Monday, 2 September 2019

transocks-wong

A redsocks-like transparent IPv4/IPv6 TCP-to-SOCKS5 redirector (for Linux desktop OS only).

Feature

  • IPv4 and IPv6 support, IPv6 works in dual stack mode
  • SOCKS5 works in noauth mode
  • Buffer copy via bufferevent provided by libevent
  • Zero copy via splice() syscall provided by modern Linux kernel

Prerequisite

netfilter_conntrack, iptables NAT/REDIRECT, modern Linux kernel with IPv6 support

Usage

Run transocks-wong -h to check the help text. Send SIGHUP to dump all connections currently being handled, and send SIGUSR1 to close all connections manually, which is equivalent to restarting the program.
As usual, send SIGTERM or SIGINT to terminate.
examples:
transocks-wong --listener-addr-port=[::]:8123 --socks5-addr-port=[::1]:1081 --pump-method=splicepump
transocks-wong --listener-addr-port=0.0.0.0:8123 --socks5-addr-port=127.0.0.1:1081

Other Tips

DNSMasq can be used to add resolved IP addresses to the appropriate IPset.
# /etc/dnsmasq.conf
ipset=//setmefree,setmefree6
Use two IPsets, one for IPv4 and one for IPv6, so that IPv4 and IPv6 traffic can be redirected simultaneously based on the match result.
## /etc/firewall.user (OpenWrt)
# This file is interpreted as a shell script.
# drop old ones
ipset -! destroy setmefree
ipset -! destroy setmefree6
# new ipset syntax, create TCP ipset
ipset -! create setmefree hash:net family inet
ipset -! create setmefree6 hash:net family inet6
# example: add IP ranges
# Telegram IPs
ipset -! add setmefree 91.108.56.0/23
ipset -! add setmefree 91.108.56.0/22
ipset -! add setmefree 91.108.4.0/22
ipset -! add setmefree 149.154.172.0/22
ipset -! add setmefree 149.154.168.0/22
ipset -! add setmefree 149.154.164.0/22
ipset -! add setmefree 109.239.140.0/24

ipset -! add setmefree6 2001:b28:f23f::/48
ipset -! add setmefree6 2001:b28:f23d::/48
ipset -! add setmefree6 2001:67c:4e8::/48
# TCP redirect to TCP transparent proxy listening port
iptables -t nat -I PREROUTING -p tcp -m set --match-set setmefree dst -j REDIRECT --to-port 8123
# requires ip6tables nat module
ip6tables -t nat -I PREROUTING -p tcp -m set --match-set setmefree6 dst -j REDIRECT --to-port 8123

Credit to

from https://github.com/wongsyrone/transocks-wong
------------------------------------------------------------

TranSocks - Transparent SOCKSifying Proxy

Introduction

What: TranSocks is a transparent proxy that relays traffic through a SOCKS proxy.

Why: If you want to transparently route network traffic through a SOCKS server, then TranSocks is for you. You might need to do this for one or more of the following reasons:

  • Your satellite service provider has performance-enhancing proxies that use SOCKS
  • Your network provider only allows SOCKS access to the Internet
  • You want to use an anonymization service such as EFF's Tor Onion Router

How: Transocks is a user-space daemon for Linux that does this, in conjunction with Linux IP Tables. You can use TranSocks to only handle traffic from the Linux machine running TranSocks, or you can run it on a Linux router that other machines on your network route through. Many TCP applications will work without modifications. TranSocks currently uses SOCKS version 4 and therefore does not support UDP.

FAQ

How is TranSocks different from tsocks or socksify?
TranSocks is a network-layer proxy that can run on a Linux router and does not need to control how applications are started. In contrast, tools like tsocks and Dante's socksify are Unix applications that run other applications in an environment that intercepts their calls to the network libraries.

Installation

We don't currently distribute binaries, so you will have to compile TranSocks yourself. The source code can be downloaded from anonymous CVS.

To compile TranSocks, you will first need a SOCKS client library such as:

Usage

Run TranSocks:
/usr/local/sbin/transocks (or wherever you installed it)
TranSocks takes two options:
-f
Normally TranSocks runs as a daemon and logs all messages to syslog. For debugging, you might want it to run in the foreground. -f tells TranSocks to run in the foreground and dump messages to stderr.
-p port
By default, TranSocks listens on 1211. Use this option to make it listen on some other port. Make sure to change the firewall script as well.

Transocks doesn't need to run as root unless you want it to listen on a privileged port.

You should be running Linux with IP Tables. You will need to set up firewall rules to enable the transparent proxy. The following script creates a SOCKSIFY chain for all TCP traffic destined for hosts outside the local network:

#!/bin/sh

LOCAL_NET=192.168.0.0/16

iptables -t nat -X SOCKSIFY
iptables -t nat -N SOCKSIFY
        # Exceptions
iptables -t nat -A SOCKSIFY -o lo -j RETURN
iptables -t nat -A SOCKSIFY --dst 127.0.0.1 -j RETURN
iptables -t nat -A SOCKSIFY --dst $LOCAL_NET -j RETURN
        # Avoid feedback loops (transocks' own connections to the SOCKS server must not be redirected)
iptables -t nat -A SOCKSIFY -m owner --cmd-owner transocks -j RETURN
        # Log
iptables -t nat -A SOCKSIFY -j LOG -p tcp --syn --log-level info \
        --log-prefix "SOCKSify "
        # Send to transocks
iptables -t nat -A SOCKSIFY -p tcp -j REDIRECT --to-port 1211


# Socksify traffic leaving this host:
iptables -t nat -A OUTPUT -p tcp --syn -j SOCKSIFY

# Socksify traffic routing through this host:
iptables -t nat -A PREROUTING -p tcp -s $LOCAL_NET --syn -j SOCKSIFY
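Both transocks-wong and TranSocks rely on the same mechanism: after an iptables REDIRECT, the socket the daemon accept()s no longer carries the client's real destination, so the daemon asks conntrack for it (hence the netfilter_conntrack prerequisite) and then opens that destination through the SOCKS server. The Python below is an added illustration, not code from either project: it decodes the SO_ORIGINAL_DST answer for IPv4 and IPv6 and builds the SOCKS5 noauth CONNECT (what transocks-wong speaks) and the SOCKS4 CONNECT (what TranSocks speaks); option number 80 and the sockaddr layouts are Linux-specific, and all sample addresses are constructed.

```python
import socket
import struct

# Netfilter option number shared by SO_ORIGINAL_DST (level SOL_IP) and
# IP6T_SO_ORIGINAL_DST (level IPPROTO_IPV6); Python's socket module does not define it.
SO_ORIGINAL_DST = 80

def original_dst(sock):
    """Ask nf_conntrack for the address the client dialed before REDIRECT rewrote it."""
    if sock.family == socket.AF_INET:
        return parse_sockaddr(sock.getsockopt(socket.SOL_IP, SO_ORIGINAL_DST, 16))
    return parse_sockaddr(sock.getsockopt(socket.IPPROTO_IPV6, SO_ORIGINAL_DST, 28))

def parse_sockaddr(raw):
    """Decode a Linux sockaddr_in (16 bytes) or sockaddr_in6 (28 bytes) into (host, port)."""
    family = struct.unpack_from("=H", raw, 0)[0]   # sa_family: host byte order
    port = struct.unpack_from("!H", raw, 2)[0]     # sin(6)_port: network byte order
    if family == socket.AF_INET:
        return socket.inet_ntop(socket.AF_INET, raw[4:8]), port
    if family == socket.AF_INET6:                  # bytes 4..7 are sin6_flowinfo
        return socket.inet_ntop(socket.AF_INET6, raw[8:24]), port
    raise ValueError("unexpected address family %d" % family)

def encode_sockaddr(host, port):
    """Inverse of parse_sockaddr; used to construct sample getsockopt output (constructed data)."""
    if ":" in host:
        return (struct.pack("=H", socket.AF_INET6) + struct.pack("!H", port) + b"\0" * 4
                + socket.inet_pton(socket.AF_INET6, host) + b"\0" * 4)
    return (struct.pack("=H", socket.AF_INET) + struct.pack("!H", port)
            + socket.inet_pton(socket.AF_INET, host) + b"\0" * 8)

SOCKS5_GREETING = b"\x05\x01\x00"   # VER=5, one method offered: 0x00 = no authentication

def socks5_connect(host, port):
    """SOCKS5 CONNECT (RFC 1928) carrying the literal IP, so the redirector never resolves names."""
    if ":" in host:
        atyp, addr = b"\x04", socket.inet_pton(socket.AF_INET6, host)
    else:
        atyp, addr = b"\x01", socket.inet_pton(socket.AF_INET, host)
    return b"\x05\x01\x00" + atyp + addr + struct.pack("!H", port)

def socks4_connect(host, port, userid=b""):
    """SOCKS4 CONNECT as used by TranSocks: IPv4 only, NUL-terminated ident string, no auth."""
    return (b"\x04\x01" + struct.pack("!H", port)
            + socket.inet_pton(socket.AF_INET, host) + userid + b"\0")

def socks_reply_ok(data):
    """True when the proxy granted the CONNECT: SOCKS5 REP == 0x00, or SOCKS4 CD == 0x5a."""
    if len(data) < 2:
        return False
    return (data[0] == 0x05 and data[1] == 0x00) or (data[0] == 0x00 and data[1] == 0x5a)
```

In a real daemon original_dst() is called on the accepted socket and its result fed to socks5_connect() or socks4_connect(); the rest is plain byte pumping between the two sockets.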

Caveats

There's no support for UDP at present.

Transocks forks and creates a new process to service each connection. This is the simplest way to do it but it's not very scalable as it is limited by the maximum number of processes.

FTP will only work in passive mode. Other application protocols which similarly use reverse connections will also not work.

Transocks is best used for those apps that do not support SOCKS natively. Direct usage of SOCKS is likely to have better performance, and certainly has broader protocol support.

Future Work

(Volunteers Welcome)

  • UDP / SOCKS 5 support
  • Authentication and authorization

Contact

Please send bug reports/patches/comments to:

mefisk@gmail.com

The latest version of TranSocks is available at:

http://TranSocks.sourceforge.net/

from http://transocks.sourceforge.net/
