I use redsocks to redirect my traffic via a ssh -D connection on port 8080
When I point my browser's proxy to router:8080, I can access the following sites
When I leave my browser's proxy empty, iptables rules should catch the connection and redirect them to redsocks on port 12345 then to router:8080.

I can see that the connections are redirected to redsocks, but the sites doesn't load. Other https sites worked for me.

Sites are:
https://www.facebook.com/
https://plus.google.com

redsocks output for https://www.facebook.com/
1378343135.757457 redsocks.c:702 redsocks_accept_client(...) [192.168.1.149:50376->159.106.121.75:443]: accepted
1378343139.187509 redsocks.c:395 redsocks_shutdown(...) [192.168.1.149:50376->159.106.121.75:443]: both client and server disconnected
1378343139.187628 redsocks.c:332 redsocks_drop_client(...) [192.168.1.149:50376->159.106.121.75:443]: dropping client
1378343139.188126 redsocks.c:702 redsocks_accept_client(...) [192.168.1.149:50377->159.106.121.75:443]: accepted
1378343143.334325 redsocks.c:395 redsocks_shutdown(...) [192.168.1.149:50334->173.194.72.84:443]: both client and server disconnected
1378343143.334468 redsocks.c:332 redsocks_drop_client(...) [192.168.1.149:50334->173.194.72.84:443]: dropping client
1378343148.956355 redsocks.c:395 redsocks_shutdown(...) [192.168.1.149:50322->173.194.127.81:443]: both client and server disconnected
1378343148.956559 redsocks.c:332 redsocks_drop_client(...) [192.168.1.149:50322->173.194.127.81:443]: dropping client
1378343149.216688 redsocks.c:395 redsocks_shutdown(...) [192.168.1.149:50335->74.125.128.132:443]: both client and server disconnected
1378343149.216807 redsocks.c:332 redsocks_drop_client(...) [192.168.1.149:50335->74.125.128.132:443]: dropping client
1378343150.031977 redsocks.c:395 redsocks_shutdown(...) [192.168.1.149:50337->74.125.235.160:443]: both client and server disconnected
1378343150.032156 redsocks.c:332 redsocks_drop_client(...) [192.168.1.149:50337->74.125.235.160:443]: dropping client
1378343150.034353 redsocks.c:395 redsocks_shutdown(...) [192.168.1.149:50338->74.125.128.120:443]: both client and server disconnected
1378343150.034469 redsocks.c:332 redsocks_drop_client(...) [192.168.1.149:50338->74.125.128.120:443]: dropping client
1378343151.341934 redsocks.c:395 redsocks_shutdown(...) [192.168.1.149:50340->74.125.128.189:443]: both client and server disconnected
1378343151.342049 redsocks.c:332 redsocks_drop_client(...) [192.168.1.149:50340->74.125.128.189:443]: dropping client
1378343152.491525 redsocks.c:395 redsocks_shutdown(...) [192.168.1.149:50343->74.125.31.100:443]: both client and server disconnected
1378343152.491705 redsocks.c:332 redsocks_drop_client(...) [192.168.1.149:50343->74.125.31.100:443]: dropping client

Like discussed on the mailing list:
http://librelist.com/browser//redsocks/2012/5/15/transparent-proxy-dns-without-public-dns-server/#e8cb0f54932856f1c0cc9259e24cb089

1. implement a fake DNS resolver
2. catch DNS request
3. query the the proxy over TCP (option, because UDP is sometimes blocked) or UDP (option) to do the hostname resolution
4. give the result back to the fake DNS resolver

Hi,

Would be nice to see support for IPv6 added to redsocks.

and I cannot configure redirector to be fw.

Following discussion in #29 add a non forking option for systemd/upstart init systems to have cleaner restart-on-crash policy.

Hi.
I work since 3 months on a reverse tethering program for android.

I have problem with the redsocks program .I want to forward UDP (DNS)
The packet send from redsocks is well received in my java program. (rfc1928-socks5.txt -> UDP ASSOCIATE)
I decode the stream (reserved2 frag1 addrType1 adrN port2 dataN) send by redsocks to remove the header and pass the buffer to my host .
Host respond correctly (with dns answer),
I add an header (reserved2 frag1 addrType1 adrN port2 dataN) and send back to redsocks.

I got this error in redsock log :
1320607466.643320 redudp.c:471 redudp_pkt_from_socks(...) [192.168.1.2:62473->127.0.0.1:9500]: Got packet from unexpected address 127.0.0.1:9500.

It seams that redudp_pkt_from_socks() don't parse the header correctly

if (memcmp(&udprelayaddr, &client->udprelayaddr, sizeof(udprelayaddr)) != 0) {
    char buf[INET6_ADDRSTRLEN];
    const char *addr = inet_ntop(udprelayaddr.sin_family, &udprelayaddr.sin_addr, buf, sizeof(buf));
    redudp_log_error(client, LOG_NOTICE, "Got packet from unexpected address %s:%u.",
                     addr ? addr : "?", ntohs(udprelayaddr.sin_port));
    return;
} 

So I would like to compile the library to add traces (client->udprelayaddr) to understand the problem.

The question is how to compile redsocks (for android) ???
I am a basically a windows developper.

I installed kunbuntu on a virtual machine to compile, but when I run 'make' I have this error :
utils.h:6:19: fatal error: event.h: No such file or directory

Libevent is required. Do I need to add an "include" tag somewhere with the correct path ?
Do I have to compile libevent first and how ?

Any help ???
Thanks in adance

I used this program as a transparent proxy gateway.
In most time it works like a charm.

