
Redirect & TProxy — Xray-core

Xray does not have dedicated redirect or tproxy inbound types. Both modes are implemented through the Dokodemo-door inbound combined with `streamSettings.sockopt`.

REDIRECT (Linux iptables NAT)

Use a Dokodemo inbound with `followRedirect: true`:

```json
{
  "inbounds": [{
    "tag": "redir-in",
    "listen": "127.0.0.1",
    "port": 12345,
    "protocol": "dokodemo-door",
    "settings": {
      "network": "tcp",
      "followRedirect": true
    }
  }]
}
```

Then install the iptables REDIRECT rules:

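```sh
iptables -t nat -N XRAY
# Leave private and loopback destinations alone
iptables -t nat -A XRAY -d 192.168.0.0/16 -j RETURN
iptables -t nat -A XRAY -d 10.0.0.0/8 -j RETURN
iptables -t nat -A XRAY -d 172.16.0.0/12 -j RETURN
iptables -t nat -A XRAY -d 127.0.0.0/8 -j RETURN
# Skip Xray's own egress so it is not redirected back to port 12345.
# Requires Xray's outgoing sockets to carry mark 255 (sockopt.mark).
iptables -t nat -A XRAY -m mark --mark 255 -j RETURN
# Redirect all remaining locally generated TCP to the Dokodemo inbound
iptables -t nat -A XRAY -p tcp -j REDIRECT --to-ports 12345
iptables -t nat -A OUTPUT -p tcp -j XRAY
```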

REDIRECT is TCP-only. UDP transparent proxy needs TPROXY.

TPROXY (Linux iptables mangle)

```json
{
  "inbounds": [{
    "tag": "tproxy-in",
    "listen": "0.0.0.0",
    "port": 12345,
    "protocol": "dokodemo-door",
    "settings": {
      "network": "tcp,udp",
      "followRedirect": true
    },
    "streamSettings": {
      "sockopt": {
        "tproxy": "tproxy",
        "mark": 255
      }
    }
  }]
}
```

The matching iptables ruleset (TCP + UDP, with mark-based bypass):

```sh
# Custom chain, hooked into PREROUTING below
iptables -t mangle -N XRAY
# Leave private destinations alone
iptables -t mangle -A XRAY -d 192.168.0.0/16 -j RETURN
iptables -t mangle -A XRAY -d 10.0.0.0/8 -j RETURN
iptables -t mangle -A XRAY -d 172.16.0.0/12 -j RETURN
# Skip packets that carry Xray's own mark (255)
iptables -t mangle -A XRAY -m mark --mark 255 -j RETURN
# Hand remaining TCP and UDP to the inbound on port 12345
iptables -t mangle -A XRAY -p tcp -j TPROXY --on-port 12345 --tproxy-mark 0x1
iptables -t mangle -A XRAY -p udp -j TPROXY --on-port 12345 --tproxy-mark 0x1
iptables -t mangle -A PREROUTING -j XRAY

# Routing rule for the marked packets
ip rule add fwmark 0x1 table 100
ip route add local 0.0.0.0/0 dev lo table 100
```

The `mark: 255` in `sockopt` is applied to Xray's own outgoing sockets. The `-m mark --mark 255 -j RETURN` rule prevents Xray's own egress from re-entering the TPROXY pipeline (loopback prevention).

Notes

  • `followRedirect: true` is required for both modes: it makes Xray read the original pre-NAT destination from the socket (`SO_ORIGINAL_DST` for REDIRECT, `IP_RECVORIGDSTADDR` for TPROXY).
  • TPROXY requires `CAP_NET_ADMIN` (run as root or with the capability).
  • The `sockopt.tproxy` value can be `"redirect"` (same as REDIRECT mode), `"tproxy"`, or `"off"`.
  • For full transparent-proxy guidance on Linux, the Xray docs maintain a script template — search "xray transparent proxy".
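
The check below is an added example, not part of the original page or the Xray project: it cross-checks a Dokodemo config against its iptables rules for the mismatches described above (target port, `followRedirect`, `sockopt.tproxy`, UDP over REDIRECT, missing mark bypass). The `check` function, the sample data, and reading `mark` from the inbound's `sockopt` (as the TPROXY config on this page does) are assumptions.

```python
import json
import re

TARGET = re.compile(r"-j (REDIRECT|TPROXY) --(?:to-ports|on-port) (\d+)")
BYPASS = re.compile(r"-m mark --mark (0[xX][0-9a-fA-F]+|\d+) -j RETURN")

def check(config_text, rules_text):
    """Cross-check dokodemo-door inbounds against iptables rules; return findings."""
    inbounds = {i["port"]: i for i in json.loads(config_text)["inbounds"]
                if i.get("protocol") == "dokodemo-door"}
    rules = [l.split("#")[0] for l in rules_text.splitlines() if " -A " in l]
    # Marks with a RETURN bypass; iptables accepts decimal or 0x-prefixed hex.
    bypassed = {int(v, 16 if v.lower().startswith("0x") else 10)
                for r in rules for v in BYPASS.findall(r)}
    findings = []
    for rule in rules:
        m = TARGET.search(rule)
        if not m:
            continue
        target, port = m.group(1), int(m.group(2))
        inbound = inbounds.get(port)
        if inbound is None:
            findings.append(f"{target} targets port {port}: no dokodemo-door inbound")
            continue
        tag = inbound.get("tag", str(port))
        settings = inbound.get("settings", {})
        sockopt = inbound.get("streamSettings", {}).get("sockopt", {})
        if settings.get("followRedirect") is not True:
            findings.append(f"{tag}: followRedirect is not true")
        if target == "TPROXY" and sockopt.get("tproxy") != "tproxy":
            findings.append(f"{tag}: TPROXY rule needs sockopt.tproxy 'tproxy'")
        if target == "REDIRECT" and "udp" in settings.get("network", "tcp"):
            findings.append(f"{tag}: network lists udp, but REDIRECT is TCP-only")
        if sockopt.get("mark") not in bypassed:
            findings.append(f"{tag}: no RETURN rule for sockopt.mark {sockopt.get('mark')}")
    return list(dict.fromkeys(findings))  # de-duplicate, keep order

# Constructed sample: the page's TPROXY pair with three mistakes introduced.
CONFIG = """{"inbounds": [{"tag": "tproxy-in", "port": 12345,
  "protocol": "dokodemo-door",
  "settings": {"network": "tcp,udp", "followRedirect": true},
  "streamSettings": {"sockopt": {"tproxy": "redirect", "mark": 255}}}]}"""
RULES = """
iptables -t mangle -A XRAY -m mark --mark 254 -j RETURN
iptables -t mangle -A XRAY -p tcp -j TPROXY --on-port 12345 --tproxy-mark 0x1
iptables -t mangle -A XRAY -p udp -j TPROXY --on-port 12346 --tproxy-mark 0x1
"""
if __name__ == "__main__":
    print("\n".join(check(CONFIG, RULES)))
```

An empty list means the config and ruleset agree on every point the check covers; it does not prove the ruleset is loop-free in other respects.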

Cross-core notes

Core Tutorial by Argsment