a Netfilter powered UDP proxy

Introduction

udpproxy proxies UDP flows using Netfilter's queuing capabilities. It is not just a UDP relay: the destination does not need to be known in advance. First, select the flows to be proxied with iptables. For example:

# iptables -A OUTPUT -p udp --dport 161 \
   --destination 172.16.100.0/23 -j NFQUEUE --queue-num 10

Then, udpproxy is launched and will relay the packets sent to queue 10:

# udpproxy -e "ssh somehost ./udpproxy" -q 10

The remote udpproxy does not have to run as root. It only uses unprivileged operations.

udpproxy does not handle fragmentation at all. If you use programs that send large packets, you should create a dummy interface with a large MTU and route packets to this interface. udpproxy will then receive the packets unfragmented and forward them to the remote proxy, which will rely on the operating system to handle fragmentation.
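The two points above (the destination is not known in advance, and fragments are not handled) can be seen in how a queued packet is inspected. The following is an added example, not udpproxy's own source: NFQUEUE hands userspace each packet starting at its IP header, so the original destination is read from the packet itself, and a fragment can be recognised and refused. The function, type and constant names are hypothetical, the sample packet is constructed, and checksums are not verified.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Result of inspecting one packet taken from an NFQUEUE queue. */
enum { FLOW_OK = 0, FLOW_MALFORMED = -1, FLOW_NOT_UDP = -2, FLOW_FRAGMENT = -3 };
struct udp_flow {
    uint8_t  src[4], dst[4];   /* IPv4 addresses, as they appear on the wire */
    uint16_t sport, dport;     /* UDP ports, host byte order */
    size_t   payload_len;      /* number of UDP payload bytes */
};
static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* pkt points at the IPv4 header, which is where a queued packet starts. */
int parse_queued_udp(const uint8_t *pkt, size_t len, struct udp_flow *f)
{
    if (len < 20 || (pkt[0] >> 4) != 4) return FLOW_MALFORMED;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;      /* header length in bytes */
    size_t total = be16(pkt + 2);                  /* IP total length */
    if (ihl < 20 || total > len || total < ihl) return FLOW_MALFORMED;
    if (pkt[9] != 17) return FLOW_NOT_UDP;         /* protocol 17 = UDP */
    /* More-fragments flag (0x2000) or a non-zero fragment offset (0x1fff). */
    if (be16(pkt + 6) & 0x3fff) return FLOW_FRAGMENT;
    if (total < ihl + 8) return FLOW_MALFORMED;
    size_t ulen = be16(pkt + ihl + 4);             /* UDP length, header included */
    if (ulen < 8 || ulen > total - ihl) return FLOW_MALFORMED;
    for (int i = 0; i < 4; i++) { f->src[i] = pkt[12 + i]; f->dst[i] = pkt[16 + i]; }
    f->sport = be16(pkt + ihl);
    f->dport = be16(pkt + ihl + 2);
    f->payload_len = ulen - 8;
    return FLOW_OK;
}

/* Constructed sample: 10.0.0.5:40000 -> 172.16.100.7:161, 4 payload bytes. */
static const uint8_t sample[] = {
    0x45,0x00,0x00,0x20, 0x00,0x01,0x00,0x00, 0x40,0x11,0x00,0x00,
    10,0,0,5, 172,16,100,7,
    0x9c,0x40, 0x00,0xa1, 0x00,0x0c, 0x00,0x00, 'p','i','n','g'
};

int main(void)
{
    struct udp_flow f;
    int rc = parse_queued_udp(sample, sizeof sample, &f);
    if (rc == FLOW_OK)
        printf("relay to %u.%u.%u.%u:%u (%zu bytes)\n", f.dst[0], f.dst[1],
               f.dst[2], f.dst[3], f.dport, f.payload_len);
    return rc == FLOW_OK ? 0 : 1;
}
```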

Installation

You can get udpproxy from the git repository:

$ git clone git://git.luffy.cx/udpproxy.git

udpproxy uses autotools, so you can build and install it with:

$ autoreconf -i
$ ./configure
$ make
$ sudo make install

You need libevent and libnetfilter_queue. If you don't have the latest one, only client-side operations will be allowed.

Usage

You can get help with:

$ udpproxy -h

A simple invocation starts udpproxy with the -e switch, which gives the command used to invoke the remote udpproxy, and the -q switch, which selects the Netfilter queue:

$ udpproxy -e "ssh somehost ./udpproxy" -q 10

On the server side, udpproxy needs root privileges. However, the remote one does not, and you usually want to run the ssh command as an unprivileged user. You can use the -u and -g switches for this:

# udpproxy -u 1000 -g 100 -e "ssh somehost ./udpproxy" -q 10

Or, with the help of the shell:

# udpproxy -u $(id -u) -g $(id -g) -e "ssh somehost ./udpproxy" -q 10