Merge pull request #8 from shadowy-pycoder/auto

Auto configuration for redirect proxy

Author: shadowy-pycoder

README.md

@@ -97,7 +97,7 @@ You can download the binary for your platform from [Releases](https://github.com
 Example:
 
 ```shell
-HPTS_RELEASE=v1.8.0; wget -v https://github.com/shadowy-pycoder/go-http-proxy-to-socks/releases/download/$HPTS_RELEASE/gohpts-$HPTS_RELEASE-linux-amd64.tar.gz -O gohpts && tar xvzf gohpts && mv -f gohpts-$HPTS_RELEASE-linux-amd64 gohpts && ./gohpts -h
+HPTS_RELEASE=v1.8.1; wget -v https://github.com/shadowy-pycoder/go-http-proxy-to-socks/releases/download/$HPTS_RELEASE/gohpts-$HPTS_RELEASE-linux-amd64.tar.gz -O gohpts && tar xvzf gohpts && mv -f gohpts-$HPTS_RELEASE-linux-amd64 gohpts && ./gohpts -h
 ```
 
 Alternatively, you can install it using `go install` command (requires Go [1.24](https://go.dev/doc/install) or later):
@@ -143,6 +143,8 @@ Options:
         Address of transparent proxy server (no HTTP)
   -U string
         User for HTTP proxy (basic auth). This flag invokes prompt for password (not echoed to terminal)
+  -auto
+        Automatically setup iptables for transparent proxy (requires elevated privileges)
   -body
         Collect request and response body for HTTP sniffing
   -c string
@@ -375,6 +377,16 @@ iptables -t nat -F GOHPTS
 iptables -t nat -X GOHPTS
 ```
 
+### Auto configuration for `redirect` mode
+
+To configure your system automatically, run the following command:
+
+```shell
+sudo env PATH=$PATH gohpts -d -T 8888 -M redirect -auto
+```
+
+Please note, automatic configuration requires `sudo` and is very generic, which might not be suitable for your needs.
+
 ## `tproxy` (via _MANGLE_ and _IP_TRANSPARENT_)
 
 [[Back]](#table-of-contents)

cmd/gohpts/cli.go

@@ -54,6 +54,7 @@ func root(args []string) error {
 			conf.TProxyMode = flagValue
 			return nil
 		})
+		flags.BoolVar(&conf.Auto, "auto", false, "Automatically setup iptables for transparent proxy (requires elevated privileges)")
 	}
 	flags.StringVar(&conf.LogFilePath, "logfile", "", "Log file path (Default: stdout)")
 	flags.BoolVar(&conf.Debug, "d", false, "Show logs in DEBUG mode")
@@ -101,6 +102,14 @@ func root(args []string) error {
 			return fmt.Errorf("transparent proxy mode requires -t or -T flag")
 		}
 	}
+	if seen["auto"] {
+		if !seen["t"] && !seen["T"] {
+			return fmt.Errorf("-auto requires -t or -T flag")
+		}
+		if conf.TProxyMode != "redirect" {
+			return fmt.Errorf("-auto is available only for -M redirect")
+		}
+	}
 	if seen["f"] {
 		for _, da := range []string{"s", "u", "U", "c", "k", "l"} {
 			if seen[da] {

gohpts.go

@@ -18,6 +18,7 @@ import (
 	"net"
 	"net/http"
 	"os"
+	"os/exec"
 	"os/signal"
 	"regexp"
 	"runtime"
@@ -86,6 +87,7 @@ type Config struct {
 	TProxy         string
 	TProxyOnly     string
 	TProxyMode     string
+	Auto           bool
 	LogFilePath    string
 	Debug          bool
 	Json           bool
@@ -107,6 +109,7 @@ type proxyapp struct {
 	httpServerAddr string
 	tproxyAddr     string
 	tproxyMode     string
+	auto           bool
 	user           string
 	pass           string
 	proxychain     chain
@@ -1143,6 +1146,99 @@ func (p *proxyapp) handler() http.HandlerFunc {
 	}
 }
 
+func (p *proxyapp) applyRedirectRules() string {
+	cmd0 := exec.Command("bash", "-c", `
+    set -ex
+    iptables -t nat -D PREROUTING -p tcp -j GOHPTS 2>/dev/null || true
+    iptables -t nat -D OUTPUT -p tcp -j GOHPTS 2>/dev/null || true
+    iptables -t nat -F GOHPTS 2>/dev/null || true
+    iptables -t nat -X GOHPTS 2>/dev/null || true
+    `)
+	cmd0.Stdout = os.Stdout
+	cmd0.Stderr = os.Stderr
+	if err := cmd0.Run(); err != nil {
+		p.logger.Fatal().Err(err).Msg("Failed while configuring iptables. Are you root?")
