zfl9 / ipt2socks

A utility that converts transparent-proxy traffic coming from iptables/nftables into socks5 traffic
GNU Affero General Public License v3.0
411 stars 94 forks

Can't forward UDP to a sub-net with tproxy #40

Closed phantomcraft closed 2 years ago

phantomcraft commented 2 years ago

I want to forward UDP from a sub-net to ipt2socks via its tproxy port.

I added these rules:

ip rule add fwmark 1088 table 100
ip route add local default dev eth2 table 100

iptables -t mangle -A OUTPUT -o eth2 -p udp -j MARK --set-mark 1088
iptables -t mangle -A PREROUTING -i eth2 -p udp -j TPROXY --on-ip 10.0.0.1 --on-port 10000 --tproxy-mark 1088

sysctl -w net.ipv4.conf.eth2.forwarding=1

(In the rules above, "eth2" has 10.0.0.1/24 as its IP and the peer has 10.0.0.2/24.)

This is the ipt2socks log:

root@localhost:/home/user# ipt2socks -v --server-addr 127.0.0.1 --server-port 9000 --listen-addr4 10.0.0.1 --listen-port 10000 --udp-only
2021-10-08 22:07:11 INF: [main] server address: 127.0.0.1#9000
2021-10-08 22:07:11 INF: [main] listen address: 10.0.0.1#10000
2021-10-08 22:07:11 INF: [main] listen address: ::1#10000
2021-10-08 22:07:11 INF: [main] udp cache maximum size: 256
2021-10-08 22:07:11 INF: [main] udp socket idle timeout: 60
2021-10-08 22:07:11 INF: [main] number of worker threads: 1
2021-10-08 22:07:11 INF: [main] enable udp transparent proxy
2021-10-08 22:07:11 INF: [main] verbose mode (affect performance)
2021-10-08 22:07:18 INF: [udp_tproxy_recvmsg_cb] recv from 10.0.0.2#42208, nrecv:45
2021-10-08 22:07:18 INF: [udp_tproxy_recvmsg_cb] try to connect to 127.0.0.1#9000 ...
2021-10-08 22:07:18 INF: [udp_socks5_connect_cb] connect to 127.0.0.1#9000 succeeded
2021-10-08 22:07:18 INF: [udp_socks5_send_authreq_cb] send to 127.0.0.1#9000, nsend:3
2021-10-08 22:07:18 INF: [udp_socks5_recv_authresp_cb] recv from 127.0.0.1#9000, nrecv:2
2021-10-08 22:07:18 INF: [udp_socks5_recv_authresp_cb] send to 127.0.0.1#9000, nsend:10
2021-10-08 22:07:18 INF: [udp_socks5_recv_proxyresp_cb] recv from 127.0.0.1#9000, nrecv:10
2021-10-08 22:07:18 INF: [udp_socks5_recv_proxyresp_cb] send to 1.1.1.1#53, nsend:55
2021-10-08 22:07:18 INF: [udp_socks5_recv_udpmessage_cb] recv from 1.1.1.1#53, nrecv:59
2021-10-08 22:07:18 INF: [udp_socks5_recv_udpmessage_cb] send to 10.0.0.2#42208, nsend:49
2021-10-08 22:07:23 INF: [udp_tproxy_recvmsg_cb] recv from 10.0.0.2#42208, nrecv:45
2021-10-08 22:07:23 INF: [udp_tproxy_recvmsg_cb] send to 1.1.1.1#53, nsend:55
2021-10-08 22:07:23 INF: [udp_socks5_recv_udpmessage_cb] recv from 1.1.1.1#53, nrecv:59
2021-10-08 22:07:23 INF: [udp_socks5_recv_udpmessage_cb] send to 10.0.0.2#42208, nsend:49
2021-10-08 22:07:28 INF: [udp_tproxy_recvmsg_cb] recv from 10.0.0.2#42208, nrecv:45
2021-10-08 22:07:28 INF: [udp_tproxy_recvmsg_cb] send to 1.1.1.1#53, nsend:55
2021-10-08 22:07:28 INF: [udp_socks5_recv_udpmessage_cb] recv from 1.1.1.1#53, nrecv:59
2021-10-08 22:07:28 INF: [udp_socks5_recv_udpmessage_cb] send to 10.0.0.2#42208, nsend:49

This is the socks5 server log:

user@localhost:~$ socks -l -p9000
211009020629.225 9000 00000 - 0.0.0.0:9000 0.0.0.0:0 0 0 0 Accepting connections [23981/4196337472]
211009020706.622 9000 00000 - 127.0.0.1:39238 1.1.1.1:53 135 147 0 UDPMAP 0.0.0.0:0
phantomcraft commented 2 years ago

Just to complement: the connections come from the 10.0.0.2 address; perhaps this is what causes this error. Maybe ipt2socks only works with the 127.0.0.1 address?

zfl9 commented 2 years ago

Perhaps. I have never used ipt2socks this way; I always listen on the 127.0.0.1 address.

phantomcraft commented 2 years ago

The tproxy server and socks5 server are working:

[Screenshot from 2021-10-10 21-20-24]

I think my iptables rules are missing something, which prevents the UDP packets from going through the sub-net (eth2).

Can someone help me?

phantomcraft commented 2 years ago

I removed the rule in the OUTPUT chain and now it works fine:

ip netns add nsx
ip li add vethx type veth peer name peerx netns nsx
ip li set vethx up
ip addr add 10.0.0.1/24 dev vethx
ip netns exec nsx ip li set lo up
ip netns exec nsx ip li set peerx up
ip netns exec nsx ip addr add 10.0.0.2/24 dev peerx
ip netns exec nsx ip route add default via 10.0.0.1 dev peerx

ip rule add fwmark 1088 table 100
ip route add local default dev vethx table 100

iptables -t mangle -A PREROUTING -i vethx -p udp -j TPROXY --on-ip 10.0.0.1 --on-port 10000 --tproxy-mark 1088

sysctl -w net.ipv4.conf.vethx.forwarding=1

root@localhost:/home/user# ip netns exec nsx dig @1.1.1.1 g.co

; <<>> DiG 9.16.15-Debian <<>> @1.1.1.1 g.co
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1000
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;g.co.              IN  A

;; ANSWER SECTION:
g.co.           254 IN  A   142.250.219.238

;; Query time: 24 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Mon Oct 11 00:58:48 EDT 2021
;; MSG SIZE  rcvd: 49
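The working setup from the last comment, as an added example that is not part of the issue thread or of the ipt2socks project. It wraps the same routing and TPROXY rules (interface vethx, 10.0.0.1, port 10000, mark 1088, table 100, all taken from the thread) in a script with a dry-run switch, a teardown, and a check that the mangle OUTPUT chain carries no MARK rule for that fwmark. The function names, the RUN dry-run variable and the check are my own. The reason the OUTPUT rule broke things is not spelled out in the thread; the explanation in the comments is my reading of it: a MARK rule in mangle OUTPUT also tags the replies ipt2socks sends back to 10.0.0.2, the fwmark rule then steers those replies into the "local default" table, and they are delivered to the local stack instead of leaving vethx.

```shell
#!/bin/sh
# Added example, not code from the issue or from ipt2socks. Values are the ones
# used in the thread; helper names and the dry-run switch are assumptions.
set -eu

IFACE=${IFACE:-vethx}           # gateway-side interface facing the client sub-net
LOCAL_IP=${LOCAL_IP:-10.0.0.1}  # address ipt2socks listens on (--listen-addr4)
TPROXY_PORT=${TPROXY_PORT:-10000}
MARK=${MARK:-1088}
TABLE=${TABLE:-100}
RUN=${RUN:-}                    # RUN=echo prints the commands instead of running them

# Policy routing: packets carrying the tproxy mark are handed to the local stack
# even though their destination address is not one of ours.
setup_routing() {
    $RUN ip rule add fwmark "$MARK" table "$TABLE"
    $RUN ip route add local default dev "$IFACE" table "$TABLE"
}

# Only PREROUTING is touched. A MARK rule in mangle OUTPUT (the first attempt in
# the thread) would also tag the replies ipt2socks sends to the client; the
# fwmark rule would then route them via the "local default" table and they
# would never leave $IFACE (my reading of why removing that rule fixed it).
setup_tproxy() {
    $RUN sysctl -w "net.ipv4.conf.$IFACE.forwarding=1"
    $RUN iptables -t mangle -A PREROUTING -i "$IFACE" -p udp \
        -j TPROXY --on-ip "$LOCAL_IP" --on-port "$TPROXY_PORT" --tproxy-mark "$MARK"
}

teardown() {
    $RUN iptables -t mangle -D PREROUTING -i "$IFACE" -p udp \
        -j TPROXY --on-ip "$LOCAL_IP" --on-port "$TPROXY_PORT" --tproxy-mark "$MARK" || true
    $RUN ip route del local default dev "$IFACE" table "$TABLE" || true
    $RUN ip rule del fwmark "$MARK" table "$TABLE" || true
}

# Reads an `iptables -t mangle -S OUTPUT` dump on stdin and returns 0 only when
# no rule in it sets our mark (iptables -S renders MARK as --set-xmark 0x<hex>/...).
output_chain_is_clean() {
    if grep -q -- "-j MARK --set-xmark 0x$(printf '%x' "$MARK")/"; then
        return 1
    fi
    return 0
}

case "${1:-}" in
    up)    setup_routing; setup_tproxy ;;
    down)  teardown ;;
    check) iptables -t mangle -S OUTPUT | output_chain_is_clean \
               && echo "mangle OUTPUT does not mark $MARK" ;;
    *)     echo "usage: $0 up|down|check" >&2 ;;
esac
```

Run it as root with `up`, point ipt2socks at the same address and port (`--listen-addr4 10.0.0.1 --listen-port 10000 --udp-only`), and use `check` after any later firewall change to confirm nobody re-added an OUTPUT MARK rule for the tproxy mark. Note that the PREROUTING rule, like the one in the thread, intercepts every UDP packet arriving on the interface; if the gateway itself should stay reachable over UDP from the sub-net, add a destination exclusion such as `! -d 10.0.0.0/24` (my suggestion, not something the thread does).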