maemo.org - Talk

maemo.org - Talk (https://talk.maemo.org/index.php)
-   SailfishOS (https://talk.maemo.org/forumdisplay.php?f=52)
-   -   Transparent socks proxy (shadowsocks and ssh tunnel) (https://talk.maemo.org/showthread.php?t=92703)

gexc 2014-02-16 11:23
Transparent socks proxy (shadowsocks and ssh tunnel)
 
redsocks, pdnsd, shadowsocks-libev and proxychains are uploaded to openrepos

pdnsd

pdnsd is needed for dealing with dns poisoning
sample config file for pdnsd (/etc/pdnsd.conf):

Code:
global {
        perm_cache=1024;
        cache_dir="/var/cache/pdnsd";
#      pid_file = /var/run/pdnsd.pid;
        run_as="nobody";
        server_ip = 127.0.0.1;  # Use eth0 here if you want to allow other
        server_port = 5353; #Since port 53 is used by connman, pdnsd has to be configured to use another port and the DNS queries will be redirected to it by iptables
                                # machines on your network to query pdnsd.
        status_ctl = on;
        paranoid=on;      # This option reduces the chance of cache poisoning
                          # but may make pdnsd less efficient, unfortunately.
        query_method=tcp_only;
        min_ttl=1h;      # Retain cached entries at least 15 minutes.
        max_ttl=1w;        # One week.
        timeout=10;        # Global timeout option (10 seconds).
        neg_domain_pol=on;
        udpbufsize=1024;  # Upper limit on the size of UDP messages.
}

# replace this with any dns servers
server {
        label= "google";
        ip = 8.8.8.8, 8.8.4.4;  # Put your ISP’s DNS-server address(es) here.
        timeout=4;        # Server timeout; this may be much shorter
                          # that the global timeout option.
        uptest=ping;        # Test if the network interface is active.
        purge_cache=off;  # Keep stale cache entries in case the ISP’s
                          # DNS servers go offline.
        edns_query=no;    # Use EDNS for outgoing queries to allow UDP messages
                          # larger than 512 bytes. May cause trouble with some
                          # legacy systems.
}
source {
        owner=localhost;
#      serve_aliases=on;
        file="/etc/hosts";
}
rr {
        name=localhost;
        reverse=on;
        a=127.0.0.1;
        owner=localhost;
        soa=localhost,root.localhost,42,86400,900,86400,86400;
}
shadowsocks

shadowsocks is a lightweight and secure socks5 proxy. It can replace the ssh tunnel. Also shadowsocks-libev has ss-redir which works as a transparent proxy, so redsocks is not needed. :D

sample config file for shadowsocks (/home/nemo/.shadowsocks/ss-config.json)

Code:
{
        "server":"replace_with_your_server",
        "server_port":replace_with_your_server_port,
        "local_port":7777,
        "password":"replace_with_your_password",
        "timeout":600,
        "method":"aes-256-cfb"
}
iptables

iptables needs to be set up to redirect the network traffic to our socks proxy. CAUTION: MESSING UP WITH IPTABLES MAY JAM YOUR NETWORK:D

a dirty script for iptables config (iptables-ss.sh)

Code:
#!/bin/sh
PORT=7777
DNSPORT=5353
SERVER=replace_with_your_server
PDNSDCFG=/etc/pdnsd.conf
SSLOG=/dev/null
SSCFG=/home/nemo/.shadowsocks/ss-config.json

if [ "$1" = "start" ] ;then
#echo "Starting pdnsd"
iptables -t nat -F
iptables -t nat -X
pkill -U $USER pdnsd
pdnsd -d -mto -c $PDNSDCFG
iptables -t nat -A OUTPUT -p udp --dport 53 -j REDIRECT --to-ports $DNSPORT #redirect dns queries
#echo "Setting iptables"