+	}
+	_, tproxyPort, _ := net.SplitHostPort(p.tproxyAddr)
+	cmd1 := exec.Command("bash", "-c", fmt.Sprintf(`
+    set -ex
+    iptables -t nat -N GOHPTS 2>/dev/null 
+    iptables -t nat -F GOHPTS 
+     
+    iptables -t nat -A GOHPTS -d 127.0.0.0/8 -j RETURN 
+    iptables -t nat -A GOHPTS -p tcp --dport %s -j RETURN
+    iptables -t nat -A GOHPTS -p tcp --dport 22 -j RETURN
+    `, tproxyPort))
+	cmd1.Stdout = os.Stdout
+	cmd1.Stderr = os.Stderr
+	if err := cmd1.Run(); err != nil {
+		p.logger.Fatal().Err(err).Msg("Failed while configuring iptables. Are you root?")
+	}
+	if p.httpServerAddr != "" {
+		_, httpPort, _ := net.SplitHostPort(p.httpServerAddr)
+		cmd2 := exec.Command("bash", "-c", fmt.Sprintf(`
+        set -ex
+        iptables -t nat -A GOHPTS -p tcp --dport %s -j RETURN
+        `, httpPort))
+		cmd2.Stdout = os.Stdout
+		cmd2.Stderr = os.Stderr
+		if err := cmd2.Run(); err != nil {
+			p.logger.Fatal().Err(err).Msg("Failed while configuring iptables. Are you root?")
+		}
+	}
+	cmd3 := exec.Command("bash", "-c", fmt.Sprintf(`
+    set -ex
+    if command -v docker >/dev/null 2>&1
+    then
+        for subnet in $(docker network inspect $(docker network ls -q) --format '{{range .IPAM.Config}}{{.Subnet}}{{end}}'); do
+          iptables -t nat -A GOHPTS -d "$subnet" -j RETURN
+        done
+    fi 
+
+    iptables -t nat -A GOHPTS -p tcp -j REDIRECT --to-ports %s
+
+    iptables -t nat -C PREROUTING -p tcp -j GOHPTS 2>/dev/null || \
+    iptables -t nat -A PREROUTING -p tcp -j GOHPTS
+
+    iptables -t nat -C OUTPUT -p tcp -j GOHPTS 2>/dev/null || \
+    iptables -t nat -A OUTPUT -p tcp -j GOHPTS
+    `, tproxyPort))
+	cmd3.Stdout = os.Stdout
+	cmd3.Stderr = os.Stderr
+	if err := cmd3.Run(); err != nil {
+		p.logger.Fatal().Err(err).Msg("Failed while configuring iptables. Are you root?")
+	}
+	cmd4 := exec.Command("bash", "-c", `
+    cat /proc/sys/net/ipv4/ip_forward
+    `)
+	output, err := cmd4.CombinedOutput()
+	if err != nil {
+		p.logger.Fatal().Err(err).Msg("Failed while configuring iptables. Are you root?")
