Preserving TCP client source IP

My pod is relying on the source IP of a TCP(not HTTP) connection. When I use ingress and istio-proxy for this connection, the pod sees the source IP as 127.0.0.1. I am using TPROXY interception mode (using the pod sidecar annotation). Is it possible to preserve the source IP of the TCP client for this connection?

I got the TCP client source IP in the pod container with the following steps:

Edit “istio” configmap and add “interceptionMode: TPROXY” under defaultConfig.
Add “sidecar.istio.io/interceptionMode: TPROXY” to pod spec
Delete ISTIO_TPROXY rule on the sidecar proxy
-A ISTIO_TPROXY ! -d 127.0.0.1/32 -p tcp -j TPROXY --on-port 15001 --on-ip 0.0.0.0 --tproxy-mark 0x539/0xffffffff
Add PREROUTING rule on for the application service (to avoid the Kubernetes nat)

If there is a better/elegant way to achieve this please let me know.

1 Like

The above workaround isn’t a proper one as it has bypassed the Istio for this specific service. So, still looking for a solution with Istio ingress and proxy that redirects the source IP to application container.