Feature
- IPv4 and IPv6 support, IPv6 works in dual stack mode
- SOCKS5 works in noauth mode
- Buffer copy via bufferevent provided by libevent
- Zero copy via splice() syscall provided by modern Linux kernel
Prerequisite
netfilter_conntrack, iptables NAT/REDIRECT, modern Linux kernel with IPv6 support
Usage
Run transocks-wong -h to check the help text. You can send SIGHUP to dump all connections being handled, and send SIGUSR1 to close all connections manually, which is equivalent to restarting the program. As usual, send SIGTERM or SIGINT to terminate.
Examples:
transocks-wong --listener-addr-port=[::]:8123 --socks5-addr-port=[::1]:1081 --pump-method=splicepump
transocks-wong --listener-addr-port=0.0.0.0:8123 --socks5-addr-port=127.0.0.1:1081
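The "SOCKS5 works in noauth mode" feature as it appears on the wire, per RFC 1928: the greeting, the check on the server's method reply, and the CONNECT request built from a redirected connection's original IPv4 or IPv6 destination. This is an added example, not code from transocks-wong; the function names are hypothetical and the sample destinations are constructed from the ranges listed further down the page.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* RFC 1928 field values */
enum { S5_VER = 0x05, S5_NOAUTH = 0x00, S5_CONNECT = 0x01, S5_IPV4 = 0x01, S5_IPV6 = 0x04 };

/* Greeting: version 5, one method offered, "no authentication required". */
size_t socks5_greeting(uint8_t out[3]) {
    out[0] = S5_VER; out[1] = 1; out[2] = S5_NOAUTH;
    return 3;
}

/* Accept only the reply {05 00}; 0xFF or any other method means stop. */
int socks5_method_ok(const uint8_t *buf, size_t len) {
    return len == 2 && buf[0] == S5_VER && buf[1] == S5_NOAUTH;
}

/* CONNECT request for a redirected connection's original destination (address
 * and port are copied as-is, both are already in network byte order).
 * Returns the request length, or 0 for an unknown family or short buffer. */
size_t socks5_connect_req(const struct sockaddr *dst, uint8_t *out, size_t cap) {
    const struct sockaddr_in *a4 = (const struct sockaddr_in *)dst;
    const struct sockaddr_in6 *a6 = (const struct sockaddr_in6 *)dst;
    int v4 = dst->sa_family == AF_INET;
    size_t alen = v4 ? 4 : 16;
    if ((!v4 && dst->sa_family != AF_INET6) || cap < 4 + alen + 2) return 0;
    out[0] = S5_VER; out[1] = S5_CONNECT; out[2] = 0x00; out[3] = v4 ? S5_IPV4 : S5_IPV6;
    memcpy(out + 4, v4 ? (const void *)&a4->sin_addr : (const void *)&a6->sin6_addr, alen);
    memcpy(out + 4 + alen, v4 ? (const void *)&a4->sin_port : (const void *)&a6->sin6_port, 2);
    return 4 + alen + 2;
}

/* Constructed sample destinations standing in for what the kernel reports. */
size_t demo_req(int family, uint8_t *out, size_t cap) {
    struct sockaddr_in a4 = { .sin_family = AF_INET, .sin_port = htons(443) };
    struct sockaddr_in6 a6 = { .sin6_family = AF_INET6, .sin6_port = htons(443) };
    inet_pton(AF_INET, "149.154.167.50", &a4.sin_addr);
    inet_pton(AF_INET6, "2001:b28:f23f::1", &a6.sin6_addr);
    const struct sockaddr *dst = family == AF_INET ? (const void *)&a4 : (const void *)&a6;
    return socks5_connect_req(dst, out, cap);
}

int main(void) {
    uint8_t req[22];
    size_t n = demo_req(AF_INET6, req, sizeof req);
    for (size_t i = 0; i < n; i++) printf("%02x%c", req[i], i + 1 < n ? ' ' : '\n');
    return 0;
}
```

Because noauth mode performs no authentication, keep the SOCKS5 endpoint on loopback as the two command lines above do, or otherwise restrict who can reach it.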
Other Tips
DNSMasq can be used to add resolved IP addresses to the appropriate IPset.
# /etc/dnsmasq.conf
# <domain> is a placeholder for the domain name(s) to match
ipset=/<domain>/setmefree,setmefree6
Use two IPsets, one for IPv4 and the other for IPv6, so that IPv4 and IPv6 traffic can be redirected simultaneously based on the matching result.
## /etc/firewall.user (OpenWrt)
# This file is interpreted as shell script.
# drop old one
ipset -! destroy setmefree
ipset -! destroy setmefree6
# new ipset syntax, create TCP ipset
ipset -! create setmefree hash:net family inet
ipset -! create setmefree6 hash:net family inet6
# example to add IP range
#telegram IPs
ipset -! add setmefree 91.108.56.0/23
ipset -! add setmefree 91.108.56.0/22
ipset -! add setmefree 91.108.4.0/22
ipset -! add setmefree 149.154.172.0/22
ipset -! add setmefree 149.154.168.0/22
ipset -! add setmefree 149.154.164.0/22
ipset -! add setmefree 109.239.140.0/24
ipset -! add setmefree6 2001:b28:f23f::/48
ipset -! add setmefree6 2001:b28:f23d::/48
ipset -! add setmefree6 2001:67c:4e8::/48
# TCP redirect to TCP transparent proxy listening port
iptables -t nat -I PREROUTING -p tcp -m set --match-set setmefree dst -j REDIRECT --to-port 8123
# requires ip6tables nat module
ip6tables -t nat -I PREROUTING -p tcp -m set --match-set setmefree6 dst -j REDIRECT --to-port 8123
Credit to
from https://github.com/wongsyrone/transocks-wong
TranSocks - Transparent SOCKSifying Proxy
Introduction
What: TranSocks is a transparent proxy that relays traffic through a SOCKS proxy.
Why: If you want to transparently route network traffic through a SOCKS server, then TranSocks is for you. You might need to do this for one or more of the following reasons:
How: TranSocks is a user-space daemon for Linux that does this, in conjunction with Linux IP Tables. You can use TranSocks to only handle traffic from the Linux machine running TranSocks, or you can run it on a Linux router that other machines on your network route through. Many TCP applications will work without modifications. TranSocks currently uses SOCKS version 4 and therefore does not support UDP.
FAQ
Installation
We don't currently distribute binaries, so you will have to compile TranSocks yourself. The source code can be downloaded from anonymous CVS. To compile TranSocks, you will first need a SOCKS client library such as:
Usage
Run TranSocks:
/usr/local/sbin/transocks (or wherever you installed it)
TranSocks takes two options:
TranSocks doesn't need to run as root unless you want it to listen on a privileged port.
You should be running Linux with IP Tables. You will need to set up firewall rules to enable the transparent proxy. The following script creates a SOCKSIFY chain for all TCP traffic destined for hosts outside the local network:
#!/bin/sh
LOCAL_NET=192.168.0.0/16
iptables -t nat -X SOCKSIFY
iptables -t nat -N SOCKSIFY
#Exceptions
iptables -t nat -A SOCKSIFY -o lo -j RETURN
iptables -t nat -A SOCKSIFY --dst 127.0.0.1 -j RETURN
iptables -t nat -A SOCKSIFY --dst $LOCAL_NET -j RETURN
#Avoid feedback loops
# (--cmd-owner is not available in the owner match of newer kernels; there, run
# transocks under its own account and match it with --uid-owner instead)
iptables -t nat -A SOCKSIFY -m owner --cmd-owner transocks -j RETURN
#Log
iptables -t nat -A SOCKSIFY -j LOG -p tcp --syn --log-level info \
    --log-prefix "SOCKSify "
#Send to transocks
iptables -t nat -A SOCKSIFY -p tcp -j REDIRECT --to-port 1211
# Socksify traffic leaving this host:
iptables -t nat -A OUTPUT -p tcp --syn -j SOCKSIFY
# Socksify traffic routing through this host:
iptables -t nat -A PREROUTING -p tcp -s $LOCAL_NET --syn -j SOCKSIFY
Caveats
There's no support for UDP at present.
TranSocks forks and creates a new process to service each connection. This is the simplest way to do it, but it's not very scalable as it is limited by the maximum number of processes.
FTP will only work in passive mode. Other application protocols which similarly use reverse connections will also not work.
TranSocks is best used for those apps that do not support SOCKS natively. Direct usage of SOCKS is likely to have better performance, and certainly has broader protocol support.
Future Work
(Volunteers Welcome)
Contact
Please send bug reports/patches/comments to: mefisk@gmail.com
The latest version of TranSocks is available at: http://TranSocks.sourceforge.net/
from http://transocks.sourceforge.net/