+	}
+	cmd5 := exec.Command("bash", "-c", `
+    set -ex
+    sysctl -w net.ipv4.ip_forward=1
+    `)
+	cmd5.Stdout = os.Stdout
+	cmd5.Stderr = os.Stderr
+	_ = cmd5.Run()
+	return string(output)
+}
+
+func (p *proxyapp) clearRedirectRules(output string) error {
+	cmd := exec.Command("bash", "-c", fmt.Sprintf(`
+    set -ex
+    iptables -t nat -D PREROUTING -p tcp -j GOHPTS 2>/dev/null || true
+    iptables -t nat -D OUTPUT -p tcp -j GOHPTS 2>/dev/null || true
+    iptables -t nat -F GOHPTS 2>/dev/null || true
+    iptables -t nat -X GOHPTS 2>/dev/null || true
+    sysctl -w net.ipv4.ip_forward=%s
+    `, output))
+	cmd.Stdout = os.Stdout
+	cmd.Stderr = os.Stderr
+	return cmd.Run()
+}
+
 func (p *proxyapp) Run() {
 	done := make(chan bool)
 	quit := make(chan os.Signal, 1)
@@ -1151,6 +1247,10 @@ func (p *proxyapp) Run() {
 	if p.tproxyAddr != "" {
 		tproxyServer = newTproxyServer(p)
 	}
+	var output string
+	if p.auto {
+		output = p.applyRedirectRules()
+	}
 	if p.proxylist != nil {
 		chainType := p.proxychain.Type
 		var ctl string
@@ -1170,6 +1270,12 @@ func (p *proxyapp) Run() {
 	if p.httpServer != nil {
 		go func() {
 			<-quit
+			if p.auto {
+				err := p.clearRedirectRules(output)
+				if err != nil {
+					p.logger.Error().Err(err).Msg("Failed clearing iptables rules")
+				}
+			}
 			if tproxyServer != nil {
 				p.logger.Info().Msg("[tproxy] Server is shutting down...")
 				tproxyServer.Shutdown()
@@ -1205,6 +1311,12 @@ func (p *proxyapp) Run() {
 	} else {
 		go func() {
 			<-quit
+			if p.auto {
+				err := p.clearRedirectRules(output)
+				if err != nil {
+					p.logger.Error().Err(err).Msg("Failed clearing iptables rules")
+				}
+			}
 			p.logger.Info().Msg("[tproxy] Server is shutting down...")
 			tproxyServer.Shutdown()
 			close(done)
@@ -1259,20 +1371,26 @@ type serverConfig struct {
 	Server    server       `yaml:"server"`
 }
 
-func getFullAddress(v string) string {
+func getFullAddress(v string) (string, error) {
 	if v == "" {
-		return ""
-	}
-	var addr string
-	i, err := strconv.Atoi(v)
-	if err == nil {
-		addr = fmt.Sprintf("127.0.0.1:%d", i)
-	} else if strings.HasPrefix(v, ":") {
-		addr = fmt.Sprintf("127.0.0.1%s", v)
-	} else {
-		addr = v
+		return "", nil
+	}
+	if i, err := strconv.Atoi(v); err == nil {
+		return fmt.Sprintf("127.0.0.1:%d", i), nil
+	}
+	host, port, err := net.SplitHostPort(v)
+	if err != nil {
+		return "", err
+	}
+	if host != "" && port == "" {
+		return "", fmt.Errorf("port is missing")
+	}
+	if host != "" && port != "" {
+		return v, nil
+	} else if port != "" {
+		return fmt.Sprintf("127.0.0.1:%s", port), nil
 	}
-	return addr
+	return "", fmt.Errorf("failed parsing address")
 }
 
 func expandPath(p string) string {
@@ -1290,6 +1408,7 @@ func New(conf *Config) *proxyapp {
 	var p proxyapp
 	var logfile *os.File = os.Stdout
 	var snifflog *os.File
