joebloest, 2021-09-24 23:40:26
linux

Iptables - how to proxy socks5 to eth0?

I need help, paid or free - it doesn't matter!

I want to make a router out of a Raspberry Pi, but there are no manuals for this.

The Raspberry Pi connects to the Internet over Wi-Fi (wlan0). OpenVPN runs on it, with Tor over the VPN, and the traffic that has gone through Tor is then routed to the LAN port, eth0.

The computer connected to the Raspberry Pi over the LAN gets its Internet through Tor, and Tor in turn goes through the VPN.
When Tor or the VPN goes down, the Internet on eth0 goes down too.

There are plenty of manuals for the reverse setup, where the Internet comes in over the wire and the VPN goes out over Wi-Fi.

I chose REDSOCKS as the proxy software

Tor listens on the local port 127.0.0.1:1080.

I configured iptables so that traffic cannot bypass OpenVPN, so Tor only works when the VPN is connected.

Next I checked the simplest option, without redsocks: routing traffic from tun0 to eth0. The computer connected through eth0 can ping, but that only goes through the VPN.

What remains is to correctly route the incoming and outgoing traffic on eth0 into redsocks.

echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf

Working iptables option: VPN routing to eth0

# Generated by xtables-save
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o tun0 -j MASQUERADE
COMMIT
# Completed
# Generated by xtables-save
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -j ACCEPT
-A INPUT -s 185.111.111.111/32 -p tcp -m tcp --sport 443 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -i eth0 -j ACCEPT
-A FORWARD -i eth0 -o tun0 -j ACCEPT
-A FORWARD -i tun0 -o eth0 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o eth0 -j ACCEPT
-A OUTPUT -o tun0 -j ACCEPT
-A OUTPUT -d 185.111.111.111/32 -o wlan0 -p tcp -m tcp --dport 443 -j ACCEPT
-A OUTPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed


Non-working option, where eth0 should be routed into redsocks

# Generated by xtables-save
*nat
:PREROUTING ACCEPT [2:143]
:INPUT ACCEPT [1:67]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [4:268]
:REDSOCKS - [0:0]
-A PREROUTING -i eth0 -p tcp -j REDSOCKS
-A PREROUTING -i eth0 -p udp -m udp --dport 53 -j REDSOCKS
-A POSTROUTING -o tun0 -j MASQUERADE
-A OUTPUT -p tcp -m tcp --dport 53 -j REDSOCKS
-A REDSOCKS -d 0.0.0.0/8 -j RETURN
-A REDSOCKS -d 10.0.0.0/8 -j RETURN
-A REDSOCKS -d 127.0.0.0/8 -j RETURN
-A REDSOCKS -d 169.254.0.0/16 -j RETURN
-A REDSOCKS -d 172.16.0.0/12 -j RETURN
-A REDSOCKS -d 192.168.0.0/16 -j RETURN
-A REDSOCKS -d 224.0.0.0/4 -j RETURN
-A REDSOCKS -d 240.0.0.0/4 -j RETURN
-A REDSOCKS -p tcp -j REDIRECT --to-ports 10080
-A REDSOCKS -p udp -m udp --dport 53 -j REDIRECT --to-ports 1053
COMMIT
# Completed
# Generated by xtables-save
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -j ACCEPT
-A INPUT -s 185.111.111.111/32 -p tcp -m tcp --sport 443 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -i eth0 -j ACCEPT
-A FORWARD -i eth0 -o tun0 -j ACCEPT
-A FORWARD -i tun0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o eth0 -j ACCEPT
-A OUTPUT -o tun0 -j ACCEPT
-A OUTPUT -d 185.111.111.111/32 -o wlan0 -p tcp -m tcp --dport 443 -j ACCEPT
-A OUTPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed


REDSOCKS
Redsocks config. Redsocks was compiled without shadowsocks, but that is not needed for socks5.

base {
  // debug: connection progress & client list on SIGUSR1
  log_debug = off;

  // info: start and end of client session
  log_info = on;

  /* possible `log' values are:
   *   stderr
   *   "file:/path/to/file"
   *   syslog:FACILITY  facility is any of "daemon", "local0"..."local7"
   */
  log = stderr;
  // log = "file:/path/to/file";
  // log = "syslog:local7";

  // detach from console
  daemon = off;

  /* Change uid, gid and root directory; these options require root
   * privileges on startup.
   * Note, your chroot may require /etc/localtime if you write log to syslog.
   * Log is opened before chroot & uid changing.
   * Debian, Ubuntu and some other distributions use `nogroup` instead of
   * `nobody`, so change it according to your system if you want redsocks
   * to drop root privileges.
   */
  // user = nobody;
  // group = nobody;
  // chroot = "/var/chroot";

  /* possible `redirector' values are:
   *   iptables   - for Linux
   *   ipf        - for FreeBSD
   *   pf         - for OpenBSD
   *   generic    - some generic redirector that MAY work
   */
  redirector = iptables;

  /* Override per-socket values for TCP_KEEPIDLE, TCP_KEEPCNT,
   * and TCP_KEEPINTVL. see man 7 tcp for details.
   * `redsocks' relies on SO_KEEPALIVE option heavily. */
  //tcp_keepalive_time = 0;
  //tcp_keepalive_probes = 0;
  //tcp_keepalive_intvl = 0;

  /* Enable or disable Linux 3.9+ specific socket option SO_REUSEPORT.
   * Some older versions of Linux like CentOS 6.5 (Kernel 2.6.32) also
   * support this option.
   * Default to off.
   */
  reuseport = off;
}

redsocks {
  /* `bind' defaults to 127.0.0.1:0 for security reasons,
   * use 0.0.0.0 if you want to listen on every interface.
   * `bind' are used as ip:port to redirect to.
   */
  bind = "0.0.0.0:10080";

  // listen() queue length. Default value is SOMAXCONN and it should be
  // good enough for most of us.
  // listenq = 128; // SOMAXCONN equals 128 on my Linux box.

  // `max_accept_backoff` is a delay to retry `accept()` after accept
  // failure (e.g. due to lack of file descriptors). It's measured in
  // milliseconds and maximal value is 65535. `min_accept_backoff` is
  // used as initial backoff value and as a damper for `accept() after
  // close()` logic.
  // min_accept_backoff = 100;
  // max_accept_backoff = 60000;

  // `relay` is IP address and port of proxy-server. Domain name is not
  // supported yet.
  // Can be:
  //     [IPv6Address]:port
  //     [IPv6Address]
  //     IPv6Address
  //     IPv4Address:port
  //     IPv4Address
  // If no port is given, 0 is used. Usually, a valid port is required.
  relay = "127.0.0.1:1080";

  // known types: socks4, socks5, http-connect, http-relay
  // New types: direct, shadowsocks, https-connect
  // For type direct:
  //     if `relay` is not specified, connections will be forwarded to
  // original destinations.
  //     if `relay` is filled with valid IP address, connections will be
  // forwarded to IP address defined in `relay`. It is useful when you
  // just want to forward connections to a specific IP address without
  // transparent proxy. E.g. forward IPv4:port to IPv6:port.
  type = socks5;

  // Specify interface for outgoing connections.
  // This is useful when you have multiple connections to
  // internet or when you have VPN connections.
  // interface = tun0;

  // Change this parameter to 1 if you want auto proxy feature. 
  // When autoproxy is set to non-zero, the connection to target
  // will be made directly first. If direct connection to target
  // fails for timeout/connection refuse, redsocks will try to
  // connect to target via the proxy.
  autoproxy = 0;
  // timeout is meaningful when 'autoproxy' is non-zero.
  // It specifies the timeout value when trying to connect to the destination
  // directly. Default is 10 seconds. When it is set to 0, default
  // timeout value will be used.
  timeout = 10;

  // login = "foobar";// field 'login' is reused as encryption
             // method of shadowsocks
  // password = "baz";
}



tcpdns {
  // Transform UDP DNS requests into TCP DNS requests.
  // You can also redirect connections to external TCP DNS server to
  // REDSOCKS transparent proxy via iptables.
  bind = "0.0.0.0:1053"; // Local server to act as DNS server
  tcpdns1 = "8.8.4.4:53";    // DNS server that supports TCP DNS requests
  tcpdns2 = "8.8.8.8" ;      // DNS server that supports TCP DNS requests
  timeout = 4;               // Timeout value for TCP DNS requests
}


How do I configure iptables correctly for the second, non-working option, or is the problem something else?
Who can help solve this?
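The two rulesets in the question are the natural input for a static check. The following is an added example, not code from the question: a small Python script that parses iptables-save / xtables-save output and flags ACCEPT rules in the filter table's OUTPUT and FORWARD chains that are not pinned to an output interface, or that are pinned to the uplink (wlan0, as in the question) without a destination, plus chains that do not end in a deny. The embedded dump is constructed from the filter table of the "working option" above. Run on it, the check reports `-A FORWARD -i eth0 -j ACCEPT`: that rule has no `-o`, so it shadows the `-i eth0 -o tun0` rule below it and also forwards eth0 traffic out wlan0 whenever the default route falls back to the Wi-Fi uplink, which is exactly the case the question wants to fail closed.

```python
"""Static leak check for an iptables-save dump of a VPN/Tor gateway.

Added example, not code from the original post.  Parses the text format
iptables-save writes and reports ACCEPT rules in OUTPUT/FORWARD that could
move packets onto the uplink without going through the tunnel.
"""
from dataclasses import dataclass


@dataclass
class Rule:
    table: str
    chain: str
    args: list

    def opt(self, flag):
        """Value following `flag` (e.g. '-o'), or None if the rule lacks it."""
        for i, tok in enumerate(self.args):
            if tok == flag and i + 1 < len(self.args):
                return self.args[i + 1]
        return None

    @property
    def target(self):
        return self.opt("-j")

    def __str__(self):
        return "-A %s %s" % (self.chain, " ".join(self.args))


def parse_iptables_save(text):
    """Return (rules, policies); policies maps (table, chain) -> default policy."""
    rules, policies, table = [], {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):                 # *filter, *nat, ...
            table = line[1:]
        elif line.startswith(":"):               # :CHAIN POLICY [pkts:bytes]
            chain, policy = line[1:].split()[:2]
            policies[(table, chain)] = policy
        elif line.startswith("-A "):             # -A CHAIN match ... -j TARGET
            parts = line.split()
            rules.append(Rule(table, parts[1], parts[2:]))
    return rules, policies


def find_leaks(rules, policies, uplink):
    """Findings as strings; an empty list means no leak path was found."""
    findings = []
    for chain in ("OUTPUT", "FORWARD"):
        chain_rules = [r for r in rules if r.table == "filter" and r.chain == chain]
        for r in chain_rules:
            if r.target != "ACCEPT":
                continue
            out_if = r.opt("-o")
            if out_if is None:
                # no -o at all: matches every egress interface, the uplink included
                findings.append("%s: '%s' is not limited to an output interface" % (chain, r))
            elif out_if == uplink and r.opt("-d") is None:
                findings.append("%s: '%s' lets any destination out via %s" % (chain, r, uplink))
        # the chain must end in a deny: a DROP/REJECT policy or a final catch-all rule
        last = chain_rules[-1] if chain_rules else None
        closed = policies.get(("filter", chain)) in ("DROP", "REJECT") or (
            last is not None and last.target in ("DROP", "REJECT")
            and last.opt("-i") is None and last.opt("-o") is None)
        if not closed:
            findings.append("%s: chain does not end in DROP/REJECT (policy %s)"
                            % (chain, policies.get(("filter", chain))))
    return findings


def check_dump(text, uplink="wlan0"):
    rules, policies = parse_iptables_save(text)
    return find_leaks(rules, policies, uplink)


# Constructed from the filter table of the question's working ruleset.
SAMPLE_DUMP = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -j ACCEPT
-A INPUT -s 185.111.111.111/32 -p tcp -m tcp --sport 443 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -i eth0 -j ACCEPT
-A FORWARD -i eth0 -o tun0 -j ACCEPT
-A FORWARD -i tun0 -o eth0 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o eth0 -j ACCEPT
-A OUTPUT -o tun0 -j ACCEPT
-A OUTPUT -d 185.111.111.111/32 -o wlan0 -p tcp -m tcp --dport 443 -j ACCEPT
-A OUTPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

# Same dump without the over-broad FORWARD rule; the "-i eth0 -o tun0" rule stays.
FIXED_DUMP = SAMPLE_DUMP.replace("-A FORWARD -i eth0 -j ACCEPT\n", "")

if __name__ == "__main__":
    for name, dump in (("working option", SAMPLE_DUMP), ("fixed", FIXED_DUMP)):
        print(name + ":", check_dump(dump) or "no leak path found")
```

Feed it `iptables-save` output from the gateway (`iptables-save | python3 leakcheck.py` after swapping the sample for `sys.stdin.read()`) before and after every rule change; the check is deliberately conservative and will also flag an OUTPUT rule such as `-m state --state ESTABLISHED -j ACCEPT` without `-o`, since that too can carry packets onto the uplink.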


1 answer(s)
Drno, 2021-09-25

Linux does not care whether the connection is wired or wireless.
Take any working manual and just substitute the names of your interfaces.
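Taking the answer literally, here is an added example (not code from the question, the answer, or the Tor/redsocks projects): a POSIX shell generator that emits an iptables-restore ruleset for the LAN -> eth0 -> Tor -> tun0 -> wlan0 chain with every interface, address and port as a parameter. It uses Tor's own transparent-proxy listeners instead of redsocks, which removes redsocks, the tcpdns relay and the OUTPUT-chain DNS redirect from the picture: Tor resolves names itself. Assumed, and not from the original post: torrc contains `TransPort 192.168.50.1:9040` and `DNSPort 192.168.50.1:5353`, where 192.168.50.1 is the hypothetical address of the gateway's eth0; the VPN endpoint 185.111.111.111 on TCP/443 and the interface names are taken from the question.

```sh
#!/bin/sh
# Added example, not code from the question or from the Tor/redsocks projects.
# Emits (and optionally applies) an iptables-restore ruleset for a gateway
# whose chain is: LAN clients -> eth0 -> Tor -> tun0 (OpenVPN) -> wlan0 uplink.
# Assumed torrc lines (hypothetical address, not from the original post):
#   TransPort 192.168.50.1:9040
#   DNSPort   192.168.50.1:5353
set -eu

gen_rules() {
    # gen_rules LAN UPLINK TUN VPN_SERVER VPN_PORT TRANS_PORT DNS_PORT
    lan=$1 uplink=$2 tun=$3 vpn=$4 vpn_port=$5 trans=$6 dns=$7
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# LAN -> gateway: DNS to Tor's DNSPort, every new TCP connection to Tor's TransPort.
# REDIRECT rewrites the destination to the address of the interface the packet
# arrived on, which is where Tor is listening.
-A PREROUTING -i $lan -p udp --dport 53 -j REDIRECT --to-ports $dns
-A PREROUTING -i $lan -p tcp --syn -j REDIRECT --to-ports $trans
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $lan -p tcp --dport $trans -j ACCEPT
-A INPUT -i $lan -p udp --dport $dns -j ACCEPT
# Deliberately no FORWARD rules: LAN packets are never routed, only proxied,
# so there is nothing to leak onto the uplink if $tun goes down.
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o $lan -j ACCEPT
-A OUTPUT -o $tun -j ACCEPT
# The only thing allowed onto the uplink is the VPN session itself.
-A OUTPUT -o $uplink -d $vpn -p tcp --dport $vpn_port -j ACCEPT
COMMIT
EOF
}

# Run as root on the gateway; the arguments are the only things to change.
apply_rules() {
    sysctl -w net.ipv4.ip_forward=0 >/dev/null   # nothing is routed, only proxied
    gen_rules "$@" | iptables-restore
}

# Sanity check on a generated ruleset read from stdin: how many ACCEPT rules
# send traffic out the given interface?  For the uplink the answer must be 1.
count_uplink_accepts() {
    grep -c -- "-o $1 .*-j ACCEPT" || true
}

# Example: print the ruleset for the interfaces and VPN endpoint from the question.
# gen_rules eth0 wlan0 tun0 185.111.111.111 443 9040 5353
```

`gen_rules eth0 wlan0 tun0 185.111.111.111 443 9040 5353 | iptables-restore --test` validates the syntax without loading anything. Because there are no FORWARD rules and forwarding is switched off, the `net.ipv4.ip_forward=1` line from the question is not needed in this layout; when tun0 disappears, Tor's outbound connections have nowhere to go and the LAN loses connectivity, which is the fail-closed behaviour the question describes. The `:OUTPUT DROP` policy also blocks the gateway's own non-VPN traffic on wlan0 (package updates, NTP), so those must run over the tunnel as well.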