But seems it quite often get into out of file descriptor problem. It both happens on mipsel openwrt and x86 debian box.

here is the log when issue appears.
http://pastebin.com/5ZmXRZQm

And here is my lsof snapshot when this problem happens:
http://pastebin.com/0UuWeguF

Seems have something to do with not cleanly close the connection?

direct access to buffer in "struct evbuffer" is forbidden in newer version of libevent(2.0.10):
clang -g -O2 -std=gnu99 -Wall -c -o redsocks.o redsocks.c
redsocks.c:185:69: error: incomplete definition of type 'struct evbuffer'
log_vwrite(file, line, func, do_errno, priority, (const char)fmt->buffer, ap);
~~~^
In file included from redsocks.c:29:
In file included from /usr/include/event.h:194:
/usr/include/event2/buffer.h:78:8: note: forward declaration of 'struct evbuffer'
struct evbuffer;
^
1 error generated.
make: *_* [redsocks.o] Error 1

i guess evbuffer is not the best choice as variable length buffer of printf.

Hello,

It would be great if redsocks could support proxy chaining... something like this would be really cool:

redsocks {
...
via {
ip
port
type
via{...}
}
}

edited

redsocks should include trivial DNS proxy that forwards UDP DNS requests via TCP to some real DNS server.

Hi,

Commit 6f8312b introduced tracked_event_set, which is defined as:

static void tracked_event_set(
               struct tracked_event *tev, evutil_socket_t fd, short events,
               void (*callback)(evutil_socket_t, short, void *), void *arg)

However, evutil_socket_t is was first defined in libevent 2.0.1, thus compilation with libevent 1.4 is currently broken, preventing the package from building on e.g. Debian stable. The definition of evutil_socket_t is pretty straightforward, and could be included in redsocks for backwards compatibility (not very clean, I know):

/**
 * A type wide enough to hold the output of "socket()" or "accept()".  On
 * Windows, this is an intptr_t; elsewhere, it is an int. */
#ifdef WIN32
#define evutil_socket_t intptr_t
#else
#define evutil_socket_t int
#endif

Thanks,
Apollon

Redsocks is not receiving iptables redirection via -m owner --gid-owner. Version redsocks/0.4.

Here is my environment.

iptables:

IPT=/sbin/iptables

# Clean configurations.
$IPT -t nat -F 
$IPT -t nat --delete-chain REDSOCKS || true # ignore error

# Create new chain
$IPT -t nat -N REDSOCKS || true

# Any tcp connection made by group `socksified' should be redirected.
$IPT -t nat -A OUTPUT -p tcp -m owner --gid-owner socksified -j REDSOCKS
# $IPT -t nat -A OUTPUT -p tcp -j REDSOCKS

# Ignore LANs and some other reserved addresses.
# See http://en.wikipedia.org/wiki/Reserved_IP_addresses#Reserved_IPv4_addresses
# and http://tools.ietf.org/html/rfc5735 for full list of reserved networks.
$IPT -t nat -A REDSOCKS -p tcp -j LOG --log-level debug --log-prefix "[REDSOCKS]"
$IPT -t nat -A REDSOCKS -d 0.0.0.0/8 -j RETURN
$IPT -t nat -A REDSOCKS -d 10.0.0.0/8 -j RETURN
$IPT -t nat -A REDSOCKS -d 127.0.0.0/8 -j RETURN
$IPT -t nat -A REDSOCKS -d 169.254.0.0/16 -j RETURN
$IPT -t nat -A REDSOCKS -d 172.16.0.0/12 -j RETURN
$IPT -t nat -A REDSOCKS -d 192.168.0.0/16 -j RETURN
$IPT -t nat -A REDSOCKS -d 224.0.0.0/4 -j RETURN
$IPT -t nat -A REDSOCKS -d 240.0.0.0/4 -j RETURN

# Anything else should be redirected to port 8080
$IPT -t nat -A REDSOCKS -p tcp -j REDIRECT --to-ports 8080

redsocks.conf:

base {
        log_debug = on;
        log_info = on;
        log = "file:/var/log/redsocks.log";
        daemon = on;

        user = redsocks;
        group = redsocks;
        redirector = iptables;
}

redsocks {
        local_ip = 127.0.0.1;
        local_port = 8080;

        ip = myproxy;
        port = 8080;

        type = http-connect;
}

Here are the groups for my user bruno:

$ id
uid=1000(bruno) gid=1000(bruno) groups=1000(bruno),4(adm),24(cdrom),27(sudo),30(dip),33(www-data),46(plugdev),108(lpadmin),110(sambashare),1001(wireshark),1002(socksified)

Tried with multiple groups.
Changing it to a user id, as -m owner --uid-owner bruno works.

I have installed REDSOCKS on latest ubuntu server. It has two interfaces

Client (192.168.1.21/24) -->int eth1(192.168.1.1/24) of Ubuntu server --Redsocks --int eth0(172.18.185.14/22) of Ubuntu Server -->ISP Proxy (172.28.21.240:8080) -->Internet

Client does not have the ability to configure proxy server
Redsocks.conf file
base{
log_debug=on;
log_info=on;
log= "syslog:daemon";
daemon=on;
redirector=iptables;
}
redsocks {
local_ip=192.168.1.1;
local_port=12345;
ip=172.28.21.240;
port=8080;
type=socks5;
}

Contents of iptables
*nat
:PREROUTING ACCEPT[217:36158]
:INPUT ACCEPT [1147:90444]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT[0:0]
:REDSOCKS - [0:0]

-A PREROUTING -i eth1 -p tcp -j REDSOCKS
-A POSTROUTING -o eth0 -j MASQUERADE
-A REDSOCKS -d 0.0.0.0/8 -j RETURN
-A REDSOCKS -d 127.0.0.0/8 -j RETURN
-A REDSOCKS -d 192.168.0.0/16 RETURN
-A REDSOCKS -p tcp -j REDIRECT --to-ports 12345

*filter
:INPUT ACCEPT [10732:923988]
:FORWARD ACCEPT[581:108005]
:OUTPUT ACCEPT[7693:310754]
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT

With the above configuration client can not access internet.

Please give some help.

Hi!
Shadowsocks user here.

Shadowsocks apparently has redsocks under the hood, so I decided to go here in hope of some englightment.

Usecase:

