
Can we proxy ICMP messages (to transfer ping)?

yuchting edited this page Jun 15, 2020 · 4 revisions

Yes, but ONLY on Linux, and only with trojan's "nat" run type.

Linux gives a client process many useful facilities, including receiving and sending raw IP packets through what is called a raw socket. With it we can receive an IP datagram carrying an ICMP message from the system, send it to the trojan server, and have the server take over the NAT side of the job and put the datagram out onto the network.

This is a low-level feature for trojan proxy users; most common users don't need it, they just want to proxy TCP/UDP (web/app browsing and gaming), but as a developer I always want to see traceroute information and ping latency when I work on proxy-like things, and nobody could do this, so I implemented it myself.

Configure

All the code is in icmpd.cpp; read it if you are interested. You enable this feature by config, on both client and server:

{
    "run_type": "nat",
    "local_addr": "0.0.0.0",
    "local_port": 2062,
    ...
    "experimental":{
        ...
        "pipeline_proxy_icmp" : true
    }
}

There is an important thing I must say: the ICMP proxy needs the "nat" run type, because it relies on iptables to redirect ICMP messages to the local process, just like transparent UDP proxying:

ip route add local 0/0 dev lo table 100
ip rule add fwmark 1 lookup 100

...
iptables -t mangle -N ICMP_PROXY

iptables -t mangle -A ICMP_PROXY -p icmp -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -p icmp -j ICMP_PROXY

As with UDP, it is hard to proxy the "nat" host itself (the software router): the rules above hook the PREROUTING chain, which only packets arriving from other hosts traverse, while ICMP generated locally on the router goes through the OUTPUT chain instead and is never marked.

Sample

After configuring properly, ping works through the proxy (the original page shows a screenshot here), and so does tracert on Windows (screenshot in the original page).

Problem

After researching this, I found that the traceroute shipped by most Linux distributions sends UDP datagrams with a limited TTL/hop limit instead of plain ICMP echo requests, but the original trojan protocol does not carry the TTL/hop limit to the server before the packet is sent out, so the proxied probes all travel with the server's default TTL and Linux's traceroute gets no useful answer (screenshot in the original page):
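To make the two points above concrete, here is an added example (it is not code from trojan's icmpd.cpp, and the packet builders, addresses 10.0.0.2/10.0.0.1 and payloads are constructed for illustration). It parses the raw IPv4 datagrams a Linux raw socket delivers (for IPv4 the kernel hands over the IP header as well), verifies the header and ICMP checksums, and shows why a proxy that re-emits the datagram must carry the sender's TTL and refresh the header checksum: a Linux traceroute probe is just a UDP datagram to a high port whose TTL is what makes hop N answer.

```cpp
// Added example, not trojan's own code. Parses raw IPv4 datagrams as a SOCK_RAW
// socket delivers them and extracts the fields an ICMP/traceroute proxy must
// carry end to end: protocol, TTL, ICMP type/code and the UDP destination port.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <vector>

struct RawProbe {
    bool ok = false;        // parsed and the checksums verified
    uint8_t protocol = 0;   // 1 = ICMP, 17 = UDP
    uint8_t ttl = 0;        // the field traceroute depends on
    uint8_t icmp_type = 0;  // 8 = echo request (what ping sends)
    uint8_t icmp_code = 0;
    uint16_t udp_dport = 0; // Linux traceroute probes start at port 33434
};

// RFC 1071 Internet checksum; verifying a block with its checksum in place yields 0.
uint16_t inet_checksum(const uint8_t* data, size_t len) {
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < len; i += 2) sum += (uint16_t)((data[i] << 8) | data[i + 1]);
    if (len & 1) sum += (uint16_t)(data[len - 1] << 8);
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

RawProbe parse_raw_ipv4(const std::vector<uint8_t>& pkt) {
    RawProbe p;
    if (pkt.size() < 20 || (pkt[0] >> 4) != 4) return p;
    size_t ihl = (pkt[0] & 0x0f) * 4;
    size_t total = (size_t)((pkt[2] << 8) | pkt[3]);
    if (ihl < 20 || total < ihl || pkt.size() < total) return p;
    if (inet_checksum(pkt.data(), ihl) != 0) return p;  // damaged, or TTL edited without a refresh
    p.ttl = pkt[8];
    p.protocol = pkt[9];
    const uint8_t* body = pkt.data() + ihl;
    size_t blen = total - ihl;
    if (p.protocol == 1) {                               // ICMP: checksum covers the whole message
        if (blen < 8 || inet_checksum(body, blen) != 0) return p;
        p.icmp_type = body[0];
        p.icmp_code = body[1];
    } else if (p.protocol == 17) {                       // UDP: checksum is optional over IPv4, not verified here
        if (blen < 8) return p;
        p.udp_dport = (uint16_t)((body[2] << 8) | body[3]);
    } else {
        return p;
    }
    p.ok = true;
    return p;
}

// Default Linux traceroute sends UDP to unused high ports from 33434 upward with an
// increasing TTL; the upper bound of the range here is an assumption for illustration.
bool is_linux_traceroute_probe(const RawProbe& p) {
    return p.ok && p.protocol == 17 && p.udp_dport >= 33434 && p.udp_dport < 33434 + 256;
}

// What a forwarding proxy must do to re-emit a datagram with the sender's TTL:
// rewrite the field, then recompute the header checksum.
std::vector<uint8_t> with_ttl(std::vector<uint8_t> pkt, uint8_t ttl) {
    size_t ihl = (pkt[0] & 0x0f) * 4;
    pkt[8] = ttl;
    pkt[10] = pkt[11] = 0;
    uint16_t c = inet_checksum(pkt.data(), ihl);
    pkt[10] = (uint8_t)(c >> 8);
    pkt[11] = (uint8_t)c;
    return pkt;
}

// The naive version: the TTL changes but the header checksum is left stale.
std::vector<uint8_t> set_ttl_without_checksum(std::vector<uint8_t> pkt, uint8_t ttl) {
    pkt[8] = ttl;
    return pkt;
}

// Constructed sample input: 20-byte IPv4 header, 10.0.0.2 -> 10.0.0.1, no options.
std::vector<uint8_t> build_ipv4(uint8_t proto, uint8_t ttl, const std::vector<uint8_t>& body) {
    std::vector<uint8_t> h(20, 0);
    h[0] = 0x45;
    uint16_t total = (uint16_t)(20 + body.size());
    h[2] = (uint8_t)(total >> 8); h[3] = (uint8_t)total;
    h[9] = proto;
    h[12] = 10; h[15] = 2; h[16] = 10; h[19] = 1;
    h.insert(h.end(), body.begin(), body.end());
    return with_ttl(h, ttl);  // sets TTL and fills the header checksum
}

// Constructed ICMP echo request (type 8, code 0) as ping sends it.
std::vector<uint8_t> build_icmp_echo(uint16_t id, uint16_t seq, const char* data) {
    std::vector<uint8_t> m = {8, 0, 0, 0, (uint8_t)(id >> 8), (uint8_t)id, (uint8_t)(seq >> 8), (uint8_t)seq};
    m.insert(m.end(), data, data + strlen(data));
    uint16_t c = inet_checksum(m.data(), m.size());
    m[2] = (uint8_t)(c >> 8); m[3] = (uint8_t)c;
    return m;
}

// Constructed UDP probe with checksum 0 (none), which IPv4 permits.
std::vector<uint8_t> build_udp(uint16_t sport, uint16_t dport, size_t datalen) {
    std::vector<uint8_t> m(8 + datalen, 0);
    uint16_t len = (uint16_t)m.size();
    m[0] = (uint8_t)(sport >> 8); m[1] = (uint8_t)sport;
    m[2] = (uint8_t)(dport >> 8); m[3] = (uint8_t)dport;
    m[4] = (uint8_t)(len >> 8);   m[5] = (uint8_t)len;
    return m;
}

std::vector<uint8_t> sample_ping_packet()       { return build_ipv4(1, 64, build_icmp_echo(0x1234, 1, "trojan-icmp-test")); }
std::vector<uint8_t> sample_traceroute_packet() { return build_ipv4(17, 3, build_udp(43210, 33436, 32)); }

int main() {
    RawProbe ping = parse_raw_ipv4(sample_ping_packet());
    RawProbe tr = parse_raw_ipv4(sample_traceroute_packet());
    printf("ping: ok=%d proto=%d ttl=%d icmp_type=%d\n", (int)ping.ok, ping.protocol, ping.ttl, ping.icmp_type);
    printf("traceroute probe: ok=%d ttl=%d dport=%d is_probe=%d\n", (int)tr.ok, tr.ttl, tr.udp_dport, (int)is_linux_traceroute_probe(tr));
    printf("stale checksum after TTL edit parses: %d\n", (int)parse_raw_ipv4(set_ttl_without_checksum(sample_ping_packet(), 7)).ok);
    return 0;
}
```

The traceroute probe parses as ordinary UDP to port 33436 with TTL 3; nothing in the payload identifies it, so a proxy that rebuilds the packet and lets the kernel pick the TTL turns every probe into one that reaches the destination, which is exactly the failure described above. `with_ttl` is the minimal fix on the re-emitting side: copy the TTL the client saw and recompute the header checksum, since `set_ttl_without_checksum` produces a datagram the parser (and every router) rejects.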

To fix this problem I must change the original trojan protocol, which might not be good; the good news is that MTR/WinMTR will be supported (screenshot in the original page):