erebe / wstunnel

Tunnel all your traffic over Websocket or HTTP2 - Bypass firewalls/DPI - Static binary available

Add blacklist or whitelist for socks5 proxy domains #268

Closed nxtreaming closed 1 week ago

nxtreaming commented 2 weeks ago

Is your feature request related to a problem? Please describe. Some domains would be blocked due to restrictions. If such a domain is proxied, it will fail to respond or time out, and it will use up the connection pools.

Describe the solution you'd like. Add a domain filter to skip or block some domains in the socks5 server: --blocked-domains blocked_domains.txt --skipped-domains skipped_domains.txt

Describe alternatives you've considered. None found.

erebe commented 2 weeks ago

Hello,

You can use the --restrict-config flag to pass a config file that restricts which tunnels can be used: https://github.com/erebe/wstunnel/blob/main/restrictions.yaml

In your case, a match on TCP/UDP (as that is what the server is going to receive for socks5) that matches or forbids the hosts you want should work.

nxtreaming commented 2 weeks ago

1) It seems that "restrictions.yaml" is a whitelist; how do I turn it into a blacklist (block specified domains and allow the others)? 2) If my blacklisted domain list is huge (e.g. 20000+ domains), is using restrictions.yaml a proper implementation? I am trying to use a HashSet to store the domain list file in my local development.

thanks.

siepkes commented 1 week ago

Thinking out loud here: perhaps you could put a tool with more extensive filtering capabilities behind wstunnel, such as Squid Proxy? So wstunnel client --> wstunnel server --> Squid proxy --> target?

nxtreaming commented 1 week ago

Thanks for your idea, but Squid is not acceptable because it does not support UDP.

I will try other filter services.

erebe commented 1 week ago

Hello,

You can use a negative match with a regex (a negative lookahead, see https://stackoverflow.com/questions/406230/regular-expression-to-match-a-line-that-doesnt-contain-a-word) to forbid some hosts.

But I agree, if you have thousands of them it is not really practical. In this scenario, I would just blacklist them at the DNS level. Start wstunnel (inside a docker container) and modify your hosts file to point those hosts to 0.0.0.0; this will forbid access to them, as their DNS will not resolve/will be blackholed: https://www.techrepublic.com/article/get-know-linux-hosts-file/
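The two approaches erebe outlines, as an added Python example that is not code from the wstunnel project or from this thread: a negative-lookahead regex that allows every host except a short deny list, a set lookup for a large list (the HashSet idea raised earlier), and the 0.0.0.0 hosts-file lines for the DNS-level blackhole. It assumes the engine that consumes the pattern supports lookahead, which must be checked for the actual deployment; the domain names are constructed.

```python
import re

# Constructed sample deny list; these are not domains from the issue thread.
BLOCKED = ["ads.example.com", "tracker.example.net", "blocked.example.org"]


def normalize(host: str) -> str:
    """Lower-case and strip a trailing dot so 'Ads.Example.COM.' matches the list."""
    return host.strip().lower().rstrip(".")


def build_allow_regex(blocked, include_subdomains: bool = True) -> str:
    """One anchored pattern matching every host EXCEPT the blocked ones (and,
    by default, their subdomains) via a negative lookahead. Fine for a short
    list; thousands of alternatives become slow to compile and hard to audit."""
    alts = []
    for h in blocked:
        h = normalize(h)
        if h:
            esc = re.escape(h)
            alts.append(rf"(?:.+\.)?{esc}" if include_subdomains else esc)
    if not alts:
        return r"^.*$"
    return rf"^(?!(?:{'|'.join(alts)})$).*$"


def host_allowed(host: str, pattern: str) -> bool:
    return re.fullmatch(pattern, normalize(host)) is not None


def blocked_by_set(host: str, blocked_set) -> bool:
    """Large-list alternative: test the host and each parent domain against a
    set, so the cost grows with the label count, not the list size."""
    labels = normalize(host).split(".")
    return any(".".join(labels[i:]) in blocked_set for i in range(len(labels)))


def hosts_file_lines(blocked, sink: str = "0.0.0.0"):
    """DNS-level blackhole from the thread: one hosts(5) entry per domain.
    Note hosts(5) entries are exact names, not wildcards, so subdomains of a
    blocked name are not covered unless listed themselves."""
    return [f"{sink} {normalize(h)}" for h in blocked if normalize(h)]


if __name__ == "__main__":
    pat = build_allow_regex(BLOCKED)
    deny = set(map(normalize, BLOCKED))
    for h in ["example.com", "cdn.ads.example.com", "notads.example.com"]:
        print(h, host_allowed(h, pat), blocked_by_set(h, deny))
    print("\n".join(hosts_file_lines(BLOCKED)))
```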

nxtreaming commented 1 week ago

It's a good idea to make the blocked hosts point to 0.0.0.0.

I have a small question: how does wstunnel perform DNS when I use it as a socks5 proxy server or as a reverse socks5 tunnel?

In the socks5 code, in socks5.rs:

```rust
let mut cfg = Config::::default();
cfg.set_allow_no_auth(true);
cfg.set_dns_resolve(false);
cfg.set_execute_command(false);
cfg.set_udp_support(true);
```

There is "cfg.set_dns_resolve(false)" here; if the socks5 server does not resolve DNS, who does?

Thanks.

erebe commented 1 week ago

It is resolved on the wstunnel server. The wstunnel client only forwards to the server the information that it wants to connect to this host, and it is the server that does the resolution for the requested host.

nxtreaming commented 1 week ago

Is it resolved on the wstunnel client if wstunnel works in reverse tunnel mode?

erebe commented 1 week ago

Yes indeed :+1:

nxtreaming commented 1 week ago

I will use the hosts file at the DNS level to block some domains. It's a better solution than modifying the wstunnel implementation.

Thanks.