1. Force UDP AND TCP traffic that is going to a specific remote port to go through the proxy
2. Force UDP AND TCP traffic originating from a specific port range to go through the proxy

Why:
Impromptu SIP/VoIP hardening (because DTLS implementation on my softphone and my TURN server sucks royally)

Any hint? Sorry I'm not good in C :(

cc -g -O2 -std=gnu99 -Wall   -c -o redsocks.o redsocks.c
In file included from redsocks.c:18:
/usr//include/arpa/inet.h:74: warning: 'struct in_addr' declared inside parameter list
/usr//include/arpa/inet.h:74: warning: its scope is only this definition or declaration, which is probably not what you want
/usr//include/arpa/inet.h:75: warning: 'struct in_addr' declared inside parameter list
In file included from redsocks.c:27:
list.h:34:1: warning: "LIST_HEAD" redefined
In file included from /usr//include/event.h:166,
                 from redsocks.c:26:
/usr//include/sys/queue.h:167:1: warning: this is the location of the previous definition
redsocks.c: In function 'redsocks_onenter':
redsocks.c:87: error: 'AF_INET' undeclared (first use in this function)
redsocks.c:87: error: (Each undeclared identifier is reported only once
redsocks.c:87: error: for each function it appears in.)
redsocks.c: In function 'redsocks_relay_writecb':
redsocks.c:212: error: 'SHUT_WR' undeclared (first use in this function)
redsocks.c: In function 'redsocks_shutdown':
redsocks.c:312: error: 'SHUT_RD' undeclared (first use in this function)
redsocks.c:312: error: 'SHUT_WR' undeclared (first use in this function)
redsocks.c:312: error: 'SHUT_RDWR' undeclared (first use in this function)
redsocks.c:341: warning: implicit declaration of function 'shutdown'
redsocks.c: In function 'redsocks_event_error':
redsocks.c:380: error: 'SHUT_RD' undeclared (first use in this function)
redsocks.c:383: error: 'SHUT_WR' undeclared (first use in this function)
redsocks.c: In function 'redsocks_accept_client':
redsocks.c:544: warning: implicit declaration of function 'accept'
redsocks.c:555: warning: implicit declaration of function 'setsockopt'
redsocks.c:555: error: 'SOL_SOCKET' undeclared (first use in this function)
redsocks.c:555: error: 'SO_KEEPALIVE' undeclared (first use in this function)
redsocks.c: In function 'redsocks_debug_dump_instance':
redsocks.c:639: warning: format '%li' expects type 'long int', but argument 17 has type 'time_t'
redsocks.c:639: warning: format '%li' expects type 'long int', but argument 18 has type 'time_t'
redsocks.c: In function 'redsocks_init_instance':
redsocks.c:673: warning: implicit declaration of function 'socket'
redsocks.c:673: error: 'AF_INET' undeclared (first use in this function)
redsocks.c:673: error: 'SOCK_STREAM' undeclared (first use in this function)
redsocks.c:679: error: 'SOL_SOCKET' undeclared (first use in this function)
redsocks.c:679: error: 'SO_REUSEADDR' undeclared (first use in this function)
redsocks.c:685: warning: implicit declaration of function 'bind'
redsocks.c:697: warning: implicit declaration of function 'listen'
gmake: *** [redsocks.o] Error 1

kern.version=OpenBSD 4.8-current (GENERIC.MP) #605: Fri Dec 31 02:27:56 MST 2010
    [email protected]:/usr/src/sys/arch/i386/compile/GENERIC.MP

c -g -O2 -std=gnu99 -Wall -c -o utils.o utils.c
utils.c: In function ‘red_recv_udp_pkt’:
utils.c:58: error: ‘IP_ORIGDSTADDR’ undeclared (first use in this function)
utils.c:58: error: (Each undeclared identifier is reported only once
utils.c:58: error: for each function it appears in.)

darkk-redsocks-070bd77.zip
libevent 2.0.xx
ubuntu i386

utils.c: In function 'red_recv_udp_pkt':
utils.c:58:24: error: 'IP_ORIGDSTADDR' undeclared (first use in this function)
utils.c:58:24: note: each undeclared identifier is reported only once for each function it appears in

utils.c: In function 'red_recv_udp_pkt':
utils.c:58:24: error: 'IP_ORIGDSTADDR' undeclared (first use in this function)
utils.c:58:24: note: each undeclared identifier is reported only once for each function it appears in

misuzi@ubuntu:/openwrt/trunk/staging_dir/toolchain-mipsel_gcc-4.6-linaro_uClibc-0.9.33.2/include$ grep IP_ORIGDSTADDR netinet/in.h
misuzi@ubuntu:/openwrt/trunk/staging_dir/toolchain-mipsel_gcc-4.6-linaro_uClibc-0.9.33.2/include$

It would be good to have release tarballs to mark milestones. It helps a lot for distro packaging.
Thanks.

I cannot find a UDP with TPROXY iptables example in redsocks's documents. "redudp" part In redsocks.conf imply redsocks is able to redirect UDP packets, but I don't know how to implement that.

If possible, please provide a example of iptables in redirect UDP packets.

Thank you.

It looks like the connections are not being forwarded. This is the log that I get, any help is appreciated.

1305830541.173614 main.c:136 main(...) redsocks started
1305830541.182220 redsocks.c:661 redsocks_accept_client(...) [127.0.0.1:34235->127.0.0.1:8123]: accepted
1305830545.314117 redsocks.c:661 redsocks_accept_client(...) [127.0.0.1:40204->127.0.0.1:8123]: accepted
1305830545.567657 redsocks.c:661 redsocks_accept_client(...) [127.0.0.1:50745->127.0.0.1:8123]: accepted
1305830589.952484 redsocks.c:661 redsocks_accept_client(...) [127.0.0.1:51955->127.0.0.1:8123]: accepted
1305830642.700012 redsocks.c:661 redsocks_accept_client(...) [127.0.0.1:37212->127.0.0.1:8123]: accepted
1305830648.518951 main.c:142 main(...) redsocks goes down
