nsproxy

nsproxy (namespace proxy) is a Linux-specific command-line tool, makes applications force to use a specific SOCKS5 or HTTP proxy.

Functionally similar to tsocks / proxychains-ng / graftcp, but using a totally different mechanism. It create a TUN device and launch applications in a fresh network_namespace, then connect the TUN device to a user-mode TCP/IP stack and redirect connections through proxy server outside the namespace. Benefiting from the namespace mechanism, it doesn't require any privilege, and will not affect other processes.

It has the following features:

• Support SOCKS5 / HTTP proxy protocols.
• Support TCP / UDP protocols.
• Built-in DNS redirection.
• Works perfectly on static linked applications.
• No privilege required.

USAGE

nsproxy [-H] [-s ] [-p ] [-d ] [-v|-q]

Examples:

Use socks5 proxy

nsproxy dig example.com A

Use http proxy

nsproxy -H curl example.com

Options: -H Use http proxy, not socks5. Note: UDP is NOT supported in http proxy. UDP packets will drop and got an ICMP port unreachable message.

-s Proxy server address. Default value is "127.0.0.1"

-p Proxy server port. Default value is "1080" for socks, "8080" for http

-d DNS redirect, allow following options: -d off Do nothings on DNS, treat as normal UDP packets. -d tcp:// Redirect DNS requests to specified TCP nameserver. -d udp:// Redirect DNS requests to specified UDP nameserver. Default value is "tcp://1.1.1.1"

-v Verbose mode. Use "-vv" or "-vvv" for more verbose.

-q Be quiet.

LIMITATIONS

All {uid,gid} except the current user will be mapped to "/proc/sys/kernel/overflow{uid,gid}". That means file owners except the current user will be shown as 'nobody', and programs like sudo / su will not work.

nsproxy will create a new network_namespace for proxied application, so the networking between inside and outside of the namespace is isolated. There's no route to the inside of the namespace. It's unable to establish a connection to the inside from the outside. In addition, abstract UNIX domain sockets are isolated too.

Connections to loopback addresses will not be proxied, and those addresses are not referenced to the host, they are referenced to the inside of the namespace.

TODO

• HTTP / SOCKS authentication
• IPv6
• fullcone NAT

CREDITS

lwip - A Lightweight TCP/IP stack https://savannah.nongnu.org/projects/lwip/

slirp4netns - User-mode networking for unprivileged network namespaces https://github.com/rootless-containers/slirp4netns

LICENSE

Copyright (C) 2023 NaLan ZeYu nalanzeyu@gmail.com

This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.