semigodking / redsocks

transparent redirector of any TCP/UDP connection to proxy
Apache License 2.0
1.16k stars 246 forks

Enabling Transparent UDP non local traffic redirection using TProxy with Docker #204

Open T0bi-Ethirbirge opened 1 month ago

T0bi-Ethirbirge commented 1 month ago

I'm working on a transparent Shadowsocks server that relays all its traffic through Redsocks. The TCP part works without any problems but the UDP proved difficult. I know TProxy doesn't work on the output chain so I have tried to have a docker container to host the Shadowsocks server and relay the docker container traffic through Redsocks using TProxy. That works because the container traffic would go through the PREROUTING chain first.

iptables commands:

# Mark UDP packets coming from the Shadowsocks container
iptables -t mangle -A PREROUTING -s 172.17.0.2 -p udp -j MARK --set-mark 1
# Hand marked UDP packets to the local redudp listener on port 12346
iptables -t mangle -A PREROUTING -m mark --mark 1 -p udp -j TPROXY --tproxy-mark 1 --on-port 12346
# Route anything carrying mark 1 through table 100, which delivers it locally
ip rule add fwmark 1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100

Redsocks config:

base {
        log_debug = on;
        log_info = on;
        log = stderr;
        daemon = off;
        redirector = iptables;
        reuseport = off;
}

redsocks {
        bind = "127.0.0.1:12345";
        relay = "proxy-ip:proxy-port";
        type = socks5;
        timeout = 10;
        login = "username";
        password = "password";
}

redudp {
        bind = "127.0.0.1:12346";
        relay = "proxy-ip:proxy-port";
        login = "username";
        password = "password";
        type = socks5;
        udp_timeout = 30;
}

Nothing appears on the Redsocks console, nothing gets redirected to Redsocks, and the UDP traffic is blocked.

Using the command sudo iptables -t mangle -L PREROUTING -v -n I can see that the iptables rules match the UDP traffic, but nothing gets sent or redirected.

Any help would be appreciated. Thank you.
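To make the TPROXY side of this concrete, here is a minimal transparent UDP listener of the kind the redudp section of redsocks provides on port 12346. It is an added example written for this issue, not redsocks' own code. It shows the two socket options a TPROXY target needs (IP_TRANSPARENT and IP_RECVORIGDSTADDR) and how the original destination is recovered from the ancillary data; without that the relay has no idea where the client's datagram was headed. The constants IP_RECVORIGDSTADDR/IP_ORIGDSTADDR are taken from the Linux headers because CPython does not expose them, the bind address and port are assumptions matching the config above, and the sockaddr_in builder only exists to construct sample data for the parser.

```python
"""Transparent UDP listener as a TPROXY target (added example, Linux only).

For TPROXY to deliver a datagram to this socket:
  * an iptables TPROXY rule must redirect the packet to a local port, and the
    fwmark/route pair must deliver it locally (as in the rules above),
  * the socket needs IP_TRANSPARENT so it may receive packets whose
    destination is not a local address (needs CAP_NET_ADMIN),
  * the socket needs IP_RECVORIGDSTADDR so the kernel attaches the original
    destination as a control message; that is what a relay forwards to.
"""
import socket
import struct

# From <linux/in.h>; CPython does not export these two.
IP_RECVORIGDSTADDR = 20
IP_ORIGDSTADDR = 20
SOL_IP = getattr(socket, "SOL_IP", 0)
IP_TRANSPARENT = getattr(socket, "IP_TRANSPARENT", 19)


def parse_origdst(cmsg_data: bytes):
    """Decode a struct sockaddr_in carried in an IP_ORIGDSTADDR cmsg."""
    # struct sockaddr_in { sa_family_t sin_family;  /* host order */
    #                      in_port_t   sin_port;    /* network order */
    #                      struct in_addr sin_addr; /* network order */
    #                      char sin_zero[8]; }
    if len(cmsg_data) < 8:
        raise ValueError("sockaddr_in too short")
    (family,) = struct.unpack_from("=H", cmsg_data, 0)
    if family != socket.AF_INET:
        raise ValueError(f"unexpected address family {family}")
    (port,) = struct.unpack_from("!H", cmsg_data, 2)
    return socket.inet_ntoa(cmsg_data[4:8]), port


def original_destination(ancdata):
    """Return (ip, port) from recvmsg() ancillary data, or None if absent."""
    for level, ctype, data in ancdata:
        if level == SOL_IP and ctype == IP_ORIGDSTADDR:
            return parse_origdst(data)
    return None


def build_sockaddr_in(ip: str, port: int) -> bytes:
    """Constructed sample of the cmsg payload the kernel would hand over."""
    return (struct.pack("=H", socket.AF_INET) + struct.pack("!H", port)
            + socket.inet_aton(ip) + bytes(8))


def open_tproxy_socket(bind_addr="0.0.0.0", bind_port=12346):
    """Create the UDP socket the way a TPROXY target needs it (root only).

    bind_addr/bind_port are assumptions. The socket must match the address
    TPROXY redirects to (--on-ip, or the incoming interface's primary address
    when --on-ip is omitted); a wildcard bind with IP_TRANSPARENT matches any.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.setsockopt(SOL_IP, IP_TRANSPARENT, 1)       # CAP_NET_ADMIN required
    s.setsockopt(SOL_IP, IP_RECVORIGDSTADDR, 1)   # request original dst cmsg
    s.bind((bind_addr, bind_port))
    return s


def serve(sock, handler):
    """Receive datagrams and call handler(payload, src, original_dst)."""
    while True:
        data, ancdata, _flags, src = sock.recvmsg(65535, socket.CMSG_SPACE(16))
        dst = original_destination(ancdata)
        if dst is None:
            # Delivered by a plain bind, not by TPROXY: nothing to relay to.
            print(f"{src[0]}:{src[1]} -> ? ({len(data)} bytes, no IP_ORIGDSTADDR)")
            continue
        handler(data, src, dst)


if __name__ == "__main__":
    def show(data, src, dst):
        print(f"{src[0]}:{src[1]} -> {dst[0]}:{dst[1]} ({len(data)} bytes)")

    serve(open_tproxy_socket(), show)
```

Run it as root in place of redudp while the PREROUTING rules are loaded and send a UDP packet from the container: if a line with the real destination prints, TPROXY delivery works and the remaining problem is on the proxy side; if nothing prints even though the iptables counters rise, something between the mangle table and local delivery (the fwmark route, or a firewall chain evaluated after it) is dropping the packet.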

ge9 commented 3 days ago

Actually TPROXY works with the OUTPUT chain: https://v2.hysteria.network/docs/advanced/TPROXY/

But first, can you try turning off the firewall, if any? I learned that ufw's ufw-not-local chain drops TPROXYed packets.

Also, it looks better to change

iptables -t mangle -A PREROUTING -s 172.17.0.2 -p udp -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -m mark --mark 1 -p udp -j TPROXY --tproxy-mark 1 --on-port 12346

to

iptables -t mangle -A PREROUTING -s 172.17.0.2 -p udp -j TPROXY --tproxy-mark 1 --on-port 12346

because --set-mark and --tproxy-mark basically do the same thing.