1305830648.519439 redsocks.c:805 redsocks_fini_instance(...) There are connected clients during shutdown! Disconnecting them.
1305830648.520324 redsocks.c:310 redsocks_drop_client(...) [127.0.0.1:37212->127.0.0.1:8123]: dropping client
1305830648.521179 redsocks.c:310 redsocks_drop_client(...) [127.0.0.1:51955->127.0.0.1:8123]: dropping client
1305830648.521697 redsocks.c:310 redsocks_drop_client(...) [127.0.0.1:50745->127.0.0.1:8123]: dropping client
1305830648.522125 redsocks.c:310 redsocks_drop_client(...) [127.0.0.1:40204->127.0.0.1:8123]: dropping client
1305830648.522552 redsocks.c:310 redsocks_drop_client(...) [127.0.0.1:34235->127.0.0.1:8123]: dropping client
1305830649.680297 main.c:136 main(...) redsocks started
1305830649.683410 redsocks.c:661 redsocks_accept_client(...) [127.0.0.1:41455->127.0.0.1:8123]: accepted
1305830650.465576 redsocks.c:661 redsocks_accept_client(...) [127.0.0.1:42284->127.0.0.1:8123]: accepted
1305830684.795745 redsocks.c:661 redsocks_accept_client(...) [127.0.0.1:45418->127.0.0.1:8123]: accepted
1305830686.044189 redsocks.c:661 redsocks_accept_client(...) [127.0.0.1:60882->127.0.0.1:8123]: accepted
1305830686.594207 main.c:142 main(...) redsocks goes down
1305830686.594482 redsocks.c:805 redsocks_fini_instance(...) There are connected clients during shutdown! Disconnecting them.
1305830686.594665 redsocks.c:310 redsocks_drop_client(...) [127.0.0.1:60882->127.0.0.1:8123]: dropping client
1305830686.595642 redsocks.c:310 redsocks_drop_client(...) [127.0.0.1:45418->127.0.0.1:8123]: dropping client
1305830686.596221 redsocks.c:310 redsocks_drop_client(...) [127.0.0.1:42284->127.0.0.1:8123]: dropping client
1305830686.596740 redsocks.c:310 redsocks_drop_client(...) [127.0.0.1:41455->127.0.0.1:8123]: dropping client

Following discussion in #29, add a -u, --user option that allows redsocks
to drop root privileges and switch to the given userid. This will mean
questionable usage of su in init scripts can be dropped.

redudp.c has been using tfind / tsearch functions (defined in <search.h>) since commit 709646d, which causes the failure of cross-compiling for Android, because the Android standalone toolchain doesn't provide <search.h>, neither does it implements tfind related functions.

A quick fix can be done by downloading the missing files from here, put them into the redsocks repo, and update Makefile to add these dependencies. (tested on my machine and it works)

What do you think?

Redsocks does not work with UDP .
REDUDP configured but doesnt work in client side .

add option to limit the maximum size of log file

When built on Mac, I got .depend:1: *** missing separator. Stop.

make --version

GNU Make 3.81
Copyright (C) 2006  Free Software Foundation, Inc.
This is free software; see the source for copying conditions.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.

This program built for i386-apple-darwin11.3.0

Hi,

In its main loop, redsocks accept()s new connections and simply retries if accept() returns an error. However, this leads to an infinite loop in the following corner case:

1. If redsocks has reached its open file limit and
2. a new connection is being accept()ed,
3. then accept() fails because it cannot create a new file descriptor for the incoming connection, however
4. the client connection stays in the listening socket's backlog and thus
5. the listening socket appears EV_READ-ready and thus we immediately loop back to 2.

This loop causes 100% CPU utilization and logfile flooding with redsocks[1187]: accept: Too many open files, until a client connection is closed.

There are a number of ways to solve this (e.g. check that accept() does not return EMFILE and throttle), although IMHO the best one would be to perform a getrlimit(RLIMIT_NOFILE) on startup and keep track of how many fd's are currently in use before accept()ing. setrlimit() support would also be nice by the way ;-)

Thanks,
Apollon

When I try to compile source I get message:
root@linux:/home/test/1/darkk-redsocks-2b6dcc8# make
cc -g -O2 -std=gnu99 -Wall -c -o redsocks.o redsocks.c
redsocks.c: In function 'redsocks_log_write_plain':
redsocks.c:185: error: dereferencing pointer to incomplete type
make: *** [redsocks.o] Error 1

My gcc version is

root@linux:/home/test/1/darkk-redsocks-2b6dcc8# gcc -v
Using built-in specs.
Target: i486-linux-gnu
Configured with: ../src/configure -v --with-pkgversion='Ubuntu 4.3.3-5ubuntu4' -
-with-bugurl=file:///usr/share/doc/gcc-4.3/README.Bugs --enable-languages=c,c++,
fortran,objc,obj-c++ --prefix=/usr --enable-shared --with-system-zlib --libexecd
ir=/usr/lib --without-included-gettext --enable-threads=posix --enable-nls --wit
h-gxx-include-dir=/usr/include/c++/4.3 --program-suffix=-4.3 --enable-clocale=gn
u --enable-libstdcxx-debug --enable-objc-gc --enable-mpfr --enable-targets=all -
-with-tune=generic --enable-checking=release --build=i486-linux-gnu --host=i486-
linux-gnu --target=i486-linux-gnu
Thread model: posix
gcc version 4.3.3 (Ubuntu 4.3.3-5ubuntu4)

uname -a
root@linux:/home/test/1/darkk-redsocks-2b6dcc8# uname -a
Linux colinux 2.6.33.7-co-0.7.9 #1 PREEMPT Mon Jan 31 22:17:54 UTC 2011 i686 GNU
/Linux

Where I work they use an old version (or a modified one) of redsocks that feature a fallback ip option (fip= in the redsocks.conf).

Are you aware of this option? How does it works? How can I implement it with the last version of redsocks?

