Open NiceRath opened 1 year ago
Greetings!
First: Thank you for developing such a powerful and useful tool! I wish I'd found it days ago..
Related to Transparent Proxy docs.
I think the documentation on how to prevent (TProxy) loops could be improved!
In my case I tested a setup like this: iptables =TCP=> 127.0.0.1:4128 (gost-tproxy) =HTTP[TCP]=> 127.0.0.1:3128 (squid)
This is an edge-case, but the docs could be extended to mention 'owner' exclusions:
GOST_UID=1001
SQUID_UID=13
iptables -t mangle -A GOST_LOCAL -m owner --uid-owner "$GOST_UID" -j RETURN
iptables -t mangle -A GOST_LOCAL -m owner --uid-owner "$SQUID_UID" -j RETURN
These rules can make loop-catching easier!
It might also be necessary to store the mark inside the connection to transfer it between the prerouting and output chains:
iptables -t mangle -A PREROUTING -m mark --mark "$MARK_DONE" -j CONNMARK --save-mark
...
iptables -t mangle -I OUTPUT -m connmark --mark "$MARK_DONE" -j CONNMARK --restore-mark
Also - gost can be run as a non-root user when setting the CAP_NET_RAW capability on the executable:
sudo setcap cap_net_raw+ep /usr/local/bin/gost
sudo chown root:gost /usr/local/bin/gost
chmod 750 /usr/local/bin/gost
Just a note for others - my full ruleset that works: TProxy IPTables
Also - here's the same config translated to NFTables: TProxy NFTables
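A worked version of the loop-prevention idea above, added here as an example that is not the author's linked ruleset: a script that prints a minimal mangle ruleset for proxying the host's own TCP traffic through gost's TPROXY listener (owner exclusions plus CONNMARK save/restore), and a check that the owner exclusions sit before any MARK rule in the OUTPUT-side chain. Port 4128, the UIDs and the MARK_DONE variable come from the issue; the chain name GOST_LOCAL, routing table 100 and the proxied ports 80/443 are assumptions.

```shell
#!/bin/sh
# Added example, not the issue author's gist: print (never apply) a minimal
# mangle ruleset that proxies the host's own TCP traffic through gost's TPROXY
# listener with the two loop-prevention ideas from this issue: owner exclusions
# for the proxy users, and CONNMARK save/restore between PREROUTING and OUTPUT.
# Port, UIDs and mark name come from the issue; GOST_LOCAL, table 100 and the
# proxied ports are assumptions.
GOST_PORT=4128        # gost tproxy listener
GOST_UID=1001         # user gost runs as
SQUID_UID=13          # user squid runs as
MARK_DONE=0x1         # fwmark meaning "already diverted"; also drives policy routing
PROXY_PORTS=80,443    # destination ports to proxy transparently (assumed)

gen_rules() {
    cat <<EOF
iptables -t mangle -N GOST_LOCAL
iptables -t mangle -I OUTPUT -p tcp -j GOST_LOCAL
# 1. Loop prevention: whatever gost or squid send themselves is never captured
iptables -t mangle -A GOST_LOCAL -m owner --uid-owner $GOST_UID -j RETURN
iptables -t mangle -A GOST_LOCAL -m owner --uid-owner $SQUID_UID -j RETURN
# 2. Later packets of a diverted connection get their mark back from conntrack
iptables -t mangle -A GOST_LOCAL -m connmark --mark $MARK_DONE -j CONNMARK --restore-mark
iptables -t mangle -A GOST_LOCAL -m mark --mark $MARK_DONE -j RETURN
# 3. New local connections to proxied ports: mark them so policy routing sends them to lo
iptables -t mangle -A GOST_LOCAL -p tcp -m multiport --dports $PROXY_PORTS -j MARK --set-mark $MARK_DONE
# 4. Marked packets re-enter on lo: store the mark in the connection, hand them to gost
iptables -t mangle -A PREROUTING -i lo -p tcp -m mark --mark $MARK_DONE -j CONNMARK --save-mark
iptables -t mangle -A PREROUTING -i lo -p tcp -m mark --mark $MARK_DONE -j TPROXY --on-port $GOST_PORT --tproxy-mark $MARK_DONE/$MARK_DONE
# 5. Policy routing that delivers marked packets locally
ip rule add fwmark $MARK_DONE lookup 100
ip route add local 0.0.0.0/0 dev lo table 100
EOF
}

# Check, usable on gen_rules output or on "iptables-save -t mangle": inside CHAIN,
# every "-j MARK" rule must come after an owner-based RETURN rule, otherwise the
# proxies' own connections get marked and looped back into the proxy.
check_owner_first() {
    awk -v chain="$1" '
        /^#/ || !/-A / { next }
        { for (i = 1; i < NF; i++) if ($i == "-A") { c = $(i + 1); break } }
        c != chain { next }
        /--uid-owner/ && /-j RETURN/ { excluded = 1 }
        /-j MARK/ && !excluded { bad = 1 }
        END { exit bad ? 1 : 0 }'
}
# gen_rules               -> review;  gen_rules | sudo sh -> apply
# iptables-save -t mangle | check_owner_first GOST_LOCAL -> verify a live ruleset
```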