I'm trying to set up a TCP transparent proxy with cgroups2:
iptables -t nat -A OUTPUT -p tcp -m cgroup --path test --syn -j DNAT --to-destination 10.0.0.1:10000
iptables -A INPUT -p tcp -m cgroup --path test --syn -j ACCEPT
iptables -A INPUT -m cgroup --path test -j DROP
iptables -A OUTPUT -p tcp -m cgroup --path test --syn -j ACCEPT
iptables -A OUTPUT -m cgroup --path test -j DROP
The transparent proxy is up and running at 10.0.0.1:10000 (it has to be this address, not loopback).
When I try to access an external address through the proxy I get timeouts:
echo $$ >> /sys/fs/cgroup/test/cgroup.procs
sudo -u ${SUDO_USER} w3m 1.1.1.1
w3m: Can't load 1.1.1.1.
When I remove the -j DROP lines, it works.
My question is:
What kind of rule should I add to block all non-TCP traffic coming from the cgroup and let only TCP through?
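Added example, not part of the question above: a rule set for the same cgroup/proxy setup that lets accepted TCP flows continue while dropping everything else from the cgroup. It assumes the cgroup path `test` and proxy address `10.0.0.1:10000` from the question, and only prints the commands unless `APPLY=1` is set, since applying them needs root.

```shell
#!/bin/sh
# Why the original rules time out: "--syn" matches only the first packet of
# a connection, so every later segment (the SYN-ACK coming back, ACKs, data)
# falls through to the unconditional DROP. Accepting ESTABLISHED/RELATED
# conntrack state before the DROP lets accepted TCP flows finish, and the
# final DROP still blocks all non-TCP traffic from the cgroup.

CGROUP_PATH="${CGROUP_PATH:-test}"          # from the question
PROXY="${PROXY:-10.0.0.1:10000}"            # from the question

# Apply a rule with APPLY=1, otherwise just print it (dry run, no root needed).
ipt() {
    if [ "${APPLY:-0}" = "1" ]; then
        iptables "$@"
    else
        printf 'iptables %s\n' "$*"
    fi
}

cgroup_proxy_rules() {
    # Redirect new TCP connections from the cgroup to the transparent proxy.
    ipt -t nat -A OUTPUT -p tcp -m cgroup --path "$CGROUP_PATH" --syn \
        -j DNAT --to-destination "$PROXY"
    # Let every packet of an already-accepted flow pass, in both directions.
    ipt -A OUTPUT -m cgroup --path "$CGROUP_PATH" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -m cgroup --path "$CGROUP_PATH" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # New outgoing TCP connections (SYN) from the cgroup are allowed.
    ipt -A OUTPUT -p tcp -m cgroup --path "$CGROUP_PATH" --syn -j ACCEPT
    # Everything else from the cgroup is dropped: non-TCP protocols, and TCP
    # segments that belong to no tracked connection.
    ipt -A OUTPUT -m cgroup --path "$CGROUP_PATH" -j DROP
}

cgroup_proxy_rules
```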