Thanks in advance!!!!!

I'm having trouble resolving hostnames using redsocks.

When I access an IP address directly I can view the webpage however browsing to the hostname does not work.

My setup:
Raspberry Pi B+ 1 running Raspbian Jessie acting as a router with hostapd and dnsmasq. I'm using two identical wireless dongles. One is the main AP for all devices. The other dongle is creating another AP just for my iPhone to connect to which is running the proxy server (3proxy).

Here is my redsocks.conf:

base {
// debug: connection progress & client list on SIGUSR1
log_debug = off;

// info: start and end of client session
log_info = on;

/* possible `log' values are:
 *   stderr
 *   "file:/path/to/file"
 *   syslog:FACILITY  facility is any of "daemon", "local0"..."local7"
 */
log = "syslog:daemon";

// detach from console
daemon = on;

/* Change uid, gid and root directory, these options require root
 * privilegies on startup.
 * Note, your chroot may requre /etc/localtime if you write log to syslog.
 * Log is opened before chroot & uid changing.
 */
user = redsocks;
group = redsocks;
// chroot = "/var/chroot";

/* possible `redirector' values are:
 *   iptables   - for Linux
 *   ipf        - for FreeBSD
 *   pf         - for OpenBSD
 *   generic    - some generic redirector that MAY work
 */
redirector = iptables;
}

redsocks {
/* `local_ip' defaults to 127.0.0.1 for security reasons,
 * use 0.0.0.0 if you want to listen on every interface.
 * `local_*' are used as port to redirect to.
 */
local_ip = 0.0.0.0;
local_port = 1081;

// `ip' and `port' are IP and tcp-port of proxy-server
// You can also use hostname instead of IP, only one (random)
// address of multihomed host will be used.
ip = 10.10.10.10;
port = 1080;


// known types: socks4, socks5, http-connect, http-relay
type = socks5;

// login = "foobar";
// password = "baz";
}

redudp {
// local_ip' should not be 0.0.0.0 as it's also used for outgoing
// packets that are sent as replies - and it should be fixed
// if we want NAT to work properly.
local_ip = 127.0.0.1;
local_port = 10053;

// ip' and `port' of socks5 proxy server.
ip = 10.10.10.10;
port = 1080;
//login = username;
//password = pazzw0rd;

// kernel does not give us this information, so we have to duplicate it
// in both iptables rules and configuration file.  By the way, you can
// set `local_ip' to 127.45.67.89 if you need more than 65535 ports to
// forward ;-)
// This limitation may be relaxed in future versions using contrack-tools.
dest_ip = 8.8.8.8;
dest_port = 53;

udp_timeout = 30;
udp_timeout_stream = 180;
}

dnstc {
// fake and really dumb DNS server that returns "truncated answer" to
// every query via UDP, RFC-compliant resolver should repeat same query
// via TCP in this case.
local_ip = 127.0.0.1;
local_port = 5300;
}

And here are my firewall settings with iptables (which I don't know much about so am assuming is where the problem lies):

Chain PREROUTING (policy ACCEPT)
target prot opt source destination
REDSOCKS tcp -- anywhere anywhere

Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
REDSOCKS udp -- anywhere anywhere
REDSOCKS tcp -- anywhere anywhere

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination

Chain REDSOCKS (3 references)
target prot opt source destination
RETURN all -- anywhere default/8
RETURN all -- anywhere 10.0.0.0/8
RETURN all -- anywhere loopback/8
RETURN all -- anywhere link-local/16
RETURN all -- anywhere 172.16.0.0/12
RETURN all -- anywhere 224.0.0.0/4
RETURN all -- anywhere 240.0.0.0/4
REDIRECT tcp -- anywhere anywhere redir ports 1081
REDIRECT udp -- anywhere anywhere redir ports 10053

Any help you can give would be great. Like I said I can access IP addresses directly but can't get hostnames to resolve.

When configuring the browser to use socks through the phone when they are on the same network works just fine but I want to make the Pi a transparent socks proxy router and don't want to have to configure each device to use the socks proxy.

Thanks

How to config redsocks (and iptables?) so that the machine can act as a DNS resolver (that all DNS queries are handled through redsocks - (before redsocks delegates to some other local dns service)). Would be nice to have all DNS queries logged too

In redoscks.service it says:
EnvironmentFile=/etc/conf.d/redsocks

But this file is not created by default.

I just grabbed the latest version of redsocks and tried to build it on MacOS 10.8.2. There were a number of compilation errors all caused by SOL_IP not being declared. Am I missing any libraries or should this be declared by the makefile?

FYI: I temporarily worked around the issue by adding "-DSOL_IP=IPPROTO_IP" to the CFLAGS in the Makefile. This at least allowed me to compile & run redsocks.

Currently redsocks can't reopen log files. Workaround is to log to syslog and let syslog handle log rotation.

Hi, I'm trying to compile redsocks on OpenIndiana 151a system, but it failed as seen as below:

make

Unknown system, only generic firewall code is compiled
gcc -g -O2 -std=gnu99 -Wall -c -o parser.o parser.c
gcc -g -O2 -std=gnu99 -Wall -c -o main.o main.c
main.c: In function âmainâ:
main.c:139:3: warning: format â%dâ expects argument of type âintâ, but argument 3 has type âpid_tâ [-Wformat]
gcc -g -O2 -std=gnu99 -Wall -c -o redsocks.o redsocks.c
