Preserving TCP client source IP

raj · December 4, 2019, 6:33pm

My pod is relying on the source IP of a TCP(not HTTP) connection. When I use ingress and istio-proxy for this connection, the pod sees the source IP as 127.0.0.1. I am using TPROXY interception mode (using the pod sidecar annotation). Is it possible to preserve the source IP of the TCP client for this connection?

raj · December 5, 2019, 6:10pm

I got the TCP client source IP in the pod container with the following steps:

Edit “istio” configmap and add “interceptionMode: TPROXY” under defaultConfig.
Add “sidecar.istio.io/interceptionMode: TPROXY” to pod spec
Delete ISTIO_TPROXY rule on the sidecar proxy
-A ISTIO_TPROXY ! -d 127.0.0.1/32 -p tcp -j TPROXY --on-port 15001 --on-ip 0.0.0.0 --tproxy-mark 0x539/0xffffffff
Add PREROUTING rule on for the application service (to avoid the Kubernetes nat)

If there is a better/elegant way to achieve this please let me know.

raj · December 7, 2019, 12:04pm

The above workaround isn’t a proper one as it has bypassed the Istio for this specific service. So, still looking for a solution with Istio ingress and proxy that redirects the source IP to application container.

Steve_Vaughan · August 13, 2020, 3:06pm

I’m running into the same scenario, although in my case the proxy fails entirely. I need a TCP (not HTTP) connection which provides the source IP, which is used by the server to identify the calling client. I’ve tried adding the annotation sidecar.istio.io/interceptionMode: TPROXY, but the end result is that clients are no longer able to connect at all. I can see that the interception mode annotation is recognized, as the init-container arguments include -m REDIRECT.

$ istioctl version
client version: 1.6.8
control plane version: 1.6.8
data plane version: 1.6.8 (8 proxies)

raj · August 13, 2020, 3:57pm

I wasn’t able to get it working and then the orginal_src listener filter solution wasn’t available to me. Could you please check whether the solution provided in https://github.com/istio/istio/issues/5679 and the subsequent PR https://github.com/istio/istio/pull/23275 work for you?

robinbraemer · August 13, 2020, 6:21pm

I have the same problem and am trying to find a solution to get the source tcp ip for months now. :C

Just tested it with sidecar.istio.io/interceptionMode: TPROXY annotation and the EnvoyFilter specified in https://github.com/istio/istio/issues/5679#issuecomment-615241213 but still clients are no longer able to connect at all when using TPROXY.

My workaround until istio can do this is to bypass envoy and route directly to the application by using the traffic.sidecar.istio.io/excludeInboundPorts annotation (https://istio.io/latest/docs/reference/config/annotations/).

Topic		Replies	Views
How to preserve TCP client IP over istio ingress gateway Networking	6	829	April 18, 2023
Preserve source ip of external TCP service (proxy-protocol)	2	669	April 13, 2023
Proxy ingress traffic to a specific pod Networking	0	1202	April 21, 2022
Getting false tcp connection from withing container Networking	6	2210	July 20, 2022
How to handle downstream keep alive connections not closed when upstream closes	3	1044	May 3, 2023

Preserving TCP client source IP

Related Topics