
Thursday 14 April 2016

Global proxy on the Linux desktop: hev-socks5-tproxy

A SOCKS5-based transparent proxy.

A simple, lightweight socks5 transparent proxy for Linux.

HevSocks5Tproxy is a simple, lightweight transparent proxy for Linux.
Features
  • Redirect TCP connections.
  • Redirect DNS queries. (see server)
  • IPv4/IPv6. (dual stack)

How to Build

Linux:
git clone git://github.com/heiher/hev-socks5-tproxy
cd hev-socks5-tproxy
git submodule init
git submodule update
make
Android:
mkdir hev-socks5-tproxy
cd hev-socks5-tproxy
git clone git://github.com/heiher/hev-socks5-tproxy jni
cd jni
git submodule init
git submodule update
ndk-build

How to Use

Config

main:
  workers: 4

socks5:
  port: 1080
  address: 127.0.0.1

tcp:
  port: 1088
  listen-address: 0.0.0.0

dns:
  port: 5300
  listen-address: 0.0.0.0

#misc:
#  log-file: null # stdout, stderr or file-path
#  log-level: warn # debug, info or error
#  pid-file: /run/hev-socks5-tproxy.pid
#  limit-nofile: -1

Run

bin/hev-socks5-tproxy conf/main.yml

Redirect rules

Global mode

# IPv4
# Base rules
iptables -t nat -N HTPROXY
iptables -t nat -A HTPROXY -d 0.0.0.0/8 -j RETURN
iptables -t nat -A HTPROXY -d 127.0.0.0/8 -j RETURN
iptables -t nat -A HTPROXY -d 169.254.0.0/16 -j RETURN
iptables -t nat -A HTPROXY -d 224.0.0.0/4 -j RETURN
iptables -t nat -A HTPROXY -d 240.0.0.0/4 -j RETURN
# Add RETURN rules here for LAN prefixes (e.g. 192.168.0.0/16) that should not be proxied.

# Bypass socks5 servers. This has to be appended BEFORE the REDIRECT rules:
# the tproxy's own connections to its upstream also traverse nat OUTPUT, and a
# RETURN placed after the catch-all "-p tcp" rule is never reached, so the
# upstream connection would be redirected back into port 1088 (a loop).
# A SOCKS5 server on 127.0.0.1, as in the config above, is already covered by
# the 127.0.0.0/8 RETURN.
iptables -t nat -A HTPROXY -d [SOCKS5_SERVER_ADDRESS] -j RETURN

# Redirect everything else
iptables -t nat -A HTPROXY -p udp --dport 53 -j REDIRECT --to-ports 5300
iptables -t nat -A HTPROXY -p tcp -j REDIRECT --to-ports 1088

# For local host
iptables -t nat -I OUTPUT -j HTPROXY

# For other hosts (tproxy gateway). REDIRECT hands their packets to a local
# listener on the gateway, so the tcp/dns listeners must be bound to an address
# reachable on the inbound interface (listen-address 0.0.0.0 as above works).
iptables -t nat -I PREROUTING -j HTPROXY

# IPv6
# Base rules
ip6tables -t nat -N HTPROXY
ip6tables -t nat -A HTPROXY -d ::1 -j RETURN
ip6tables -t nat -A HTPROXY -d fe80::/10 -j RETURN
ip6tables -t nat -A HTPROXY -d ff00::/8 -j RETURN

# Bypass socks5 servers (again: before the REDIRECT rules)
ip6tables -t nat -A HTPROXY -d [SOCKS5_SERVER_ADDRESS] -j RETURN

# Redirect everything else
ip6tables -t nat -A HTPROXY -p udp --dport 53 -j REDIRECT --to-ports 5300
ip6tables -t nat -A HTPROXY -p tcp -j REDIRECT --to-ports 1088

# For local host
ip6tables -t nat -I OUTPUT -j HTPROXY

# For other hosts (tproxy gateway)
ip6tables -t nat -I PREROUTING -j HTPROXY
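Once the rules above are in place, every redirected connection reaches the listener on port 1088 with its destination rewritten to the local address, so the proxy has to ask conntrack where the client was really going before it can open a SOCKS5 CONNECT. The Python below is an added example, not code from hev-socks5-tproxy, of that per-connection work: read SO_ORIGINAL_DST from the accepted socket, decode the kernel's sockaddr layout, send the RFC 1928 greeting and CONNECT request to the SOCKS5 server (assumed at 127.0.0.1:1080, matching the config above) and relay bytes both ways. The pack_sockaddr_in helper exists only to fabricate sockaddr input for offline testing; the IP addresses used are constructed.

```python
# Added example (not hev-socks5-tproxy's own code): what a REDIRECT-based
# transparent proxy does per connection. Addresses used below are constructed.
import socket
import struct
import threading

SO_ORIGINAL_DST = 80  # <linux/netfilter_ipv4.h>; IP6T_SO_ORIGINAL_DST has the same value


def pack_sockaddr_in(host: str, port: int) -> bytes:
    """Build a sockaddr_in / sockaddr_in6 the way the kernel lays it out (test-input helper)."""
    try:
        addr = socket.inet_pton(socket.AF_INET, host)
    except OSError:
        addr = socket.inet_pton(socket.AF_INET6, host)
        # sin6_family (host order), sin6_port, sin6_flowinfo, sin6_addr, sin6_scope_id
        return struct.pack("=H", socket.AF_INET6) + struct.pack("!HI", port, 0) + addr + bytes(4)
    # sin_family is host byte order; sin_port and sin_addr are network order; 8 bytes padding
    return struct.pack("=H", socket.AF_INET) + struct.pack("!H", port) + addr + bytes(8)


def parse_original_dst(sa: bytes):
    """Decode the sockaddr returned by getsockopt(..., SO_ORIGINAL_DST) into (ip, port)."""
    family = struct.unpack_from("=H", sa, 0)[0]
    if family == socket.AF_INET:
        port, addr = struct.unpack_from("!H4s", sa, 2)
        return socket.inet_ntop(socket.AF_INET, addr), port
    if family == socket.AF_INET6:
        port, _flowinfo, addr = struct.unpack_from("!HI16s", sa, 2)
        return socket.inet_ntop(socket.AF_INET6, addr), port
    raise ValueError("unexpected address family %d" % family)


def original_dst(conn: socket.socket):
    """Ask conntrack where the client was going before nat REDIRECT rewrote the
    destination; without this the listener only ever sees its own 1088 port."""
    if conn.family == socket.AF_INET6:
        raw = conn.getsockopt(socket.IPPROTO_IPV6, SO_ORIGINAL_DST, 28)
    else:
        raw = conn.getsockopt(socket.IPPROTO_IP, SO_ORIGINAL_DST, 16)
    return parse_original_dst(raw)


def socks5_connect_request(host: str, port: int) -> bytes:
    """RFC 1928 CONNECT carrying an IP literal: VER=5 CMD=1 RSV=0 ATYP(1=IPv4, 4=IPv6) ADDR PORT."""
    try:
        atyp, addr = 1, socket.inet_pton(socket.AF_INET, host)
    except OSError:
        atyp, addr = 4, socket.inet_pton(socket.AF_INET6, host)
    return bytes([5, 1, 0, atyp]) + addr + struct.pack("!H", port)


def socks5_reply_code(reply: bytes) -> int:
    """REP field of the server's reply; 0 means the upstream connection is established."""
    if len(reply) < 4 or reply[0] != 5:
        raise ValueError("not a SOCKS5 reply")
    return reply[1]


def _pump(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes one way; turn EOF into a half-close so the other side can drain."""
    try:
        while True:
            buf = src.recv(65536)
            if not buf:
                break
            dst.sendall(buf)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def relay(client: socket.socket, socks5=("127.0.0.1", 1080)) -> None:
    host, port = original_dst(client)
    # This outbound connection traverses nat OUTPUT too: the RETURN rule for
    # [SOCKS5_SERVER_ADDRESS] must precede the REDIRECT rule or it loops back here.
    with client, socket.create_connection(socks5) as up:
        up.sendall(b"\x05\x01\x00")                       # greeting: one method, no auth
        if up.recv(2) != b"\x05\x00":
            raise ConnectionError("SOCKS5 server refused no-auth")
        up.sendall(socks5_connect_request(host, port))
        if socks5_reply_code(up.recv(262)) != 0:
            raise ConnectionError("SOCKS5 CONNECT to %s:%d failed" % (host, port))
        threading.Thread(target=_pump, args=(client, up), daemon=True).start()
        _pump(up, client)


def serve(listen=("0.0.0.0", 1088), socks5=("127.0.0.1", 1080)) -> None:
    """Accept loop for the port the iptables rules above REDIRECT to."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(listen)
        srv.listen(128)
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=relay, args=(conn, socks5), daemon=True).start()


if __name__ == "__main__":
    serve()
```

The CONNECT request sends the original destination as an IP literal (ATYP 1 or 4) because a REDIRECTed connection only carries an address, never a hostname; that is why DNS has to be handled separately by the port 53 rule and the dns listener.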

Per app mode

#!/bin/bash
# /usr/local/bin/tproxy
#
# Runs a command inside a net_cls cgroup whose classid the iptables cgroup match
# keys on, so only that process tree is redirected. Two caveats:
#  - net_cls is a cgroup v1 controller; /sys/fs/cgroup/net_cls does not exist on
#    hosts that boot with only the unified (v2) hierarchy.
#  - chmod 0666 on "tasks" lets every local user move processes into, and out of,
#    the proxied cgroup; use a group-writable mode if that matters on your box.

NET_CLS_DIR="/sys/fs/cgroup/net_cls/tproxy"
NET_CLS_ID=88
TP_TCP_PORT=1088
TP_DNS_PORT=5300

if [ ! -e ${NET_CLS_DIR} ]; then
 # The -D lines remove a stale copy of each rule (they fail harmlessly on the
 # first run, hence stderr is discarded); the -I lines then insert fresh ones
 # at the top of nat OUTPUT.
 sudo sh -c "mkdir -p ${NET_CLS_DIR}; \
  chmod 0666 ${NET_CLS_DIR}/tasks; \
  echo ${NET_CLS_ID} > ${NET_CLS_DIR}/net_cls.classid; \
  iptables -t nat -D OUTPUT -p tcp \
   -m cgroup --cgroup ${NET_CLS_ID} \
   -j REDIRECT --to-ports ${TP_TCP_PORT}; \
  iptables -t nat -D OUTPUT -p udp --dport 53 \
   -m cgroup --cgroup ${NET_CLS_ID} \
   -j REDIRECT --to-ports ${TP_DNS_PORT}; \
  ip6tables -t nat -D OUTPUT -p tcp \
   -m cgroup --cgroup ${NET_CLS_ID} \
   -j REDIRECT --to-ports ${TP_TCP_PORT}; \
  ip6tables -t nat -D OUTPUT -p udp --dport 53 \
   -m cgroup --cgroup ${NET_CLS_ID} \
   -j REDIRECT --to-ports ${TP_DNS_PORT}; \
  iptables -t nat -I OUTPUT -p tcp \
   -m cgroup --cgroup ${NET_CLS_ID} \
   -j REDIRECT --to-ports ${TP_TCP_PORT}; \
  iptables -t nat -I OUTPUT -p udp --dport 53 \
   -m cgroup --cgroup ${NET_CLS_ID} \
   -j REDIRECT --to-ports ${TP_DNS_PORT}; \
  ip6tables -t nat -I OUTPUT -p tcp \
   -m cgroup --cgroup ${NET_CLS_ID} \
   -j REDIRECT --to-ports ${TP_TCP_PORT}; \
  ip6tables -t nat -I OUTPUT -p udp --dport 53 \
   -m cgroup --cgroup ${NET_CLS_ID} \
   -j REDIRECT --to-ports ${TP_DNS_PORT};" 2> /dev/null
fi

# Move this shell into the cgroup; the exec'd command (and its children) inherit it.
echo $$ > ${NET_CLS_DIR}/tasks

exec "$@"

tproxy wget URL
tproxy git clone URL

from https://github.com/heiher/hev-socks5-tproxy
------------------------------

A tproxy was implemented to provide a global proxy together with iptables; the dns forwarder proxies the DNS queries.

hev-socks5-tproxy (https://github.com/heiher/hev-socks5-tproxy) is a SOCKS5-protocol-compatible client, used together with the REDIRECT target of Linux iptables.

Appendix:
Forwarding UDP DNS queries over TCP can currently effectively resist DNS poisoning by certain organizations; this scheme is for the Linux platform.

Download and build the DNS Forwarder:
git clone https://github.com/aa65535/hev-dns-forwarder
cd hev-dns-forwarder
make

Run the DNS Forwarder
bin/hev-dns-forwarder 0.0.0.0 5300 8.8.8.8
# 0.0.0.0 : local listen address
# 5300 : local listen port
# 8.8.8.8 : upstream DNS server

Enable globally on the local host
For a local host: transparently forward all of this machine's DNS queries
sudo iptables -t nat -A OUTPUT -m udp -p udp --dport 53 -j REDIRECT --to-port 5300
Or set the local DNS server to 127.0.0.1 directly and change the forwarder's local listen port to 53.

Enable globally on a gateway
For a gateway server: transparently forward the DNS queries of all hosts the gateway serves
sudo iptables -t nat -A PREROUTING -m udp -p udp --dport 53 -j REDIRECT --to-port 5300

It has been confirmed that switching to TCP transport is not entirely free of problems: for queries of certain domains the GFW still resets the TCP connection.
This forwarder was originally intended to run through a SOCKS5 proxy (CONNECT only); in testing, querying twitter.com via 8.8.8.8 returned the correct answer, so I mistakenly assumed it would not be poisoned.

from https://www.v2ex.com/t/137736
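The forwarder in the post above takes a UDP DNS datagram and re-sends it over TCP. As an added example, not hev-dns-forwarder's own code, the Python below does the same thing: prefix the query with its 2-byte big-endian length (RFC 1035 section 4.2.2), send it to the upstream over TCP, read the framed reply with exact-length reads (a TCP reply can arrive split across segments), and check the transaction ID before returning the answer over UDP. The listen address 0.0.0.0:5300 and upstream 8.8.8.8:53 mirror the command above; build_query exists only to produce a constructed sample query, and roundtrip_via_socketpair only to exercise the framing offline.

```python
# Added example (not hev-dns-forwarder's own code): a UDP-to-TCP DNS forwarder.
# The sample query built with build_query() is constructed for illustration.
import socket
import struct


def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Minimal DNS query: 12-byte header (RD set, one question) + QNAME labels + QTYPE/QCLASS."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def transaction_id(msg: bytes) -> int:
    return struct.unpack_from("!H", msg, 0)[0]


def frame(msg: bytes) -> bytes:
    """RFC 1035 4.2.2: over TCP every message is preceded by its length as a 16-bit big-endian field."""
    if len(msg) > 0xFFFF:
        raise ValueError("DNS message too long for TCP framing")
    return struct.pack("!H", len(msg)) + msg


def read_exact(sock: socket.socket, n: int) -> bytes:
    """recv() may return fewer bytes than asked for; loop until n bytes or EOF."""
    chunks = []
    while n:
        chunk = sock.recv(n)
        if not chunk:
            raise ConnectionError("upstream closed mid-message")
        chunks.append(chunk)
        n -= len(chunk)
    return b"".join(chunks)


def read_framed(sock: socket.socket) -> bytes:
    (length,) = struct.unpack("!H", read_exact(sock, 2))
    return read_exact(sock, length)


def roundtrip_via_socketpair(msg: bytes) -> bytes:
    """Push a framed message through a socketpair in two pieces to show read_exact reassembling it."""
    a, b = socket.socketpair()
    with a, b:
        data = frame(msg)
        a.sendall(data[:5])
        a.sendall(data[5:])
        return read_framed(b)


def forward_over_tcp(query: bytes, upstream=("8.8.8.8", 53), timeout: float = 5.0) -> bytes:
    """Send one UDP-sized query to the upstream over TCP and return the bare reply datagram.
    The upstream leg is TCP, so the "-p udp --dport 53" REDIRECT rule above does not catch it."""
    with socket.create_connection(upstream, timeout=timeout) as tcp:
        tcp.sendall(frame(query))
        reply = read_framed(tcp)
    if transaction_id(reply) != transaction_id(query):
        # A reply with a foreign ID is not ours: drop it rather than hand it to the client.
        raise ValueError("transaction ID mismatch")
    return reply


def serve(listen=("0.0.0.0", 5300), upstream=("8.8.8.8", 53)) -> None:
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as udp:
        udp.bind(listen)
        while True:
            query, client = udp.recvfrom(4096)  # EDNS clients may send more than the classic 512 bytes
            try:
                udp.sendto(forward_over_tcp(query, upstream), client)
            except (OSError, ValueError):
                pass  # the client will retry; a dropped query beats a forged or mismatched answer


if __name__ == "__main__":
    serve()
```

Note what this does and does not buy: the length prefix and the TCP handshake defeat an injector that only races spoofed UDP answers, but, as the post's last paragraph reports, an on-path box that resets TCP connections for specific names is unaffected by the transport change.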
----

Tunnel over Socks5 proxy (tun2socks).

HevSocks5Tunnel

A tunnel over Socks5 proxy.
Features
  • Redirect TCP connections.
  • Redirect DNS queries. (see server)
  • IPv4/IPv6. (dual stack)

How to Build

Linux:
git clone --recursive git://github.com/heiher/hev-socks5-tunnel
cd hev-socks5-tunnel
make
Android:
mkdir hev-socks5-tunnel
cd hev-socks5-tunnel
git clone --recursive git://github.com/heiher/hev-socks5-tunnel jni
ndk-build

How to Use

Config

tunnel:
  # Interface name
  name: tun0
  # Interface MTU
  mtu: 8192
  # IPv4 address
  ipv4:
    address: 10.0.0.2
    gateway: 10.0.0.1
    prefix: 30
  # IPv6 address
  ipv6:
    address: 'fc00::2'
    gateway: 'fc00::1'
    prefix: 126
  # Domain name service
  dns:
    port: 53

socks5:
  # Socks5 server port
  port: 1080
  # Socks5 server address (ipv4/ipv6)
  address: 127.0.0.1

#misc:
   # null, stdout, stderr or file-path
#  log-file: null
   # debug, info, warn or error
#  log-level: warn
   # If present, run as a daemon with this pid file
#  pid-file: /run/hev-socks5-tunnel.pid
   # If present, set rlimit nofile; else use default value
#  limit-nofile: 1024

Run

bin/hev-socks5-tunnel conf/main.yml

# Bypass upstream socks5 server (add "via <gateway>" when the server is not on-link,
# otherwise the kernel will try to ARP for it directly)
sudo ip route add SOCKS5_SERVER dev DEFAULT_IFACE metric 10

# Route others. The tun0 default route is only used if its metric is lower than
# that of the existing default route; check with `ip route` after adding it.
sudo ip route add default dev tun0 metric 20
from https://github.com/heiher/hev-socks5-tunnel