IPTables TPROXY - proxy input and output

iptables_tproxy_example.sh

#!/bin/bash

# target: squid-openssl 4.13 with listener "http_port 127.0.0.1:3129 tproxy"

# see also:
#   https://docs.kernel.org/networking/tproxy.html
#   https://blog.cloudflare.com/mmproxy-creative-way-of-preserving-client-ips-in-spectrum/
#   https://latest.gost.run/en/tutorials/redirect/#forwarding-chain_1

# you might need to enable some iptables/nftables kernel modules:
#   https://docs.kernel.org/networking/tproxy.html#iptables-and-nf-tables-extensions

# you will also have to configure a loopback route if you want to proxy 'output' traffic:
#  echo "200 proxy_loopback" > /etc/iproute2/rt_tables.d/proxy.conf
# these need to be configured persistend (maybe use an interface up-hook)
#  ip rule add fwmark 200 table proxy_loopback
#  ip -6 rule add fwmark 200 table proxy_loopback
#  ip route add local 0.0.0.0/0 dev lo table proxy_loopback
#  ip -6 route add local ::/0 dev lo table proxy_loopback
# can be checked using:
#  ip rule list
#  ip -6 rule list
#  ip -d route show table all

# you might need to set a sysctl:
#   sysctl -w net.ipv4.conf.all.route_localnet=1
# you might want to block 127.0.0.1 on non loopback interfaces if you enable it:
#   iptables -t raw -A PREROUTING ! -i lo -d 127.0.0.0/8 -j DROP
#   iptables -t mangle -A POSTROUTING ! -o lo -s 127.0.0.0/8 -j DROP

MARK_PROXY=200
MARK_DONE=201
PROXY_UID=13
PROXY_PORT=3129
EXCLUDE_NETS=(127.0.0.0/8 192.168.0.0/16 10.0.0.0/8 172.16.0.0/12)

iptables -t mangle -N PROXY_SESSION
iptables -t mangle -A PROXY_SESSION -j MARK --set-mark "$MARK_PROXY"
iptables -t mangle -A PROXY_SESSION -j ACCEPT
iptables -t mangle -A PREROUTING -p tcp -m socket -j PROXY_SESSION
# iptables -t mangle -A PREROUTING -m mark --mark $MARK_PROXY -j LOG --log-prefix "PRE MARK PROXY"
# iptables -t mangle -A PREROUTING -m mark --mark $MARK_DONE -j LOG --log-prefix "PRE MARK DONE"

iptables -t mangle -N PROXY_REDIRECT
iptables -t mangle -A PROXY_REDIRECT -p tcp -m mark --mark "$MARK_DONE" -j RETURN 
for net in "${EXCLUDE_NETS[@]}"
do
  iptables -t mangle -A PROXY_REDIRECT -p tcp -d "$net" -j RETURN
done
iptables -t mangle -A PROXY_REDIRECT -p tcp -j TPROXY --tproxy-mark "$MARK_PROXY/$MARK_PROXY" --on-ip 127.0.0.1 --on-port "$PROXY_PORT" 
iptables -t mangle -A PREROUTING -p tcp -j PROXY_REDIRECT
iptables -t mangle -A PREROUTING -m mark --mark "$MARK_DONE" -j CONNMARK --save-mark

iptables -t mangle -N OUTPUT_LOOP
iptables -t mangle -A OUTPUT_LOOP -m owner --uid-owner "$PROXY_UID" -j RETURN
iptables -t mangle -A OUTPUT_LOOP -m owner --uid-owner "$PROXY2_UID" -j RETURN
iptables -t mangle -A OUTPUT_LOOP -p tcp -m mark --mark "$MARK_DONE" -j RETURN 
for net in "${EXCLUDE_NETS[@]}"
do
  iptables -t mangle -A OUTPUT_LOOP -p tcp -d "$net" -j RETURN
done
iptables -t mangle -A OUTPUT_LOOP -p tcp -d 255.255.255.255/32 -j RETURN
iptables -t mangle -A OUTPUT_LOOP -p tcp -j MARK --set-mark "$MARK_PROXY"

iptables -t mangle -A OUTPUT -m connmark --mark "$MARK_DONE" -j CONNMARK --restore-mark
# iptables -t mangle -A OUTPUT -m mark --mark $MARK_PROXY -j LOG --log-prefix "OUT MARK PROXY"
# iptables -t mangle -A OUTPUT -m mark --mark $MARK_DONE -j LOG --log-prefix "OUT MARK DONE"
iptables -t mangle -A OUTPUT -p tcp -j OUTPUT_LOOP
iptables -t mangle -A OUTPUT -m mark --mark "$MARK_DONE" -j MARK --set-mark 0

For NFTables see: https://gist.github.com/NiceRath/900f115f216c942283584c41baeb209f