gcc -g -O2 -std=gnu99 -Wall -c -o log.o log.c
gcc -g -O2 -std=gnu99 -Wall -c -o http-connect.o http-connect.c
gcc -g -O2 -std=gnu99 -Wall -c -o socks4.o socks4.c
gcc -g -O2 -std=gnu99 -Wall -c -o socks5.o socks5.c
gcc -g -O2 -std=gnu99 -Wall -c -o http-relay.o http-relay.c
gcc -g -O2 -std=gnu99 -Wall -c -o base.o base.c
gcc -g -O2 -std=gnu99 -Wall -c -o base64.o base64.c
gcc -g -O2 -std=gnu99 -Wall -c -o md5.o md5.c
gcc -g -O2 -std=gnu99 -Wall -c -o http-auth.o http-auth.c
gcc -g -O2 -std=gnu99 -Wall -c -o utils.o utils.c
In file included from utils.c:28:0:
libc-compat.h:11:5: warning: #warning Using hardcoded value for IP_ORIGDSTADDR as libc headers do not define it. [-Wcpp]
libc-compat.h:16:5: warning: #warning Using hardcoded value for IP_RECVORIGDSTADDR as libc headers do not define it. [-Wcpp]
libc-compat.h:21:5: warning: #warning Using hardcoded value for IP_TRANSPARENT as libc headers do not define it. [-Wcpp]
utils.c: In function âred_recv_udp_pktâ:
utils.c:43:5: error: âstruct msghdrâ has no member named âmsg_controlâ
utils.c:44:5: error: âstruct msghdrâ has no member named âmsg_controllenâ
utils.c:56:15: warning: implicit declaration of function âCMSG_FIRSTHDRâ [-Wimplicit-function-declaration]
utils.c:56:31: warning: initialization makes pointer from integer without a cast [enabled by default]
utils.c:56:3: error: declaration of non-variable âCMSG_FIRSTHDRâ in âforâ loop initial declaration
utils.c:56:15: warning: implicit declaration of function âCMSG_NXTHDRâ [-Wimplicit-function-declaration]
utils.c:56:63: warning: assignment makes pointer from integer without a cast [enabled by default]
utils.c:58:25: error: âSOL_IPâ undeclared (first use in this function)
utils.c:58:25: note: each undeclared identifier is reported only once for each function it appears in
utils.c:60:5: warning: implicit declaration of function âCMSG_LENâ [-Wimplicit-function-declaration]
utils.c:62:44: warning: implicit declaration of function âCMSG_DATAâ [-Wimplicit-function-declaration]
make: *** [utils.o] Error 1

I don't know how could redsocks be compiled on Solaris system or not, please give a hand on it. Thanks.

Hi,

I'm trying to set up redsocks on my mac machine. I got it running, but I'm not sure how to configure pf to redirect traffic to it. With iptables I can do:

iptables -t nat -A REDSOCKS -p tcp -j REDIRECT --to-ports 12345

But with pf I'm not sure. This is one configuration I found:

match out on en0 from any to 10.0.0.0/8 nat-to 127.0.0.1

I only want to route traffic for 10.0.0.0/8 through redsocks. I never found an option to specify the port .

And I'm also interested in learning more how redsocks works internally? If all traffic goes to one port how can it know where to forward the connection? Does the request to 127.0.0.1:12345 still contain the original headers?

1. lock() pid-file to check if the process is still alive
2. remove pidfile on shutdown

Hi,

thanks for your redsocks first!

But can there be a feature to define "parent" tcp-port of proxy-server based on destination ip, network as there are probably multiple redsocks block allowed?

Current:

redsocks {
local_ip = 0.0.0.0;
local_port = 12345;
ip = 127.0.0.1;
port = 1081;
type = socks5;
}

We would like:

redsocks {
local_ip = 0.0.0.0;
local_port = 12345;
dest_ip = 192.168.1.10
ip = 127.0.0.1;
port = 1081;
type = socks5;
}

redsocks {
local_ip = 0.0.0.0;
local_port = 12345;
dest_net = 10.3.37.0/24
ip = 127.0.0.1;
port = 1082;
type = socks5;
}

It would be great! Thanks.

Hi there!
Thank you very much for UDP-support but actually there is a little lack of documentation about how it works. Darkk wrote that there may be a way to dynamicly redirect udp packets with the help of libnetfilter_conntrack but it would be nice if there would be a howto or an example.

It would be great! Thanks.

Hello,

Currently, I'm trying to have a DNS which send back my Squid IP when querying some URL
I also configured redsocks to listen to 443 port and to use 'http-connect" to transfer the connection to my Squid proxy but I realized that the "CONNECT" HTTP header use IP instead of FQDN (so IP of the Squid box, so not the domain I'm trying to redirect the HTTPS connection to.

Would it be possible to "build" the HTTP header "CONNECT" with the FQDN instead of the IP?

(sorry for my English, I'm not a native speaker)

It would be nice to avoid accept()/close() pair when the destination is down or refuses connection.

Current behavior may confuse user and makes transparent proxy not-so-transparent.

See http://librelist.com/browser//redsocks/2012/7/31/a-redsocks-detail-question/

Hello,

It seems the code is not compatible with recent OpenBSD version (note that I didn't try with older versions).

cc -g -O2 -std=gnu99 -Wall -c -o parser.o parser.c
parser.c: In function 'vp_in_addr':
parser.c:304: error: 'AI_ADDRCONFIG' undeclared (first use in this function)
parser.c:304: error: (Each undeclared identifier is reported only once
parser.c:304: error: for each function it appears in.)
gmake: *** [parser.o] Error 1

Run the log size limit increased functionality

Redsocks compiles just fine on my Debian installation, but there is an issue if I try to run it. Not sure if this is limited to just a specific version of Debian (mine is 8.1) but I reproduced this issue on several machines. When I try to run it, I get this message:
$ ./redsocks -c redsocks.conf
1436994266.548607 base.c:352 base_init(...) getgrnam(nobody): Success
And no workers start up for Redsocks. Printing out the input to getgrnam(group), I noticed that the group value is nobody, which is not a valid group. By changing the input to nogroup, I was able to start Redsocks.

While running resocks for one/two days, it stops providing service and generates error: too many open files.
After investigation, i believe this issue is caused by hung connections in some cases.

Here is dump for redsocks which runs for less than a day.

Aug 13 14:03:47 OpenWrt daemon.debug redsocks[3823]: Dumping client list for instance 0x426288:
Aug 13 14:03:47 OpenWrt daemon.debug redsocks[3823]: End of client list.
Aug 13 14:03:47 OpenWrt daemon.debug redsocks[3823]: Dumping client list for instance 0x426168:
Aug 13 14:03:47 OpenWrt daemon.debug redsocks[3823]: [192.168.10.101:41502->74.125.71.132:80]: client: 63 (-/W) SHUT_RD, relay: 64 (-/-) SHUT_WR, age: 19578 sec, idle: 19525 sec.
Aug 13 14:03:47 OpenWrt daemon.debug redsocks[3823]: [192.168.10.101:46380->74.125.71.132:80]: client: 57 (-/W) SHUT_RD, relay: 58 (-/-) SHUT_WR, age: 19578 sec, idle: 19525 sec.
Aug 13 14:03:47 OpenWrt daemon.debug redsocks[3823]: [192.168.10.101:60613->74.125.71.132:80]: client: 55 (-/W) SHUT_RD, relay: 56 (-/-) SHUT_WR, age: 19578 sec, idle: 19525 sec.
Aug 13 14:03:47 OpenWrt daemon.debug redsocks[3823]: [192.168.10.101:38119->74.125.71.120:80]: client: 53 (-/W) SHUT_RD, relay: 54 (-/-) SHUT_WR, age: 19578 sec, idle: 19525 sec.
Aug 13 14:03:47 OpenWrt daemon.debug redsocks[3823]: [192.168.10.101:47581->74.125.71.132:80]: client: 49 (-/W) SHUT_RD, relay: 50 (-/-) SHUT_WR, age: 19581 sec, idle: 19578 sec.
Aug 13 14:03:47 OpenWrt daemon.debug redsocks[3823]: [192.168.10.101:37708->74.125.71.132:80]: client: 47 (-/W) SHUT_RD, relay: 48 (-/-) SHUT_WR, age: 19581 sec, idle: 19578 sec.
Aug 13 14:03:47 OpenWrt daemon.debug redsocks[3823]: [192.168.10.101:47209->74.125.71.132:80]: client: 45 (-/W) SHUT_RD, relay: 46 (-/-) SHUT_WR, age: 19581 sec, idle: 19578 sec.
Aug 13 14:03:47 OpenWrt daemon.debug redsocks[3823]: [192.168.10.101:53661->74.125.71.120:80]: client: 41 (-/W) SHUT_RD, relay: 42 (-/-) SHUT_WR, age: 19581 sec, idle: 19578 sec.
root@OpenWrt:# cat /proc/net/sockstat
sockets: used 75
TCP: inuse 6 orphan 0 tw 2 alloc 46 mem 1
UDP: inuse 2
UDPLITE: inuse 0
RAW: inuse 0
FRAG: inuse 0 memory 0
root@OpenWrt:#

Hi, I'm trying to connect to i2p network through a ssh tunnel.
So I have a ssh session to my external server:

ssh -vvv -ND localhost:1234 user@my_server

I have this iptables rules:

iptables --flush REDSOCKS

#iptables -F
#iptables -X
#iptables -t nat -F
#iptables -t nat -X
#iptables -t mangle -F
#iptables -t mangle -X
#iptables -P INPUT ACCEPT
#iptables -P FORWARD ACCEPT
#iptables -P OUTPUT ACCEPT

iptables -t nat -N REDSOCKS

iptables -t nat -A REDSOCKS -d 0.0.0.0/8 -j RETURN
iptables -t nat -A REDSOCKS -d 10.0.0.0/8 -j RETURN
iptables -t nat -A REDSOCKS -d 127.0.0.0/8 -j RETURN
iptables -t nat -A REDSOCKS -d 169.254.0.0/16 -j RETURN
iptables -t nat -A REDSOCKS -d 172.16.0.0/12 -j RETURN
iptables -t nat -A REDSOCKS -d 192.168.0.0/16 -j RETURN
iptables -t nat -A REDSOCKS -d 224.0.0.0/4 -j RETURN
iptables -t nat -A REDSOCKS -d 240.0.0.0/4 -j RETURN

iptables -t nat -A REDSOCKS -p tcp -j REDIRECT --to-ports 12345
iptables -t nat -A REDSOCKS -p udp -j REDIRECT --to-ports 12346

iptables -t nat -A OUTPUT -p tcp -m owner --gid-owner anon -j REDSOCKS
iptables -t nat -A OUTPUT -p udp -m owner --gid-owner anon -j REDSOCKS

iptables -v -t nat -A PREROUTING --in-interface eth0 -p tcp -j REDSOCKS
iptables -v -t nat -A PREROUTING --in-interface eth0 -p udp -j REDSOCKS

And I have this /etc/redsocks.conf:

base {
    log_debug = off;
    log_info = on;
    log = "syslog:daemon";
    daemon = on;
    user = redsocks;
    group = redsocks;
    redirector = iptables;
}

redsocks {
    local_ip = 127.0.0.1;
    local_port = 12345;
    ip = 127.0.0.1;
    port = 1234;
    type = socks5;
}

redudp {
    local_ip = 127.0.0.1;
    local_port = 12346;
    ip = 127.0.0.1;
    port = 1234;
    udp_timeout = 30;
    udp_timeout_stream = 180;
}

dnstc {
    local_ip = 127.0.0.1;
    local_port = 5300;
}

I launch i2p router as:

sg anon -c 'i2prouter start'

Redsocks logs says:

Feb 19 15:19:04 local redsocks[1036]: [192.168.1.10:1290->127.0.0.1:0]: got 1st packet from client
Feb 19 15:19:04 local redsocks[1036]: [192.168.1.10:1290->127.0.0.1:0]: redudp_relay_error
Feb 19 15:19:04 local redsocks[1036]: [192.168.1.10:1290->127.0.0.1:0]: Dropping...
Feb 19 15:19:06 local redsocks[1036]: [192.168.1.10:14611->127.0.0.1:0]: got 1st packet from client
Feb 19 15:19:06 local redsocks[1036]: [192.168.1.10:14611->127.0.0.1:0]: redudp_relay_error
Feb 19 15:19:06 local redsocks[1036]: [192.168.1.10:14611->127.0.0.1:0]: Dropping...

I get an i2p error why I can't send UDP packets.
What is wrong?

Regards.

Hi,

I can't compile redsocks on FreeBSD 9, this is the error I get:

# make
"Makefile", line 10: Need an operator
"Makefile", line 79: Need an operator
make: fatal errors encountered -- cannot continue

Is it possible to patch it?
Thanks

Hey Guys
i have ubuntu 14 / installed with redsocks and i have about 2 socks servers that authorize my server public ip.

