transparent TCP-to-proxy redirector
Latest commit 5df6a30 Feb 1, 2018
redsocks – transparent TCP-to-proxy redirector

This tool allows you to redirect any TCP connection to SOCKS or HTTPS proxy using your firewall, so redirection may be system-wide or network-wide.

When is redsocks useful?

  • you want to route part of your TCP traffic via an OpenSSH DynamicForward SOCKS5 port using firewall policies. That was the original redsocks development goal;
  • you use a DVB ISP and this ISP provides internet connectivity through some special daemon (sometimes called an "Internet accelerator") that acts as a proxy but has no "transparent proxy" feature, and you need one. Globax was an example of such an accelerator, although Globax 5 has a transparent proxy feature. That was the second redsocks development goal;
  • you have to pass traffic through a proxy due to corporate network limitations. That was never a goal for redsocks, but users have reported success with some proxy configurations.

When is redsocks probably a wrong tool?

  • redirecting traffic to tor. First, you have to use tor-aware software for anonymity. Second, use TransPort if you don't actually need anonymity. Third, question everything :-)
  • trying to redirect traffic of a significant number of connections over a single SSH connection. That's not exactly TCP over TCP, but head-of-line blocking will still happen and the performance of real-time applications (IM, interactive Web applications) may be degraded during bulk transfers;
  • trying to make a non-transparent HTTP-proxy (not HTTPS-proxy) transparent using the http-relay module. First, it will likely be broken as the code is a hack. Second, the code is vulnerable to CVE-2009-0801 and will unlikely ever be fixed;
  • making a "really" transparent proxy: redsocks acts at the TCP level, so the three-way handshake is completed and redsocks accepts the connection before the connection through the proxy (and to the proxy) is established;
  • trying to redirect traffic of a significant number of connections in a resource-constrained environment like a SOHO Linux router. Throughput of a single connection may be good enough, like 40 Mbit/s on a TP-Link TD-W8980, but the amount of concurrent connections may be the limiting factor as TCP buffers are still consumed;
  • redirecting traffic to a proxy on a mobile device running Android or iOS, as it'll require rooting to update firewall rules. Probably the better way is to use an on-device VPN daemon to intercept traffic via the VpnService API for Android and the NETunnelProvider family of APIs for iOS. That may require some code doing TCP reassembly like tun2socks.

Linux/iptables is supported. OpenBSD/pf and FreeBSD/ipfw may work with some hacks. The author has no permanent root access to machines running OpenBSD, FreeBSD and MacOSX to test and develop for these platforms.

Transocks is a similar project but it has a noticeable performance penalty.

Transsocks_ev is a similar project too, but it has no HTTPS-proxy support and does not support authentication.

Several Android apps also use redsocks under the hood: ProxyDroid and sshtunnel. And that's over 1'500'000 downloads! Wow!

Features

Redirect any TCP connection to Socks4, Socks5 or HTTPS (HTTP/CONNECT) proxy server.

Login/password authentication is supported for Socks5/HTTPS connections. Socks4 supports only a username; the password is ignored. For HTTPS, currently only the Basic and Digest schemes are supported.

Redirect UDP packets via Socks5 proxy server. NB: UDP still goes via UDP, so you can't relay UDP via OpenSSH.

Handle DNS/UDP queries by sending a "truncated reply" as the answer or by turning them into DNS/TCP queries to some recursive resolver.

Redirect any HTTP connection to a proxy that does not support transparent proxying (e.g. old SQUID had a broken `acl myport' for such connections).

Enforcing DNS over TCP using dnstc

DNS runs over UDP and that may be an issue in some environments, as proxy servers usually don't handle UDP as a first-class citizen. Redsocks includes dnstc, a fake and really dumb DNS server that returns a "truncated answer" to every query received via UDP. An RFC-compliant resolver should repeat the same query via TCP in this case, so the request can be redirected using the usual redsocks facilities.

Known compliant resolvers are:

  • bind9 (server);
  • dig, nslookup (tools based on bind9 code).

Known non-compliant resolvers are:

  • eglibc resolver fails without any attempt to send request via TCP;
  • powerdns-recursor can't properly startup without UDP connectivity as it can't load root hints.

On the other hand, DNS via TCP using bind9 may be painfully slow. If your bind9 setup is really slow, you may want to try pdnsd caching server that can run in TCP-only mode.

Relaying DNS/UDP to DNS/TCP via dnsu2t

The code acts as a DNS server that multiplexes several UDP queries into a single stream of TCP queries over a keep-alive connection to an upstream DNS server, which should be a recursive resolver. The TCP connection may be handled by redsocks itself if the firewall is configured with corresponding rules.

Different resolvers have different timeouts and allow a different number of in-flight connections, so you have to tune the options yourself for optimal performance (with some black magic, as a script testing for optimal DNS/TCP connection parameters is not written yet).

There are other programs doing a similar job (with, probably, different bugs).
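The two DNS tricks above, dnstc's TC=1 reply and dnsu2t's UDP-to-TCP framing, as an added Python illustration that is not part of redsocks' own code. The sample query bytes are constructed here; the header layout and the two-byte TCP length prefix are the ones RFC 1035 specifies.

```python
import struct

# Constructed sample: DNS/UDP query for "example.com" A, id 0x1234, RD bit set.
SAMPLE_QUERY = (
    b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
    b"\x07example\x03com\x00\x00\x01\x00\x01"
)

def parse_header(msg):
    """Return the six 16-bit DNS header fields (RFC 1035, section 4.1.1)."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    return {"id": ident, "flags": flags, "qdcount": qd,
            "ancount": an, "nscount": ns, "arcount": ar}

def dnstc_reply(query):
    """What dnstc does: echo id and question, set QR and TC, keep RD,
    carry no answer/authority/additional records at all."""
    h = parse_header(query)
    if h["flags"] & 0x8000:            # QR=1 means a response; not a query
        raise ValueError("not a query")
    flags = 0x8000 | 0x0200 | (h["flags"] & 0x0100)   # QR | TC | RD
    header = struct.pack("!6H", h["id"], flags, h["qdcount"], 0, 0, 0)
    return header + query[12:]         # question section copied verbatim

def udp_to_tcp(query):
    """DNS/TCP framing (RFC 1035, section 4.2.2): 2-byte big-endian length
    prefix, which is what dnsu2t has to prepend before writing to the
    keep-alive upstream connection."""
    return struct.pack("!H", len(query)) + query

def tcp_to_udp(stream):
    """Split a keep-alive TCP byte stream back into individual DNS messages.
    Returns (complete_messages, leftover_bytes); a partial trailing message
    stays in the leftover until more bytes arrive."""
    msgs, off = [], 0
    while off + 2 <= len(stream):
        n = struct.unpack("!H", stream[off:off + 2])[0]
        if off + 2 + n > len(stream):
            break
        msgs.append(stream[off + 2:off + 2 + n])
        off += 2 + n
    return msgs, stream[off:]
```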

Source

Source is available at GitHub.

The issue tracker is also at GitHub, but keep in mind that the project is not actively maintained, so feature requests will unlikely be implemented within a reasonable timeframe. Reproducible bugs with a clean description will likely be fixed. The destiny of hard-to-reproduce bugs is hard to predict.

New network protocols will unlikely be implemented within this source tree, but if you're looking for censorship circumvention protocols, you may want to take a look at redsocks2 by Zhuofei Wang AKA @semigodking, who is actively maintaining the fork with the GFW in mind.

License

All source code is licensed under Apache 2.0 license. You can get a copy at http://www.apache.org/licenses/LICENSE-2.0.html

Packages

Compilation

libevent-2.0.x is required.

gcc and clang are supported right now, other compilers can be used but may require some code changes.

Compilation is as easy as running make, there is no ./configure magic.

GNU Make works, other implementations of make were not tested.

Running

The program has the following command-line options:

  • -c sets proper path to config file ("./redsocks.conf" is default one)
  • -t tests config file syntax
  • -p set a file to write the getpid() into

The following signals are understood: SIGUSR1 dumps the list of connected clients to the log; SIGTERM and SIGINT terminate the daemon, closing all active connections.

You can see configuration file example in redsocks.conf.example.

iptables example

You have to build iptables with connection tracking and REDIRECT target.

# Create new chain
root# iptables -t nat -N REDSOCKS

# Ignore LANs and some other reserved addresses.
# See http://en.wikipedia.org/wiki/Reserved_IP_addresses#Reserved_IPv4_addresses
# and http://tools.ietf.org/html/rfc5735 for full list of reserved networks.
root# iptables -t nat -A REDSOCKS -d 0.0.0.0/8 -j RETURN
root# iptables -t nat -A REDSOCKS -d 10.0.0.0/8 -j RETURN
root# iptables -t nat -A REDSOCKS -d 100.64.0.0/10 -j RETURN
root# iptables -t nat -A REDSOCKS -d 127.0.0.0/8 -j RETURN
root# iptables -t nat -A REDSOCKS -d 169.254.0.0/16 -j RETURN
root# iptables -t nat -A REDSOCKS -d 172.16.0.0/12 -j RETURN
root# iptables -t nat -A REDSOCKS -d 192.168.0.0/16 -j RETURN
root# iptables -t nat -A REDSOCKS -d 198.18.0.0/15 -j RETURN
root# iptables -t nat -A REDSOCKS -d 224.0.0.0/4 -j RETURN
root# iptables -t nat -A REDSOCKS -d 240.0.0.0/4 -j RETURN

# Anything else should be redirected to port 12345
root# iptables -t nat -A REDSOCKS -p tcp -j REDIRECT --to-ports 12345

# Any tcp connection made by `luser' should be redirected.
root# iptables -t nat -A OUTPUT -p tcp -m owner --uid-owner luser -j REDSOCKS

# You can also control that in more precise way using `gid-owner` from
# iptables.
root# groupadd socksified
root# usermod --append --groups socksified luser
root# iptables -t nat -A OUTPUT -p tcp -m owner --gid-owner socksified -j REDSOCKS

# Now you can launch your specific application with GID `socksified` and it
# will be... socksified. See following commands (numbers may vary).
# Note: you may have to relogin to apply `usermod` changes.
luser$ id
uid=1000(luser) gid=1000(luser) groups=1000(luser),1001(socksified)
luser$ sg socksified -c id
uid=1000(luser) gid=1001(socksified) groups=1000(luser),1001(socksified)
luser$ sg socksified -c "firefox"

# If you want to configure socksifying router, you should look at
# doc/iptables-packet-flow.png, doc/iptables-packet-flow-ng.png and
# https://en.wikipedia.org/wiki/File:Netfilter-packet-flow.svg
# Note, you should have proper `local_ip' value to get external packets with
# redsocks, default 127.0.0.1 will not go. See iptables(8) manpage regarding
# REDIRECT target for details.
# Depending on your network configuration iptables conf. may be as easy as:
root# iptables -t nat -A PREROUTING --in-interface eth_int -p tcp -j REDSOCKS

Note about GID-based redirection

Keep in mind, that changed GID affects filesystem permissions, so if your application creates some files, the files will be created with luser:socksified owner/group. So, if you're not the only user in the group socksified and your umask allows to create group-readable files and your directory permissions, and so on, blah-blah, etc. THEN you may expose your files to another user. Ok, you have been warned.

Homepage

http://darkk.net.ru/redsocks/

Mailing list: redsocks@librelist.com.

Mailing list also has archives.

Author

This program was written by Leonid Evdokimov leon@darkk.net.ru