iptables -t nat -N SHADOWSOCKS
iptables -t nat -A SHADOWSOCKS -d $SERVER -j RETURN
iptables -t nat -A SHADOWSOCKS -d 0.0.0.0/8 -j RETURN
iptables -t nat -A SHADOWSOCKS -d 10.0.0.0/8 -j RETURN
iptables -t nat -A SHADOWSOCKS -d 127.0.0.0/8 -j RETURN
iptables -t nat -A SHADOWSOCKS -d 169.254.0.0/16 -j RETURN
iptables -t nat -A SHADOWSOCKS -d 172.16.0.0/12 -j RETURN
iptables -t nat -A SHADOWSOCKS -d 192.168.0.0/16 -j RETURN
iptables -t nat -A SHADOWSOCKS -d 224.0.0.0/4 -j RETURN
iptables -t nat -A SHADOWSOCKS -d 240.0.0.0/4 -j RETURN
iptables -t nat -A SHADOWSOCKS -p tcp -j REDIRECT --to-ports $PORT
iptables -t nat -A OUTPUT -p tcp -j SHADOWSOCKS
exit 0;
elif [ "$1" = "stop" ]; then
pkill -U $USER pdnsd
iptables -t nat -F
iptables -t nat -X
exit 0;

elif [ "$1" = "start-ss" ]; then
pkill -U $USER ss-redir
nohup ss-redir -c $SSCFG > $SSLOG &
exit 0;
elif [ "$1" = "stop-ss" ]; then
pkill -U $USER ss-redir
exit 0;
else
exit 1;
fi
iptables-ss.sh start-ss will start shadowsocks and keep it running in the background
iptables-ss.sh start will (re-)start pdnsd and set up iptables rules
iptables-ss.sh stop will do the reverse
iptables-ss.sh stop-ss will kill the shadowsocks process (not really needed)

redsocks

If ssh tunnel is preferred then redsocks is used for creating the transparent proxy.

sample config file (/home/nemo/.redsocks/redsocks.conf)
Code:
base {
        // debug: connection progress & client list on SIGUSR1
        log_debug = off;

        // info: start and end of client session
        log_info = on;

        /* possible `log' values are:
        *  stderr
        *  "file:/path/to/file"
        *  syslog:FACILITY  facility is any of "daemon", "local0"..."local7"
        */
        log = "file:/home/nemo/.redsocks/redsocks.log";
        // log = "file:/path/to/file";
        // log = "syslog:local7";

        // detach from console
        daemon = on;

        /* Change uid, gid and root directory, these options require root
        * privilegies on startup.
        * Note, your chroot may requre /etc/localtime if you write log to syslog.
        * Log is opened before chroot & uid changing.
        */
        // user = nobody;
        // group = nobody;
        // chroot = "/var/chroot";

        /* possible `redirector' values are:
        *  iptables  - for Linux
        *  ipf        - for FreeBSD
        *  pf        - for OpenBSD
        *  generic    - some generic redirector that MAY work
        */
        redirector = iptables;
}

redsocks {
        /* `local_ip' defaults to 127.0.0.1 for security reasons,
        * use 0.0.0.0 if you want to listen on every interface.
        * `local_*' are used as port to redirect to.
        */
        local_ip = 127.0.0.1;
        local_port = 12345;

        // listen() queue length. Default value is SOMAXCONN and it should be
        // good enough for most of us.
        // listenq = 128; // SOMAXCONN equals 128 on my Linux box.

        // `max_accept_backoff` is a delay to retry `accept()` after accept
        // failure (e.g. due to lack of file descriptors). It's measured in
        // milliseconds and maximal value is 65535. `min_accept_backoff` is
        // used as initial backoff value and as a damper for `accept() after
        // close()` logic.
        // min_accept_backoff = 100;
        // max_accept_backoff = 60000;

        // `ip' and `port' are IP and tcp-port of proxy-server
        // You can also use hostname instead of IP, only one (random)
        // address of multihomed host will be used.

ip = 127.0.0.1;
port = 7777; // the ssh tunneling port


        // known types: socks4, socks5, http-connect, http-relay
        type = socks5;


}

redudp {
        // `local_ip' should not be 0.0.0.0 as it's also used for outgoing
        // packets that are sent as replies - and it should be fixed
        // if we want NAT to work properly.
        local_ip = 127.0.0.1;
        local_port = 10053;