i 2 private subnets
192.168.10.0/24
and
#192.168.20.0/24

root@VPNSOCKS:~# ifconfig
eth0 Link encap:Ethernet HWaddr 04:01:61:49:10:01
inet addr:xxxxx.231.2 Bcast:104.236.255.255 Mask:255.255.192.0
inet6 addr: fe80::601:61ff:fe49:1001/64 Scope:Link
UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
RX packets:330652 errors:0 dropped:0 overruns:0 frame:0
TX packets:343397 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:169157110 (169.1 MB) TX bytes:75439675 (75.4 MB)

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:785404 errors:0 dropped:0 overruns:0 frame:0
TX packets:785404 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:47633173 (47.6 MB) TX bytes:47633173 (47.6 MB)

tap_axp1 Link encap:Ethernet HWaddr 00:ac:ac:fd:31:28
inet addr:192.168.10.1 Bcast:192.168.10.255 Mask:255.255.255.0
inet6 addr: fe80::2ac:acff:fefd:3128/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:5 errors:0 dropped:0 overruns:0 frame:0
TX packets:31 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:500
RX bytes:298 (298.0 B) TX bytes:1818 (1.8 KB)

tap_axp2 Link encap:Ethernet HWaddr 00:ac:4a:cf:93:1f
inet addr:192.168.20.1 Bcast:192.168.20.255 Mask:255.255.255.0
inet6 addr: fe80::2ac:4aff:fecf:931f/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:2 errors:0 dropped:0 overruns:0 frame:0
TX packets:13 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:500
RX bytes:172 (172.0 B) TX bytes:1062 (1.0 KB)

now what i need ?

all i need is if the source ip was from subnet ip 192.168.10.0/24 i want to send it to socks 1

if source ip was from ip 192.168.20.0/24 i want it to go to socks 2

here is my config

root@VPNSOCKS:~# /etc/init.d/redsocks restart

• Restarting redsocks redsocks
  ...done.
  root@VPNSOCKS:~#

  root@VPNSOCKS:~# /etc/init.d/redsocks restart
• Restarting redsocks redsocks
  ...done.
  root@VPNSOCKS:~# cat /etc/redsocks.conf
  base {
  // debug: connection progress & client list on SIGUSR1
  //log_debug = off;
  log_debug = on;
  // info: start and end of client session
  log_info = on;

/* possible `log' values are:

• stderr
• "file:/path/to/file"
• syslog:FACILITY facility is any of "daemon", "local0"..."local7"
  */
  //log = "syslog:daemon";
  log = "file:/var/log/redsocks";
  // detach from console
  daemon = on;

/* Change uid, gid and root directory, these options require root

• privilegies on startup.
• Note, your chroot may requre /etc/localtime if you write log to syslog.
• Log is opened before chroot & uid changing.
  */
  user = redsocks;
  group = redsocks;
  // chroot = "/var/chroot";

/* possible `redirector' values are:

• iptables - for Linux
• ipf - for FreeBSD
• pf - for OpenBSD
• generic - some generic redirector that MAY work
  */
  redirector = iptables;
  }

redsocks {
/* `local_ip' defaults to 127.0.0.1 for security reasons,

• use 0.0.0.0 if you want to listen on every interface.
• `local_*' are used as port to redirect to.
  */
  local_ip = xx.231.2;
  local_port = 12345;

// ip' andport' are IP and tcp-port of proxy-server
// You can also use hostname instead of IP, only one (random)
// address of multihomed host will be used.
ip =xx.66.10;
port = 1221;

// known types: socks4, socks5, http-connect, http-relay
type = socks5;

// login = "foobar";
// password = "baz";
}
//////////////////////////////////
redsocks {
/* `local_ip' defaults to 127.0.0.1 for security reasons,

• use 0.0.0.0 if you want to listen on every interface.
• `local_*' are used as port to redirect to.
  */
  local_ip = xxx.231.2;
  local_port = 12346;

// ip' andport' are IP and tcp-port of proxy-server
// You can also use hostname instead of IP, only one (random)
// address of multihomed host will be used.
ip = xxx.66.11;
port = 1221;

// known types: socks4, socks5, http-connect, http-relay
type = http-connect;

// login = "foobar";
// password = "baz";
}
redudp {
// `local_ip' should not be 0.0.0.0 as it's also used for outgoing
// packets that are sent as replies - and it should be fixed
// if we want NAT to work properly.
local_ip = 127.0.0.1;
local_port = 10053;

// ip' andport' of socks5 proxy server.
ip = 192.0.2.1;
port = 1080;
login = username;
password = pazzw0rd;

// kernel does not give us this information, so we have to duplicate it
// in both iptables rules and configuration file. By the way, you can
// set `local_ip' to 127.45.67.89 if you need more than 65535 ports to
// forward ;-)
// This limitation may be relaxed in future versions using contrack-tools.
dest_ip = 192.0.2.2;
dest_port = 53;

udp_timeout = 30;
udp_timeout_stream = 180;
}

dnstc {
// fake and really dumb DNS server that returns "truncated answer" to
// every query via UDP, RFC-compliant resolver should repeat same query
// via TCP in this case.
local_ip = 127.0.0.1;
local_port = 5300;
}

// you can add more redsocks' andredudp' sections if you need.

iptables rules :

sudo iptables -t nat -N REDSOCKS

sudo iptables -t nat -A REDSOCKS -d 127.0.0.0/8 -j RETURN
sudo iptables -t nat -A REDSOCKS -p tcp -s 192.168.10.0/24 --dport 80 -j REDIRECT --to-ports 12345
sudo iptables -t nat -A REDSOCKS -p tcp -s 192.168.20.0/24 --dport 80 -j REDIRECT --to-ports 12346
sudo iptables -t nat -A OUTPUT -p tcp -o eth0 -j REDSOCKS

with the config above , it dont work and i cant tunnel tcp tunnel http traffic to the 2 socks servers i have !!! ??
i want to know what i need to do ?