-firewalld

https://www.haproxy.com/blog/howto-transparent-proxying-and-binding-with-haproxy-and-aloha-load-balancer/

https://www.zenetys.com/en/transparent-proxy-with-haproxy-using-firewalld/

# Transparent-proxy plumbing for HAProxy (see the two links above): firewalld
# "direct" rules in the mangle table mark TCP packets that belong to a local
# socket, and the policy route further down delivers marked packets to the
# local proxy instead of forwarding them.
#
# All four firewall-cmd calls use --permanent only, so nothing below takes
# effect until `firewall-cmd --reload`.

# Create a dedicated DIVERT chain in the ipv4 mangle table; it must exist
# before the PREROUTING rule that jumps to it is loaded.
sudo firewall-cmd --permanent --direct --add-chain ipv4 mangle DIVERT

# Send every inbound TCP packet that matches an existing local socket
# (-m socket) to DIVERT.
# NOTE(review): the match is used without --transparent, so it presumably
# also fires for packets that match any ordinary local listener (e.g. a
# wildcard-bound service on the same port as forwarded traffic), not only
# HAProxy's transparent sockets — confirm that is intended, or narrow the
# match.
sudo firewall-cmd --permanent --direct --add-rule ipv4 mangle PREROUTING 0 -p tcp -m socket -j DIVERT

# DIVERT, priority 0: tag the packet with fwmark 1 (the value the ip rule
# below keys on) ...
sudo firewall-cmd --permanent --direct --add-rule ipv4 mangle DIVERT 0 -j MARK --set-mark 1

# ... and, priority 1: ACCEPT so no further mangle PREROUTING rules are
# evaluated for marked packets (nat/filter tables are still traversed).
sudo firewall-cmd --permanent --direct --add-rule ipv4 mangle DIVERT 1 -j ACCEPT

# Inspect the permanent direct configuration that the commands above wrote;
# the expected file contents follow. (The MASQUERADE/FORWARD entries for
# eno1/eno2/virbr0 are pre-existing rules, not part of this setup.)
sudo cat /etc/firewalld/direct.xml
<?xml version="1.0" encoding="utf-8"?>                                                                                                                                                         
<direct>                                                                                                                                                                                       
  <chain ipv="ipv4" table="mangle" chain="DIVERT"/>                                                                                                                                            
  <rule ipv="ipv4" table="nat" chain="POSTROUTING" priority="0">-o eno1 -j MASQUERADE</rule>                                                                                                   
  <rule ipv="ipv4" table="nat" chain="POSTROUTING" priority="0">-o eno2 -j MASQUERADE</rule>                                                                                                   
  <rule ipv="ipv4" table="filter" chain="FORWARD" priority="0">-i virbr0 -o eno1 -j ACCEPT</rule>                                                                                              
  <rule ipv="ipv4" table="filter" chain="FORWARD" priority="0">-i virbr0 -o eno2 -j ACCEPT</rule>                                                                                              
  <rule ipv="ipv4" table="filter" chain="FORWARD" priority="0">-i eno1 -o virbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT</rule>
  <rule ipv="ipv4" table="filter" chain="FORWARD" priority="0">-i eno2 -o virbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT</rule>
  <rule ipv="ipv4" table="mangle" chain="PREROUTING" priority="0">-p tcp -m socket -j DIVERT</rule>
  <rule ipv="ipv4" table="mangle" chain="DIVERT" priority="0">-j MARK --set-mark 1</rule>
  <rule ipv="ipv4" table="mangle" chain="DIVERT" priority="1">-j ACCEPT</rule>
</direct>

# NOTE(review): --runtime-to-permanent overwrites the permanent configuration
# with the current runtime one. The DIVERT chain and rules were added with
# --permanent only and are not part of the runtime config until the reload
# below, so this call may discard them if direct rules are included in the
# copy — verify on the target firewalld version, or simply reload first
# (after a reload runtime and permanent config are identical, making this
# step redundant but harmless).
sudo firewall-cmd --runtime-to-permanent

# Activate the permanent direct chain/rules.
sudo firewall-cmd --reload

# Policy routing, part 1: routing table 100 treats every IPv4 destination as
# local (delivered via lo) ...
sudo ip route add local 0.0.0.0/0 dev lo table 100

# ... part 2: packets carrying fwmark 1 (set in DIVERT) consult table 100, so
# they are handed to the local proxy socket rather than forwarded. Any other
# rule that sets mark 1 would have the same effect, so keep that mark value
# dedicated to this purpose.
# assumes IP forwarding is already enabled on this host (the FORWARD rules in
# direct.xml suggest it is) — TODO confirm
sudo ip rule add fwmark 1 lookup 100

# NOTE(review): the two `ip` commands above are runtime-only and are lost at
# reboot; `service iptables save` does not persist routes or rules, and
# iptables-services is normally not run alongside firewalld (whose --permanent
# rules are already stored). Persist the route and rule through the
# distribution's network configuration instead — TODO decide mechanism.
sudo service iptables save