        // `ip' and `port' of socks5 proxy server.
ip = 127.0.0.1;
port = 7777;
        // redsocks knows about two options while redirecting UDP packets at
        // linux: TPROXY and REDIRECT.  TPROXY requires more complex routing
        // configuration and fresh kernel (>= 2.6.37 according to squid
        // developers[1]) but has hack-free way to get original destination
        // address, REDIRECT is easier to configure, but requires `dest_ip` and
        // `dest_port` to be set, limiting packet redirection to single
        // destination.
        // [1] http://wiki.squid-cache.org/Features/Tproxy4
        dest_ip = 8.8.8.8;
        dest_port = 53;

        udp_timeout = 30;
        udp_timeout_stream = 180;
}

dnstc {
        // fake and really dumb DNS server that returns "truncated answer" to
        // every query via UDP, RFC-compliant resolver should repeat same query
        // via TCP in this case.
        local_ip = 127.0.0.1;
        local_port = 5300;
}

// you can add more `redsocks' and `redudp' sections if you need.
iptables config for redsocks

a dirtier iptables script for redsocks :D (redsocks.sh)
Code:
#!/bin/sh

IPTABLES="/sbin/iptables"
REDSOCKS="/usr/bin/redsocks"
REDSOCKSCFG="/home/nemo/.redsocks/redsocks.conf"
REDSOCKS_PORT="12345" #local_port in $REDSOCKSCFG
PDNSDCFG="/etc/pdnsd.conf"
SERVER="your_ssh_server"

if [ "$1" = "start" ]; then
        echo '(Re)starting redsocks...'
        pkill -U $USER redsocks 2>/dev/null
        sleep 1
        $REDSOCKS -c $REDSOCKSCFG
        echo '(Re)starting pdnsd'
        pkill -U $USER pdnsd 2>/dev/null
        pdnsd -d -mto -c $PDNSDCFG
        $IPTABLES -t nat -F
        $IPTABLES -t nat -X
        $IPTABLES -t nat -A OUTPUT -p udp --dport 53 -j REDIRECT --to-ports 5353 #redirect dns queries


        $IPTABLES -t nat -D PREROUTING -p tcp -j REDSOCKS_FILTER 2>/dev/null
        $IPTABLES -t nat -D OUTPUT    -p tcp -j REDSOCKS_FILTER 2>/dev/null
        $IPTABLES -t nat -F REDSOCKS_FILTER 2>/dev/null
        $IPTABLES -t nat -X REDSOCKS_FILTER 2>/dev/null
        $IPTABLES -t nat -F REDSOCKS 2>/dev/null
        $IPTABLES -t nat -X REDSOCKS 2>/dev/null

# Create our own chain
        $IPTABLES -t nat -N REDSOCKS
        $IPTABLES -t nat -N REDSOCKS_FILTER

# Do not try to redirect local traffic
        $IPTABLES -t nat -I REDSOCKS_FILTER -o lo -j RETURN


# Do not redirect LAN traffic and some other reserved addresses. (blacklist option)
        $IPTABLES -t nat -A REDSOCKS_FILTER -d 0.0.0.0/8 -j RETURN
        $IPTABLES -t nat -A REDSOCKS_FILTER -d 10.0.0.0/8 -j RETURN
        $IPTABLES -t nat -A REDSOCKS_FILTER -d 127.0.0.0/8 -j RETURN
        $IPTABLES -t nat -A REDSOCKS_FILTER -d 169.254.0.0/16 -j RETURN
        $IPTABLES -t nat -A REDSOCKS_FILTER -d 172.16.0.0/12 -j RETURN
        $IPTABLES -t nat -A REDSOCKS_FILTER -d 192.168.0.0/16 -j RETURN
        $IPTABLES -t nat -A REDSOCKS_FILTER -d 224.0.0.0/4 -j RETURN
        $IPTABLES -t nat -A REDSOCKS_FILTER -d 240.0.0.0/4 -j RETURN
        $IPTABLES -t nat -A REDSOCKS_FILTER -d $SERVER -j RETURN
        $IPTABLES -t nat -A REDSOCKS_FILTER -j REDSOCKS

# Redirect all traffic that gets to the end of our chain
        $IPTABLES -t nat -A REDSOCKS  -p tcp -j REDIRECT --to-port $REDSOCKS_PORT

## Filter all traffic from the own host
## BE CAREFULL HERE IF THE SOCKS-SERVER RUNS ON THIS MACHINE
        $IPTABLES -t nat -A OUTPUT    -p tcp -j REDSOCKS_FILTER

# Filter all traffic that is routed over this host
        $IPTABLES -t nat -A PREROUTING -p tcp -j REDSOCKS_FILTER

        echo IPtables reconfigured.
        exit 0;
elif [ "$1" = "stop" ]; then
        $IPTABLES -t nat -F
        $IPTABLES -t nat -X
        killall redsocks
        killall pdnsd
        exit 0;
else
        exit 1;
fi
(set up an ssh tunnel first)
redsocks.sh start : start redsocks, pdnsd and set up iptables rules
redsocks.sh stop : undo everything

Proxychains

proxychains is a hook preloader that allows to redirect TCP traffic of existing dynamically linked programs through one or more SOCKS or HTTP proxies.

