iptables
On Linux, the `iptables` block lets mihomo install and manage the firewall rules that make transparent proxying (`tproxy-port` / `redir-port`) actually transparent, that is, the rules that steer traffic into those listeners. On other operating systems the block is ignored.
Options
| Field | Type | Default | Allowed values | Description |
|---|---|---|---|---|
| `enable` | bool | `false` | `true` / `false` | Have mihomo install (and clean up on exit) the iptables rules required for transparent proxying on Linux. |
| `inbound-interface` | string | (unset) | `<interface>` | Restrict the transparent-proxy rules to traffic arriving on this interface (e.g. `eth0`). Empty matches all interfaces. |
| `bypass` | []string | `[]` | `<CIDR>` | Source CIDRs to skip; traffic from these sources is not transparent-proxied. |
| `dns-redirect` | bool | `false` | `true` / `false` | Hijack all outgoing DNS (UDP/53) and answer it locally. Needed when mihomo acts as a router for other hosts; off by default for desktop use. |
Source: config/config.go:338-343 · pinned at v1.19.27 (5184081)
Example
```yaml
tproxy-port: 7895
iptables:
  enable: true
  inbound-interface: eth0
  bypass:
    - 192.168.1.0/24
    - 10.0.0.0/8
  dns-redirect: true
```
Notes
- mihomo must run as root (or with `CAP_NET_ADMIN`) for iptables management to succeed.
- The rules installed are defined in mihomo's source under the tproxy listener (`listener/tproxy/`): they create a custom chain in the `mangle` table and a fwmark with a matching policy route, so marked packets are delivered to the local TPROXY socket.
- When mihomo exits cleanly it removes its rules. After a crash they stay behind and keep redirecting traffic to a port nothing listens on, so connections from the covered sources fail until you clean up with `iptables -t mangle -F MIHOMO` (and the matching NAT chain). Flushing only empties the chain; also remove the jump into it and the fwmark `ip rule` entry, and check `iptables -t mangle -S` and `ip rule` afterwards for leftovers.
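Because a stale or mistyped `iptables` block fails silently in practice (either nothing is proxied, or everything is bypassed), it pays to sanity-check the block before starting mihomo. The following is an added example, not mihomo's own code: it assumes the configuration has already been loaded into a Python dict (for instance with PyYAML) and applies the constraints this page states. The sample configurations are constructed here so it runs offline. One check is an assumption beyond the page's wording: since `dns-redirect` answers hijacked queries "locally", the example requires mihomo's own DNS server (`dns.enable` and `dns.listen`) to be configured.

```python
"""Sanity-check the `iptables` block of a mihomo config (added example, not mihomo code)."""
import ipaddress
import re

# Linux interface names are at most 15 characters (IFNAMSIZ - 1) and may not
# contain whitespace, '/' or ':'.
_IFNAME_RE = re.compile(r"^[^\s/:]{1,15}$")


def check_iptables_block(cfg: dict) -> list[str]:
    """Return the problems found in cfg['iptables']; an empty list means the block looks sane."""
    problems: list[str] = []
    block = cfg.get("iptables") or {}

    enable = block.get("enable", False)
    if not isinstance(enable, bool):
        return [f"iptables.enable must be true/false, got {enable!r}"]
    if not enable:
        return problems  # the rest of the block is ignored when disabled

    # The rules only make sense with a transparent-proxy listener to redirect to.
    port = cfg.get("tproxy-port") or cfg.get("redir-port") or 0
    if not (isinstance(port, int) and 0 < port < 65536):
        problems.append("iptables.enable is true but no valid tproxy-port/redir-port is set")

    iface = block.get("inbound-interface", "")
    if iface and not (isinstance(iface, str) and _IFNAME_RE.match(iface)):
        problems.append(f"inbound-interface {iface!r} is not a valid Linux interface name")

    bypass = block.get("bypass") or []
    if not isinstance(bypass, list):
        problems.append("bypass must be a list of CIDRs")
        bypass = []
    seen: list = []
    for entry in bypass:
        try:
            if not isinstance(entry, str):
                raise ValueError("not a string")
            net = ipaddress.ip_network(entry, strict=True)  # rejects host bits, e.g. 10.0.0.1/8
        except ValueError as exc:
            problems.append(f"bypass entry {entry!r} is not a valid CIDR: {exc}")
            continue
        if net.prefixlen == 0:
            problems.append(f"bypass entry {net} matches every source; nothing would be proxied")
        for earlier in seen:
            if net.version == earlier.version and net.subnet_of(earlier):
                problems.append(f"bypass entry {net} is already covered by {earlier}")
                break
        seen.append(net)

    # Assumption (not stated on the page): hijacked DNS lands on mihomo's own DNS server.
    if block.get("dns-redirect", False) is True:
        dns = cfg.get("dns") or {}
        if not dns.get("enable") or not dns.get("listen"):
            problems.append("dns-redirect needs mihomo's DNS server (dns.enable + dns.listen) to answer the hijacked queries")
    return problems


# Constructed from the page's example, plus a dns block for the redirect to land on.
PAGE_EXAMPLE = {
    "tproxy-port": 7895,
    "dns": {"enable": True, "listen": "0.0.0.0:1053"},
    "iptables": {
        "enable": True,
        "inbound-interface": "eth0",
        "bypass": ["192.168.1.0/24", "10.0.0.0/8"],
        "dns-redirect": True,
    },
}

# Constructed misconfiguration: no port to redirect to, a host address instead of a
# network, a bypass that covers everything, a redundant entry, and no DNS server.
BROKEN_EXAMPLE = {
    "dns": {"enable": False},
    "iptables": {
        "enable": True,
        "inbound-interface": "eth0",
        "bypass": ["10.0.0.1/8", "0.0.0.0/0", "192.168.1.0/24"],
        "dns-redirect": True,
    },
}

if __name__ == "__main__":
    for name, cfg in (("page example", PAGE_EXAMPLE), ("broken example", BROKEN_EXAMPLE)):
        issues = check_iptables_block(cfg)
        print(f"{name}:", "ok" if not issues else "")
        for issue in issues:
            print("  -", issue)
```

The `0.0.0.0/0` check is the one worth keeping even if you drop the rest: a bypass entry covering every source switches transparent proxying off without any error from the firewall.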
