zfl9 / ipt2socks

A utility that converts transparent-proxy traffic handed over by iptables/nftables into SOCKS5 traffic
GNU Affero General Public License v3.0

[Question] How can I forward traffic across network namespaces with ipt2socks? #44

Closed phantomcraft closed 1 year ago

phantomcraft commented 1 year ago

I'm trying to forward traffic across namespaces, basically I set up a transparent proxy inside a network namespace and forward the traffic to another one.

I create namespaces and set up all the rest with:

```
ip netns add nsx
ip netns add nsy
ip link add vethx type veth peer name peerx netns nsx
ip link set vethx up
ip address add 10.0.0.1/24 dev vethx
ip netns exec nsx ip link set peerx up
ip netns exec nsx ip address add 10.0.0.2/24 dev peerx
ip netns exec nsx ip link add vethy type veth peer name peery netns nsy
ip netns exec nsx ip link set vethy up
ip netns exec nsx ip address add 10.0.1.1/24 dev vethy
ip netns exec nsx sysctl -w net.ipv4.conf.peerx.forwarding=1
ip netns exec nsx sysctl -w net.ipv4.conf.vethy.forwarding=1
ip netns exec nsx sysctl -w net.ipv4.ip_forward=1
ip netns exec nsy ip link set peery up
ip netns exec nsy ip address add 10.0.1.2/24 dev peery
ip netns exec nsy ip route add default via 10.0.1.1 dev peery
```

Rules are added in the network namespace "nsx":

```
ip netns exec nsx ip rule add fwmark 1088 table 100
ip netns exec nsx ip route add local default dev vethy table 100
```

The iptables rule is added:

```
ip netns exec nsx iptables -t mangle -A PREROUTING -i vethy -p tcp -j TPROXY -s 10.0.1.2 --on-ip 10.0.0.1 --on-port 19040 --tproxy-mark 1088
```

But when I try to connect I get this:

```
root@localhost:/home/user# dig @1.1.1.1 duckduckgo.com

; <<>> DiG 9.18.1-1-Debian <<>> @1.1.1.1 duckduckgo.com
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached
```

============================

So, what can be done to make the connection be made successfully?

phantomcraft commented 1 year ago

@zfl9

As I tested, TPROXY can't send packets to a non-local address in my scheme. Is there a way to make TPROXY "see" the address passed with the --on-ip option if this address is non-local?

zfl9 commented 1 year ago

I'm not very familiar with Linux namespaces, so I can't help you with this :rofl:

phantomcraft commented 1 year ago

After reading a lot, I realized that the listening port for TPROXY must be bound on a local address, not an external one, so my scheme cannot work.

Closing this.
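The constraint the thread arrives at (the TPROXY target must be a socket bound in the same network namespace as the rule, on an address that namespace owns) can be met by running ipt2socks inside nsx and pointing `--on-ip` at nsx's own vethy address, 10.0.1.1, instead of the root namespace's 10.0.0.1. The script below is an added example, not code from the ipt2socks project or from anyone in the thread. It keeps the veth/namespace setup from the first post as a prerequisite and reuses its addresses, mark and table; it assumes a SOCKS5 server reachable from nsx at 10.0.0.1:1080 in the root namespace (hypothetical) and the ipt2socks options `-b`, `-l`, `-s`, `-p` as listed in the project's `--help` (check them against your build). The local route is installed on `lo`, the usual TPROXY recipe, rather than on vethy, and a UDP rule is added next to the TCP one because `dig` uses UDP by default.

```sh
#!/bin/sh
# Added example, not from the ipt2socks project or the issue author.
# TPROXY setup in which the ipt2socks listener lives in the SAME namespace
# (nsx) as the mangle rule and binds an address that nsx itself owns.
# Prerequisite: the veth/namespace commands from the first post have run.
# Assumptions (hypothetical): a SOCKS5 server at 10.0.0.1:1080 in the root
# namespace; ipt2socks on PATH; run as root. DRY_RUN=1 prints the commands.

NS_MID=nsx          # namespace holding the TPROXY rule and the listener
TPROXY_IP=10.0.1.1  # vethy's address: local to nsx, so TPROXY can deliver to it
TPROXY_PORT=19040
MARK=1088
TABLE=100
SOCKS_ADDR=10.0.0.1 # hypothetical SOCKS5 server reachable via peerx
SOCKS_PORT=1080

# Execute a command, or echo it when DRY_RUN is set.
run() {
    if [ -n "$DRY_RUN" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Run a command inside nsx.
in_mid() { run ip netns exec "$NS_MID" "$@"; }

# Check that an address is assigned to some interface inside a namespace;
# this is the property the --on-ip address must have.
is_local_in_ns() {
    # $1 = namespace, $2 = IPv4 address
    ip netns exec "$1" ip -o -4 addr show | grep -q " inet $2/"
}

# Policy routing: marked packets are treated as locally destined, so the
# kernel hands them to the TPROXY-bound socket instead of forwarding them.
setup_routing() {
    in_mid ip rule add fwmark "$MARK" table "$TABLE"
    in_mid ip route add local 0.0.0.0/0 dev lo table "$TABLE"
}

# Intercept nsy's TCP and UDP arriving on vethy. --on-ip is nsx's own address.
setup_tproxy_rules() {
    for proto in tcp udp; do
        in_mid iptables -t mangle -A PREROUTING -i vethy -s 10.0.1.2 -p "$proto" \
            -j TPROXY --on-ip "$TPROXY_IP" --on-port "$TPROXY_PORT" --tproxy-mark "$MARK"
    done
}

# ipt2socks runs inside nsx and binds the same local address the rule targets,
# then talks to the SOCKS5 server in the root namespace through peerx.
start_ipt2socks() {
    in_mid ipt2socks -b "$TPROXY_IP" -l "$TPROXY_PORT" -s "$SOCKS_ADDR" -p "$SOCKS_PORT"
}

main() {
    if [ -z "$DRY_RUN" ] && ! is_local_in_ns "$NS_MID" "$TPROXY_IP"; then
        echo "error: $TPROXY_IP is not local to namespace $NS_MID; TPROXY cannot target it" >&2
        exit 1
    fi
    setup_routing
    setup_tproxy_rules
    start_ipt2socks
}

case "${1:-}" in
    apply)   main ;;
    dry-run) DRY_RUN=1; main ;;
esac
```

`sh tproxy-nsx.sh dry-run` prints the exact commands; `sudo sh tproxy-nsx.sh apply` refuses to install anything if 10.0.1.1 is not assigned inside nsx, which is the mistake the original setup made with 10.0.0.1. The UDP rule only helps if the upstream SOCKS5 server supports UDP ASSOCIATE; otherwise drop `udp` from the loop.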