It can be used to launch a single app whose traffic will go through a chains of proxies defined in /etc/proxychains.conf (default is 127.0.0.1:9050 for tor). Domain names are resolved in the proxy side.

Usage example:
Code:
proxychains4 sailfish-browser
Works fine with ssh tunnel and ss-local, but does not work with ss-redir

issues

No gui (yet) :p
The network gets jammed after switching from wifi to 3g or vice versa. The iptables scripts need to be restarted after every network switching. Not sure about the cause, maybe the rules are messed up after all...:confused:

nieldk 2014-02-16 14:07
Re: Transparent socks proxy through ssh tunnel
 
thanks, I will try this trick with my tor package :)

gexc 2014-04-07 14:50
Re: Transparent socks proxy through ssh tunnel
 
shadowsocks-libev compiles and works out-of-the-box :D

gexc 2014-05-16 07:07
Re: Transparent socks proxy (shadowsocks and ssh tunnel)
 
bump for some update

王布兔 2014-05-18 15:38
Re: Transparent socks proxy (shadowsocks and ssh tunnel)
 
great job
But still feel slightly more power consumption

nieldk 2014-05-18 16:13
Re: Transparent socks proxy (shadowsocks and ssh tunnel)
 
unfortunately the solution that works (tordns with iptables) gives another issue in my experience - it seems Store doesnt like it, I assume its due to tordns not having dns records for Jolla repositories.
So, the proxy/iptables or just having the browser using tor (like my package) seems to be the compromise ATM.

gexc 2014-05-19 02:16
Re: Transparent socks proxy (shadowsocks and ssh tunnel)
 
Quote:
Originally Posted by nieldk (Post 1425837)
unfortunately the solution that works (tordns with iptables) gives another issue in my experience - it seems Store doesnt like it, I assume its due to tordns not having dns records for Jolla repositories.
So, the proxy/iptables or just having the browser using tor (like my package) seems to be the compromise ATM.
is it possible to put the ip of releases.jolla.com in /etc/hosts to avoid the dns query altogether ?

MastaG 2014-07-03 14:47
Re: Transparent socks proxy (shadowsocks and ssh tunnel)
 
So I installed nieldk's Tor package from the warhouse store.
According to the package notes it'll setup a proxy for the webbrowser.

Is it possible to make the phone completely transparant by using tordns and iptables? With the ability to switch between 3G and Wifi?

gexc 2014-07-03 15:32
Re: Transparent socks proxy (shadowsocks and ssh tunnel)
 
Quote:
Originally Posted by MastaG (Post 1431733)
So I installed nieldk's Tor package from the warhouse store.
According to the package notes it'll setup a proxy for the webbrowser.

Is it possible to make the phone completely transparant by using tordns and iptables? With the ability to switch between 3G and Wifi?
redsocks/iptables should work with tor, I haven't tried though.

It seems there is no auto-switching. After network switching iptables have to be toggled off and on again manually. Haven't figure out why...:confused:

nieldk 2014-07-03 15:36
Re: Transparent socks proxy (shadowsocks and ssh tunnel)
 
Quote:
Originally Posted by gexc (Post 1431735)
redsocks/iptables should work with tor, I haven't tried though.

It seems there is no auto-switching. After network switching iptables have to be toggled off and on again manually. Haven't figure out why...:confused:
you can make that automatic with some systemd magic, which can reload eg iptables after network switch

MastaG 2014-07-04 09:05
Re: Transparent socks proxy (shadowsocks and ssh tunnel)
 
ahhh thanks nieldk!
I'll look into this.

nieldk 2014-07-04 09:13
Re: Transparent socks proxy (shadowsocks and ssh tunnel)
 
You will probably need to look at this, to ensure that services are indeed started AFTER network is UP ;)
Yeah, systemd has some issues (Linus is Yelling at the maintainer)
http://www.freedesktop.org/wiki/Soft...NetworkTarget/

MastaG 2014-07-04 09:37
Re: Transparent socks proxy (shadowsocks and ssh tunnel)
 
Thanks nieldk!
I'm a bit new to the Sailfish OS.