+	var err error
 	p.sniff = conf.Sniff
 	p.body = conf.Body
 	p.json = conf.Json
@@ -1418,9 +1537,19 @@ func New(conf *Config) *proxyapp {
 	p.tproxyMode = conf.TProxyMode
 	tproxyonly := conf.TProxyOnly != ""
 	if tproxyonly {
-		p.tproxyAddr = getFullAddress(conf.TProxyOnly)
+		p.tproxyAddr, err = getFullAddress(conf.TProxyOnly)
+		if err != nil {
+			p.logger.Fatal().Err(err).Msg("")
+		}
 	} else {
-		p.tproxyAddr = getFullAddress(conf.TProxy)
+		p.tproxyAddr, err = getFullAddress(conf.TProxy)
+		if err != nil {
+			p.logger.Fatal().Err(err).Msg("")
+		}
+	}
+	p.auto = conf.Auto
+	if p.auto && p.tproxyMode != "" && p.tproxyMode != "redirect" {
+		p.logger.Fatal().Msg("Auto setup is available only for redirect mode")
 	}
 	var addrHTTP, addrSOCKS, certFile, keyFile string
 	if conf.ServerConfPath != "" {
@@ -1437,7 +1566,10 @@ func New(conf *Config) *proxyapp {
 			if sconf.Server.Address == "" {
 				p.logger.Fatal().Err(err).Msg("[server config] Server address is empty")
 			}
-			addrHTTP = getFullAddress(sconf.Server.Address)
+			addrHTTP, err = getFullAddress(sconf.Server.Address)
+			if err != nil {
+				p.logger.Fatal().Err(err).Msg("")
+			}
 			p.httpServerAddr = addrHTTP
 			certFile = expandPath(sconf.Server.CertFile)
 			keyFile = expandPath(sconf.Server.KeyFile)
@@ -1452,7 +1584,10 @@ func New(conf *Config) *proxyapp {
 		}
 		seen := make(map[string]struct{})
 		for idx, pr := range p.proxylist {
-			addr := getFullAddress(pr.Address)
+			addr, err := getFullAddress(pr.Address)
+			if err != nil {
+				p.logger.Fatal().Err(err).Msg("")
+			}
 			if _, ok := seen[addr]; !ok {
 				seen[addr] = struct{}{}
 				p.proxylist[idx].Address = addr
@@ -1468,14 +1603,20 @@ func New(conf *Config) *proxyapp {
 		p.rrIndexReset = rrIndexMax
 	} else {
 		if !tproxyonly {
-			addrHTTP = getFullAddress(conf.AddrHTTP)
+			addrHTTP, err = getFullAddress(conf.AddrHTTP)
+			if err != nil {
+				p.logger.Fatal().Err(err).Msg("")
+			}
 			p.httpServerAddr = addrHTTP
 			certFile = expandPath(conf.CertFile)
 			keyFile = expandPath(conf.KeyFile)
 			p.user = conf.ServerUser
 			p.pass = conf.ServerPass
 		}
-		addrSOCKS = getFullAddress(conf.AddrSOCKS)
+		addrSOCKS, err = getFullAddress(conf.AddrSOCKS)
+		if err != nil {
+			p.logger.Fatal().Err(err).Msg("")
+		}
 		auth := proxy.Auth{
 			User:     conf.User,
 			Password: conf.Pass,

tproxy_linux.go

@@ -54,7 +54,7 @@ func newTproxyServer(pa *proxyapp) *tproxyServer {
 	if err != nil {
 		var msg string
 		if errors.Is(err, unix.EPERM) {
-			msg = "try `sudo setcap 'cap_net_admin+ep` for the binary:"
+			msg = "try `sudo setcap 'cap_net_admin+ep` for the binary or run with sudo:"
 		}
 		ts.pa.logger.Fatal().Err(err).Msg(msg)
 	}

version.go

@@ -1,3 +1,3 @@
 package gohpts
 
-const Version string = "gohpts v1.8.0"
+const Version string = "gohpts v1.8.1"