Redirect & TProxy — mihomo

mihomo offers two ways to declare Linux transparent-proxy inbounds: the top-level shortcut keys (redir-port and tproxy-port), or the unified listeners: form (type: redir, type: tproxy).

Top-level shortcuts

Set on the root document; the simplest form:

redir-port: 7892      # TCP only (iptables REDIRECT mode)
tproxy-port: 7893     # TCP + UDP (iptables/nftables TPROXY mode)

Both are documented in detail on the Basics page.

Listener form

For multiple instances or more control, declare under listeners::

type: redir

listeners:
  - name: redir-in
    type: redir
    listen: 127.0.0.1
    port: 7892

RedirOption carries only the inherited BaseOption (listen, port, name).

type: tproxy

Field	Type	Default	Allowed values	Description
udp	bool	false	true | false	Listen for UDP packets too. TPROXY is the only way to do transparent UDP proxying on Linux.

Source: listener/inbound/tproxy.go:13-16 · pinned at v1.19.27 (5184081)

listeners:
  - name: tproxy-in
    type: tproxy
    listen: 0.0.0.0
    port: 7893
    udp: true

iptables setup

REDIRECT (TCP only):

iptables -t nat -N MIHOMO
iptables -t nat -A MIHOMO -d 192.168.0.0/16 -j RETURN
iptables -t nat -A MIHOMO -d 10.0.0.0/8 -j RETURN
iptables -t nat -A MIHOMO -p tcp -j REDIRECT --to-ports 7892
iptables -t nat -A OUTPUT -p tcp -j MIHOMO

TPROXY (TCP + UDP):

iptables -t mangle -N MIHOMO
iptables -t mangle -A MIHOMO -d 192.168.0.0/16 -j RETURN
iptables -t mangle -A MIHOMO -d 10.0.0.0/8 -j RETURN
iptables -t mangle -A MIHOMO -p tcp -j TPROXY --on-port 7893 --tproxy-mark 0x1
iptables -t mangle -A MIHOMO -p udp -j TPROXY --on-port 7893 --tproxy-mark 0x1
iptables -t mangle -A PREROUTING -j MIHOMO

ip rule add fwmark 0x1 table 100
ip route add local 0.0.0.0/0 dev lo table 100

For a clean, mihomo-managed iptables setup, prefer the top-level iptables: block — mihomo installs and tears down the rules itself.

Notes

• The top-level shortcut (tproxy-port) and the listener form (type: tproxy) can coexist. Use the listener form when you need multiple bind addresses or to mix transparent-proxy and other inbound types on the same daemon.
• redir-port and the type: redir listener are TCP only. For transparent UDP, use tproxy-port or type: tproxy with udp: true.
• mihomo's iptables: block (see iptables) automates the rule setup for the standard pattern — set iptables.enable: true and mihomo manages the rules itself.
• TPROXY is Linux-only. On macOS/Windows use TUN instead.

Cross-core notes

• Xray-core uses the Dokodemo-door inbound with streamSettings.sockopt.tproxy for both modes. See Redirect/TProxy — Xray-core.
• sing-box ships dedicated redirect and tproxy inbound types with snake_case names and the same iptables-side requirements. See Redirect/TProxy — sing-box.

Source: listener/inbound/tproxy.go:13-16 · v1.19.27 (5184081)