Preserving TCP client source IP

My pod is relying on the source IP of a TCP (not HTTP) connection. When I use ingress and istio-proxy for this connection, the pod sees the source IP as 127.0.0.1. I am using TPROXY interception mode (using the pod sidecar annotation). Is it possible to preserve the source IP of the TCP client for this connection?

I got the TCP client source IP in the pod container with the following steps:

1. Edit the “istio” configmap and add “interceptionMode: TPROXY” under defaultConfig.
2. Add “sidecar.istio.io/interceptionMode: TPROXY” to the pod spec.
3. Delete the ISTIO_TPROXY rule on the sidecar proxy:
   -A ISTIO_TPROXY ! -d 127.0.0.1/32 -p tcp -j TPROXY --on-port 15001 --on-ip 0.0.0.0 --tproxy-mark 0x539/0xffffffff
4. Add a PREROUTING rule for the application service (to avoid the Kubernetes NAT).

If there is a better/elegant way to achieve this please let me know.


The above workaround isn’t a proper one as it has bypassed the Istio for this specific service. So, still looking for a solution with Istio ingress and proxy that redirects the source IP to application container.


I’m running into the same scenario, although in my case the proxy fails entirely. I need a TCP (not HTTP) connection which provides the source IP, which is used by the server to identify the calling client. I’ve tried adding the annotation sidecar.istio.io/interceptionMode: TPROXY, but the end result is that clients are no longer able to connect at all. I can see that the interception mode annotation is recognized, as the init-container arguments include -m REDIRECT.

$ istioctl version
client version: 1.6.8
control plane version: 1.6.8
data plane version: 1.6.8 (8 proxies)

I wasn’t able to get it working and then the original_src listener filter solution wasn’t available to me. Could you please check whether the solution provided in https://github.com/istio/istio/issues/5679 and the subsequent PR https://github.com/istio/istio/pull/23275 work for you?

I have the same problem and am trying to find a solution to get the source tcp ip for months now. :C

Just tested it with sidecar.istio.io/interceptionMode: TPROXY annotation and the EnvoyFilter specified in https://github.com/istio/istio/issues/5679#issuecomment-615241213 but still clients are no longer able to connect at all when using TPROXY.

My workaround until Istio can do this is to bypass Envoy and route directly to the application by using the traffic.sidecar.istio.io/excludeInboundPorts annotation (https://istio.io/latest/docs/reference/config/annotations/).
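For reference, the Istio-side approach the replies above point to (the original_src listener filter from the linked issue) is an EnvoyFilter that attaches the filter to the sidecar's inbound listeners of the TPROXY-annotated pod. The manifest below is an added example written for this thread, not the YAML from the linked issue or PR; the resource name, namespace and the app label are assumptions, and the mark value is assumed to be the decimal form of the 0x539 tproxy-mark in the ISTIO_TPROXY rule quoted in the workaround post.

```yaml
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: tcp-original-src       # assumed name
  namespace: default           # assumed namespace of the TCP workload
spec:
  workloadSelector:
    labels:
      app: tcp-server          # assumed pod label; scope the patch to the TPROXY-annotated pod only
  configPatches:
  - applyTo: LISTENER
    match:
      context: SIDECAR_INBOUND # only the sidecar's inbound (client -> app) path is patched
    patch:
      operation: MERGE         # MERGE appends to the listener's existing listener_filters
      value:
        listener_filters:
        - name: envoy.filters.listener.original_src
          typed_config:
            "@type": type.googleapis.com/envoy.extensions.filters.listener.original_src.v3.OriginalSrc
            # The filter binds the upstream (Envoy -> app) socket to the client's source address
            # and sets SO_MARK on it. 1337 == 0x539, the mark in the ISTIO_TPROXY rule above,
            # assumed to match the fwmark policy-routing rule istio-init installs in TPROXY mode.
            mark: 1337
```

Apply it only alongside the sidecar.istio.io/interceptionMode: TPROXY annotation; in REDIRECT mode the sidecar has no transparent-socket routing and the upstream connection with a foreign source address has no path back to Envoy.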