darkk / redsocks

transparent TCP-to-proxy redirector
http://darkk.net.ru/redsocks

UDP over redsocks is not working properly #79

Closed cufirod closed 6 years ago

cufirod commented 8 years ago

Many questions regarding UDP and DNS support by redsocks appeared recently. I think that I speak for many people if I say that it is not clear how to properly configure redudp.

First of all, a list of iptables rules for the tproxy solution is crucial and unavailable at the same time. The tutorial from balabit is nice, however it might be too difficult to apply it to a situation with redsocks.

For example I have the simplest possible configuration. My UDP compatible SOCKS5 server listens on localhost port 8888 and my redudp section is:

redudp {
        local_ip = 127.0.0.1;
        local_port = 10053;
        ip = 127.0.0.1;
        port = 8888;
        dest_ip = 8.8.8.8;
        dest_port = 53;
        udp_timeout = 30;
        udp_timeout_stream = 180;
}

My iptables entries are:

iptables -t nat -N REDSOCKS
iptables -t nat -A REDSOCKS -d 192.168.0.0/8 -j RETURN
iptables -t nat -A REDSOCKS -p tcp -j REDIRECT --to-ports 12345
iptables -t nat -A REDSOCKS -p udp --dport 53 -j REDIRECT --to-ports 10053
iptables -t nat -A OUTPUT -m owner --uid-owner user -j REDSOCKS

And I still receive these errors whenever my browser performs a DNS lookup:

1458440135.606360 info redudp.c:546 redudp_first_pkt_from_client(...) [x.x.x.x:y->8.8.8.8:53]: got 1st packet from client
1458440135.606902 notice redudp.c:500 redudp_relay_error(...) [x.x.x.x:y->8.8.8.8:53]: redudp_relay_error
1458440135.606953 info redudp.c:217 redudp_drop_client(...) [x.x.x.x:y->8.8.8.8:53]: Dropping...

Where x.x.x.x is my public IP address and y is a random port selected by the browser.

semigodking commented 8 years ago

Try my fork of redsocks, it works.

cufirod commented 8 years ago

I can confirm that your fork can handle UDP traffic without errors. And the support of shadowsocks is even more awesome.

However, I am still not able to configure TPROXY on my machine. If I run these commands

ip rule add fwmark 0x01/0x01 table 100
ip route add local 0.0.0.0/0 dev lo table 100
iptables -t mangle -N REDSOCKS2
iptables -t mangle -A REDSOCKS2 -p udp -j TPROXY --on-port 10053 --tproxy-mark 0x01/0x01
iptables -t mangle -A PREROUTING -j REDSOCKS2

and I setup redudp to work in the TPROXY mode (I omit dest_ip and dest_port)

redudp {
        local_ip = 127.0.0.1;
        local_port = 10053;
        ip = 127.0.0.1;
        port = 8888;
        udp_timeout = 10;
        //udp_timeout_stream = 180;
}

then I do not see any debug output from redudp. On the other hand, when I use redudp without TPROXY support, then I can clearly see in the debug output that redudp is making connections.

If somebody was able to successfully configure TPROXY for redsocks/redsocks2, could you please share the iptables rules you created? I guess that the commands ip rule and ip route are always the same, however iptables entries can vary among configurations.

There is one more thing that concerns me. Is it not a problem that I run redsocks and iptables on the same machine that I use for testing the connection? Somewhere I have read that TPROXY works only on routers because the PREROUTING chain does not apply to localhost traffic.

I think that it would be beneficial both for the users of redsocks as well as for the users of redsocks2 to have an example of working configuration.

semigodking commented 8 years ago

I think your ip configs are correct. For redsocks2, the redudp config section requires one more parameter: type. Its value can be 'socks5' or 'shadowsocks'. You are right, TPROXY only works for incoming packets.

On 22 March 2016 at 22:39, "cufirod" notifications@github.com wrote:

[quoted text of the previous comment by cufirod omitted]

cufirod commented 8 years ago

I apologize for improperly copying my redudp config section. I was deleting the comments and I accidentally deleted an important line.

TPROXY can be used only on the PREROUTING chain. However, if I am correct, then the command ip route add local 0.0.0.0/0 dev lo table 100 redirects each outgoing packet to the lo interface. Thus this packet is an incoming packet to the lo interface and it can be redirected to TPROXY.

Please correct me if I am wrong. This should mean that the TPROXY method can be used to send outgoing UDP traffic from a device to a proxy server via redsocks running on the same device. Is it correct?

Or am I wrong and there is some reason that TPROXY must be configured on a router?
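The two configuration mistakes the thread turns on (a dest_ip/dest_port line lost while editing, and a redsocks2 redudp section without type) are easy to catch mechanically. This is an added example, not code from redsocks or redsocks2: a small parser for the `name { key = value; }` format shown above, plus a checker whose rules are taken from the thread (dest_ip and dest_port both present means the fixed-destination REDIRECT setup, both absent means TPROXY mode; redsocks2 additionally requires type = socks5 or shadowsocks). The sample config is constructed here.

```python
import re
from typing import Dict, List, Tuple
# Constructed sample (not a project file): the thread's redudp block, then a copy
# with the dest_ip line lost, as in the mis-copied config in the thread.
SAMPLE_CONF = """
redudp {
        local_ip = 127.0.0.1;
        local_port = 10053;
        ip = 127.0.0.1;
        port = 8888;
        dest_ip = 8.8.8.8;
        dest_port = 53;
}
redudp {
        local_ip = 127.0.0.1;
        local_port = 10054;
        ip = 127.0.0.1;
        port = 8888;
        dest_port = 53;  // dest_ip line missing
        //udp_timeout_stream = 180;
}
"""
BLOCK_RE = re.compile(r"(\w+)\s*\{([^}]*)\}")
KV_RE = re.compile(r"^(\w+)\s*=\s*([^;]+);$")

def parse_conf(text: str) -> List[Tuple[str, Dict[str, str]]]:
    """Parse 'name { key = value; ... }' blocks; '//' comments are dropped first."""
    text = re.sub(r"//[^\n]*", "", text)
    blocks = []
    for name, body in BLOCK_RE.findall(text):
        kv: Dict[str, str] = {}
        for line in (l.strip() for l in body.splitlines()):
            if not line:
                continue
            m = KV_RE.match(line)
            if not m:
                raise ValueError(f"{name}: cannot parse {line!r}")
            kv[m.group(1)] = m.group(2).strip()
        blocks.append((name, kv))
    return blocks

def check_redudp(sec: Dict[str, str], fork: str = "redsocks") -> Tuple[bool, List[str]]:
    """Return (tproxy_mode, problems) for one redudp section; rules follow the thread:
    dest_ip/dest_port both set = REDIRECT mode, both omitted = TPROXY mode (redsocks2)."""
    problems = [f"missing {k}" for k in ("local_ip", "local_port", "ip", "port") if k not in sec]
    has_ip, has_port = "dest_ip" in sec, "dest_port" in sec
    if has_ip != has_port:
        problems.append("dest_ip and dest_port must be set together (omit both for TPROXY)")
    if fork == "redsocks2" and sec.get("type") not in ("socks5", "shadowsocks"):
        problems.append("redsocks2 needs type = socks5 or type = shadowsocks")
    return (not has_ip and not has_port), problems
```

Run `check_redudp(sec, fork="redsocks2")` for the fork; with the default it only checks the fields upstream redsocks uses.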

semigodking commented 8 years ago

iproute2 is for routing manipulation. TPROXY is used for PRE routing. Think about what a mess it is if locally generated packets become incoming packets.

On 22 March 2016 at 23:55, "cufirod" notifications@github.com wrote:

[quoted text of the previous comment by cufirod omitted]

darkk commented 6 years ago

Seems that's more or less resolved.

@semigodking thanks for maintaining the fork focused on circumvention :)

1163167506 commented 3 years ago

Redsocks cannot forward the device's own UDP data, because forwarding UDP requires the use of TPROXY. But TPROXY works in the PREROUTING chain. The UDP data of this machine does not go through the PREROUTING chain. Redsocks can work on the router and forward the UDP data of the LAN port devices, because that UDP data does go through PREROUTING.