So if I understand it correctly:

The dhclient should always set 127.0.0.1 as nameserver (no matter what).

This script:

Code:
#!/bin/sh
#the UID that Tor runs as (varies from system to system)
_tor_uid="0"
#Tor's TransPort
_trans_port="9040"
### flush iptables
iptables -F
iptables -t nat -F
### set iptables *nat
iptables -t nat -A OUTPUT -m owner --uid-owner $_tor_uid -j RETURN
iptables -t nat -A OUTPUT -p udp --dport 53 -j REDIRECT --to-ports 53
#allow clearnet access for hosts: 127.0.0.0/9 127.128.0.0/10
iptables -t nat -A OUTPUT -d 127.0.0.0/9 -j RETURN
iptables -t nat -A OUTPUT -d 127.128.0.0/10 -j RETURN
#redirect all other output to Tor's TransPort
iptables -t nat -A OUTPUT -p tcp --syn -j REDIRECT --to-ports $_trans_port
### set iptables *filter
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#allow clearnet access for hosts: 127.0.0.0/8
iptables -A OUTPUT -d 127.0.0.0/8 -j ACCEPT
#allow only Tor output
iptables -A OUTPUT -m owner --uid-owner $_tor_uid -j ACCEPT
iptables -A OUTPUT -j REJECT
#Security fix
iptables -A OUTPUT -m state --state INVALID -j DROP
iptables -A OUTPUT ! -o lo ! -d 127.0.0.1 ! -s 127.0.0.1 -p tcp -m tcp --tcp-flags ACK,FIN ACK,FIN -j DROP
iptables -A OUTPUT ! -o lo ! -d 127.0.0.1 ! -s 127.0.0.1 -p tcp -m tcp --tcp-flags ACK,RST ACK,RST -j DROP
Should run after Tor daemon has been started and after every network switch (the systemd part).

Then all outgoing traffic (except for localhost) will be routed trough Tor and I'll be able to resolve .onion names.

Also I'll be flagged as an "extremist" by the NSA according to recent news :P

gexc 2015-10-03 01:29
Re: Transparent socks proxy (shadowsocks and ssh tunnel)
 
Unfortunately I am not familiar with the ProxyCommand option. Maybe someone else here can help you out?

gexc 2015-10-04 01:53
Re: Transparent socks proxy (shadowsocks and ssh tunnel)
 
Perhaps you need to allow the traffic to the remote proxy, which your local proxy 127.0.0.1:3339 connects to.

nieldk 2015-10-04 06:40
Re: Transparent socks proxy (shadowsocks and ssh tunnel)
 
Quote:
Originally Posted by gexc (Post 1484346)
Perhaps you need to allow the traffic to the remote proxy, which your local proxy 127.0.0.1:3339 connects to.
I believe that is the case. I dont ser iptables allowing traffic to 8.8.8.8. For DNS forward.

gexc 2015-10-04 07:32
Re: Transparent socks proxy (shadowsocks and ssh tunnel)
 
iptables -t nat -A REDSOCKS -d xxx.xxx.xxx.xxx -j RETURN

replace the xxx's with your remote proxy server

nieldk 2015-10-04 08:38
Re: Transparent socks proxy (shadowsocks and ssh tunnel)
 
Read up on iptables usage :)
For example: http://www.cyberciti.biz/faq/linux-p...with-iptables/

nieldk 2015-10-04 14:19
Re: Transparent socks proxy (shadowsocks and ssh tunnel)
 
My guess, DNS is not setup correctly.
Either in DHCP its not given, or, iptables is blocking DNS requests.

0312birdzhang 2017-12-05 01:44
Re: Transparent socks proxy (shadowsocks and ssh tunnel)
 
I made a UI for this(the backend use gost https://github.com/ginuerzh/gost/blo...r/README_en.md )

https://openrepos.net/content/birdzh...gs-gost-button
:D


All times are GMT. The time now is 19:39.

vBulletin® Version 3.8.8