heiher / hev-socks5-tproxy

A simple, lightweight socks5 transparent proxy for Linux. (IPv4/IPv6/TCP/UDP)

License: GNU General Public License v3.0

C 94.09% Makefile 5.91%
transparent-proxy tproxy linux docker tcp udp iptables nftables socks5-proxy

hev-socks5-tproxy's Introduction

HevSocks5TProxy

HevSocks5TProxy is a simple, lightweight transparent proxy for Linux.

Features

  • IPv4/IPv6. (dual stack)
  • Redirect TCP connections.
  • Redirect UDP packets. (Fullcone NAT, UDP in UDP/TCP)
                +---------------+      +---------------+
                | Socks5 Server |      | Upstream  DNS |
                +---------------+      +---------------+
                         ^                     ^
                         |                     |
                         +----------+----------+
                             uplink | (eth1)
                +-------------------o<-----------------+ (direct dns)
                |                   ^                  |
                |            socks5 |                  |
set ether daddr |    dns    +---------------+          |
rule routing    |?--------->| Socks5 TProxy |<---------+ (proxy dns)
ipset/tproxy    |  tcp/udp  +---------------+   tproxy |
                |                   | dns              |
                |                   v                  |
                |           +---------------+    dns   |
                |           |    DNSMasq    |----------+
   [nat/bridge] |           +---------------+
                |
                +-------------------o
                           downlink | (eth0)
                                    v
                            +---------------+
                            |   LAN  Host   |
                            +---------------+

How to Build

Linux

git clone --recursive https://github.com/heiher/hev-socks5-tproxy
cd hev-socks5-tproxy
make

Android

mkdir hev-socks5-tproxy
cd hev-socks5-tproxy
git clone --recursive https://github.com/heiher/hev-socks5-tproxy jni
cd jni
ndk-build

How to Use

Config

socks5:
  port: 1080
  address: 127.0.0.1
  # Socks5 UDP relay mode (tcp|udp)
  udp: 'udp'
  # Socks5 handshake using pipeline mode
  # pipeline: false
  # Socks5 server username
  username: 'username'
  # Socks5 server password
  password: 'password'
  # Socket mark
  mark: 438

tcp:
  port: 1088
  address: '::'

udp:
  port: 1088
  address: '::'

# Proxy DNS for bridged mode
#   [address]:port <-> [upstream]:53 (dnsmasq)
dns:
  # DNS port
  port: 1053
  # DNS address
  address: '::'
  # DNS upstream
  upstream: 127.0.0.1

#misc:
#  task-stack-size: 16384 # task stack size (bytes)
#  connect-timeout: 5000 # connect timeout (ms)
#  read-write-timeout: 60000 # read-write timeout (ms)
#  log-file: stderr # stdout or file-path
#  log-level: warn # debug, info or error
#  pid-file: /run/hev-socks5-tproxy.pid
#  limit-nofile: 65535

Run

# Capabilities
setcap cap_net_admin,cap_net_bind_service+ep bin/hev-socks5-tproxy

bin/hev-socks5-tproxy conf/main.yml

Redirect rules

Type 1: NfTables

Netfilter

table inet mangle {
    set byp4 {
        typeof ip daddr
        flags interval
        elements = {
            0.0.0.0/8,
            10.0.0.0/8,
            100.64.0.0/10,
            127.0.0.0/8,
            169.254.0.0/16,
            172.16.0.0/12,
            192.0.0.0/24,
            192.0.2.0/24,
            192.88.99.0/24,
            192.168.0.0/16,
            198.18.0.0/15,
            198.51.100.0/24,
            203.0.113.0/24,
            224.0.0.0/4,
            240.0.0.0/4
        }
    }

    set byp6 {
        typeof ip6 daddr
        flags interval
        elements = {
            ::/128,
            ::1/128,
            ::ffff:0:0:0/96,
            64:ff9b::/96,
            100::/64,
            2001::/32,
            2001:20::/28,
            2001:db8::/32,
            2002::/16,
            fc00::/7,
            fe80::/10,
            ff00::/8
        }
    }

    chain prerouting {
        type filter hook prerouting priority mangle; policy accept;
        meta mark 0x438 return
        ip daddr @byp4 return
        ip6 daddr @byp6 return
        meta l4proto { tcp, udp } tproxy to :1088 meta mark set 0x440 accept
    }

    # Only for local mode
    chain output {
        type route hook output priority mangle; policy accept;
        meta mark 0x438 return
        ip daddr @byp4 return
        ip6 daddr @byp6 return
        meta l4proto { tcp, udp } meta mark set 0x440
    }
}

Routing
ip rule add fwmark 1088 table 100
ip route add local default dev lo table 100

ip -6 rule add fwmark 1088 table 100
ip -6 route add local default dev lo table 100
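The config and the nftables rules above only work together when three values line up: the socket mark the proxy puts on its own upstream flows (so they are returned before reaching the tproxy rule), the mark set by the tproxy rule (which the ip rule must match), and the tproxy port (which must be the tcp/udp listen port). The check below is an added example, not the project's code; it assumes the YAML `mark: 438` is read as hex, matching the `0x438` in the rules, and runs over constructed excerpts of the page's config and ruleset.

```python
import ipaddress
import re

# Constructed excerpts of the page's conf/main.yml and nftables ruleset (sample input only).
CONFIG = """\
socks5:
  address: 127.0.0.1
  mark: 438
tcp:
  port: 1088
udp:
  port: 1088
"""
NFT = """\
set byp4 { elements = { 0.0.0.0/8, 10.0.0.0/8, 127.0.0.0/8, 192.168.0.0/16 } }
meta mark 0x438 return
meta l4proto { tcp, udp } tproxy to :1088 meta mark set 0x440 accept
"""
IP_RULE = "ip rule add fwmark 1088 table 100"


def cfg_value(cfg, section, key):
    # Read `key` under `section` from the two-level YAML layout used above.
    current = None
    for line in cfg.splitlines():
        if line and not line[0].isspace():
            current = line.rstrip(":")
        elif current == section:
            k, _, v = line.strip().partition(":")
            if k == key:
                return v.strip().strip("'\"")
    raise KeyError(f"{section}.{key}")


def check_tproxy_setup(cfg, nft, ip_rule):
    """Return findings; an empty list means marks, ports and bypass set agree."""
    # Assumption: the YAML mark is read as hex, so 438 pairs with 0x438 in the rules.
    socks_mark = int(cfg_value(cfg, "socks5", "mark"), 16)
    socks_addr = ipaddress.ip_address(cfg_value(cfg, "socks5", "address"))
    listen_ports = {int(cfg_value(cfg, s, "port")) for s in ("tcp", "udp")}
    returned = {int(m, 0) for m in re.findall(r"meta mark (\S+) return", nft)}
    hit = re.search(r"tproxy to :(\d+) meta mark set (\S+)", nft)
    tproxy_port, tproxy_mark = int(hit.group(1)), int(hit.group(2), 0)
    fwmark = int(re.search(r"fwmark (\S+)", ip_rule).group(1), 0)
    bypass = [ipaddress.ip_network(n) for n in re.findall(r"\d+\.\d+\.\d+\.\d+/\d+", nft)]
    findings = []
    if socks_mark not in returned:  # proxy's own upstream flows would loop back into tproxy
        findings.append(f"socks5 mark 0x{socks_mark:x} lacks a 'meta mark ... return' rule")
    if listen_ports != {tproxy_port}:
        findings.append(f"tproxy port {tproxy_port} != listen ports {sorted(listen_ports)}")
    if tproxy_mark != fwmark:  # marked packets would never reach the local routing table
        findings.append(f"mark set 0x{tproxy_mark:x} != ip rule fwmark 0x{fwmark:x}")
    if not any(socks_addr in net for net in bypass):
        findings.append(f"socks5 server {socks_addr} is not in the bypass set")
    return findings
```

Feed it the real files with the rule text from `nft list table inet mangle` and `ip rule show` to lint a deployment before enabling the redirect.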

Type 2: IPTables

Bypass ipset

# IPv4
ipset create byp4 hash:net family inet hashsize 2048 maxelem 65536
ipset add byp4 0.0.0.0/8
ipset add byp4 10.0.0.0/8
ipset add byp4 100.64.0.0/10
ipset add byp4 127.0.0.0/8
ipset add byp4 169.254.0.0/16
ipset add byp4 172.16.0.0/12
ipset add byp4 192.0.0.0/24
ipset add byp4 192.0.2.0/24
ipset add byp4 192.88.99.0/24
ipset add byp4 192.168.0.0/16
ipset add byp4 198.18.0.0/15
ipset add byp4 198.51.100.0/24
ipset add byp4 203.0.113.0/24
ipset add byp4 224.0.0.0/4
ipset add byp4 240.0.0.0/4

# IPv6
ipset create byp6 hash:net family inet6 hashsize 1024 maxelem 65536
ipset add byp6 ::/128
ipset add byp6 ::1/128
ipset add byp6 ::ffff:0:0:0/96
ipset add byp6 64:ff9b::/96
ipset add byp6 100::/64
ipset add byp6 2001::/32
ipset add byp6 2001:20::/28
ipset add byp6 2001:db8::/32
ipset add byp6 2002::/16
ipset add byp6 fc00::/7
ipset add byp6 fe80::/10
ipset add byp6 ff00::/8

Netfilter and Routing

Gateway and Local modes

# IPv4
iptables -t mangle -A PREROUTING -m mark --mark 0x438 -j RETURN
iptables -t mangle -A PREROUTING -m set --match-set byp4 dst -j RETURN
iptables -t mangle -A PREROUTING -p tcp -j TPROXY --on-port 1088 --tproxy-mark 1088
iptables -t mangle -A PREROUTING -p udp -j TPROXY --on-port 1088 --tproxy-mark 1088

ip rule add fwmark 1088 table 100
ip route add local default dev lo table 100

# Only for local mode
iptables -t mangle -A OUTPUT -m mark --mark 0x438 -j RETURN
iptables -t mangle -A OUTPUT -m set --match-set byp4 dst -j RETURN
iptables -t mangle -A OUTPUT -p tcp -j MARK --set-mark 1088
iptables -t mangle -A OUTPUT -p udp -j MARK --set-mark 1088

# IPv6
ip6tables -t mangle -A PREROUTING -m mark --mark 0x438 -j RETURN
ip6tables -t mangle -A PREROUTING -m set --match-set byp6 dst -j RETURN
ip6tables -t mangle -A PREROUTING -p tcp -j TPROXY --on-port 1088 --tproxy-mark 1088
ip6tables -t mangle -A PREROUTING -p udp -j TPROXY --on-port 1088 --tproxy-mark 1088

ip -6 rule add fwmark 1088 table 100
ip -6 route add local default dev lo table 100

# Only for local mode
ip6tables -t mangle -A OUTPUT -m mark --mark 0x438 -j RETURN
ip6tables -t mangle -A OUTPUT -m set --match-set byp6 dst -j RETURN
ip6tables -t mangle -A OUTPUT -p tcp -j MARK --set-mark 1088
ip6tables -t mangle -A OUTPUT -p udp -j MARK --set-mark 1088

Contributors

License

GPLv3

hev-socks5-tproxy's Issues

[Question] How can I forward traffic across network namespaces with hev-socks5-tproxy?

I'm trying to forward traffic across namespaces, basically I set up a transparent proxy inside a network namespace and forward the traffic to another one.

I create namespaces and set up all the rest with:

ip netns add nsx
ip netns add nsy
ip link add vethx type veth peer name peerx netns nsx
ip link set vethx up
ip address add 10.0.0.1/24 dev vethx
ip netns exec nsx ip link set peerx up
ip netns exec nsx ip address add 10.0.0.2/24 dev peerx
ip netns exec nsx ip link add vethy type veth peer name peery netns nsy
ip netns exec nsx ip link set vethy up
ip netns exec nsx ip address add 10.0.1.1/24 dev vethy
ip netns exec nsx sysctl -w net.ipv4.conf.peerx.forwarding=1
ip netns exec nsx sysctl -w net.ipv4.conf.vethy.forwarding=1
ip netns exec nsx sysctl -w net.ipv4.ip_forward=1
ip netns exec nsy ip link set peery up
ip netns exec nsy ip address add 10.0.1.2/24 dev peery
ip netns exec nsy ip route add default via 10.0.1.1 dev peery

Rules are added in the network namespace "nsx":

ip netns exec nsx ip rule add fwmark 1088 table 100
ip netns exec nsx ip route add local default dev vethy table 100

The iptables rule is added:

ip netns exec nsx iptables -t mangle -A PREROUTING -i vethy -p tcp -j TPROXY -s 10.0.1.2 --on-ip 10.0.0.1 --on-port 19040 --tproxy-mark 1088

But when I try to connect I get this:

root@localhost:/home/user# dig @1.1.1.1 duckduckgo.com
; <<>> DiG 9.18.1-1-Debian <<>> @1.1.1.1 duckduckgo.com
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached

============================

So, what can be done to make the connection be made successfully?

Segmentation fault built with zig cc $ARCH-linux-musl

If the binary is built with zig cc ARCH-linux-musl, there is a segmentation fault in 2 cases:

  1. #20 (comment)

If udp: 'udp' is changed to udp: 'tcp' (I know this mode only works with hev-socks5-server; it does not work with trojan-r socks5 listening), then when sending a UDP packet like dig @1.1.1.1 example.com, hev-socks5-tproxy just exits with a segmentation fault. I know it will fail, but that could be handled better with some error message instead of exiting with a seg fault. (Side note: in this case the trojan-r log shows: socks: unsupported command 0x5.) Just some thoughts, not a big issue if one knows how to configure the udp: parameter.

  1. #20 (comment)

I found another hev-socks5-tproxy segmentation fault when the upstream socks5 server is stopped/killed/quit/no longer listening. Can you reproduce this behavior on your side?

Not affected when using zig cc ARCH-linux-gnu; tested zig versions 0.11 and 0.12-dev.

build arg

# STRIP=true disables strip in Makefile, as we have zig cc -s to strip
make clean ;
make \
CC='zig cc -flto -O3 -s -static -target aarch64-linux-musl' \
AR='zig ar' \
RANLIB='zig ranlib' \
STRIP=true \
-j

EDIT: issue fixed by setting task-stack-size in config.yml equal to or larger than 8193. Or even larger, e.g. 16384, is preferred.

where is `tproxy`

You said it can be run like
tproxy COMMAND
but where is the tproxy?

`[E] socks5 tproxy udp addr` confusing log message

When starting hev-socks5-tproxy with this config:

socks5:
  port: 1080
  address: 127.0.0.1
  # Socks5 UDP relay mode (tcp|udp)
  udp: 'udp'
  # Socks5 server username
  #username: 'username'
  # Socks5 server password
  #password: 'password'
  # Socket mark
  #mark: 438

tcp:
  port: 1081
  address: '127.0.0.1'

udp:
  port: 1081
  address: '127.0.0.1'

# Redirect DNS to local server on gateway
#   [address]:port <-> [upstream]:53 (dnsmasq)
#dns:
  # DNS port
  #port: 1053
  # DNS address
  #address: '::'
  # DNS upstream
  #upstream: 127.0.0.1

misc:
#  task-stack-size: 8192 # task stack size (bytes)
#  connect-timeout: 5000 # connect timeout (ms)
#  read-write-timeout: 60000 # read-write timeout (ms)
#  log-file: stderr # stdout or file-path
  log-level: error # debug, info or warn or error
#  pid-file: /run/hev-socks5-tproxy.pid
  limit-nofile: 65535

The upstream socks5 server is provided by pagefault's trojan-r client, and everything works as expected. But hev-socks5-tproxy's log line [E] socks5 tproxy udp addr is confusing; why is this an [E] error log?

By the way, I built hev-socks5-tproxy from this version: 6a85b48

hev-socks5-tproxy GUI for Android

hev-socks5-tproxy has an Android version; I wonder whether the configuration steps could be simplified into a GUI, like sockstun.

Of course the precondition is having root. Filtering based on uid (--uid-owner) could also be introduced.

consider using zig cc instead of musl.cc

With zig cc, there is no need to download toolchains, as zig cc is able to prepare/compile the needed libc for various architectures on the fly.

Build a Linux binary on macOS, for instance:

make CC="zig cc -s -static -target x86_64-linux-musl" AR="zig ar"

reference

Is "really" transparent proxy?

redsocks states that it is not a real transparent proxy: "redsocks acts at TCP level, so three-way handshake is completed and redsocks accepts connection before connection through proxy (and to proxy) is established". I would like to ask whether this project works the same way.

The readme is very confusing, please explain

I read the readme and several parts are very confusing:
1. Does the redirect rule section need to be run manually?
2. What command do I run so that an ordinary program uses socks5?
For example, with proxychains it is proxychains curl google.com; what is your command? The readme doesn't say.

work with trojan socks5

One of the good ideas of hev-socks5-tproxy is that its UDP tproxy is routed over TCP, which works quite well with Chrome YouTube QUIC traffic in this way: [tproxy - socks5 upstream 10808] -> [trojan forward mode: localhost 10808 to remote localhost 1080] - [trojan server 443] - [hev socks5 server port 1080]

Is it possible to work directly with trojan client mode socks5 listening somehow?

DNS resolution

Hello author, how should the port, address and upstream fields in the DNS configuration section be filled in? Is it necessary to install a local DNS forwarder such as dnsmasq?
I hope you can take some time out of your busy schedule to answer my question, thank you.

[Request] Please clarify LICENSE status and add LICENSE file/headers

README says the LICENSE is "LGPL", but it's still unclear which version of "LGPL" is actually in use and to which scope the license applies.

So please at least add a LICENSE file, see https://opensource.org/licenses/lgpl-license for available LGPL license candidates.

Some of the dependencies (git submodules) of this project also have a similar problem.

You might want to add a compatible LICENSE for those projects as well to meet LGPL v* requirements.

Can't forward UDP to a subnet

I want to forward UDP to a subnet, but I can't get connectivity.

I have been using these rules:

ip rule add fwmark 1088 table 100
ip route add local default dev eth2 table 100

iptables -t mangle -A OUTPUT -o eth2 -p udp -j MARK --set-mark 1088
iptables -t mangle -A PREROUTING -i eth2 -p udp -j TPROXY --on-ip 10.0.0.1 --on-port 10000 --tproxy-mark 1088

eth2 has 10.0.0.1 as IP.

In the socks5 proxy this log is shown; it says the connection was made successfully:

# glider -verbose -listen socks5://127.0.0.1:9000
2021/10/08 21:16:03 group.go:186: [group] only 1 forwarder found, disable health checking
2021/10/08 21:16:03 server.go:38: [socks5] listening TCP on 127.0.0.1:9000
2021/10/08 21:16:03 server.go:107: [socks5] listening UDP on 127.0.0.1:9000
2021/10/08 21:16:13 server.go:150: [socks5u] 127.0.0.1:39434 <-> 1.1.1.1:53 via DIRECT
2021/10/08 21:17:16 server.go:150: [socks5u] 127.0.0.1:57056 <-> 1.1.1.1:53 via DIRECT 

Am I doing something wrong?

[Question] Forwarding to hev-socks5-tproxy listening on a non-local address (router) doesn't work.

I installed hev-socks5-tproxy in my router.

The router has the address 192.168.1.1 and my PC has the address 192.168.1.33. Also, I have a local bridge "virbr0" on the PC side that forwards traffic to a virtual machine, with the gateway address 192.168.11.1 and peer address 192.168.11.2.

In the PC side:

ip rule add fwmark 1088 table 100
ip route add local default dev virbr0 table 100
iptables -t mangle -A PREROUTING -i virbr0 -p tcp -j TPROXY -s 192.168.11.2 --on-ip 192.168.0.1 --on-port 1088 --tproxy-mark 1088

When I try to curl any IP from the virtual machine side (192.168.11.2) I get timeouts; looking at the Wireshark logs, any packet is forwarded from my PC to the router.

And when I change the address of "--on-ip" to 127.0.0.1 and run hev-socks5-tproxy locally listening on 127.0.0.1:1088 everything works ok.

How can I make the TPROXY option in iptables "see" the address of the router (192.168.1.1) and connect?

PS.: I don't know if TPROXY was designed to work with non-local addresses when sending the packets, but I searched a lot in Google and I could see examples of TPROXY using non-local addresses, but when I try to reproduce the examples, nothing works.

Can the releases published here be used directly on OpenWrt?

I copied the commands directly onto OpenWrt and used them together with a socks5 client, but it never works and I don't know why.
Running hs5t CONFIG_FILE gives the following output; is this normal?
I ask because I saw that you also have a repository specifically for an OpenWrt version, but it seems not to have been updated for a long time.

[2023-04-29 15:20:13] [E] 0x7f4c3ceb5e00 socks5 client read response
[2023-04-29 15:20:13] [E] 0x7f4c3ceb5e00 socks5 session handshake
[2023-04-29 15:20:13] [E] 0x7f4c3cece6b0 socks5 client read response
[2023-04-29 15:20:13] [E] 0x7f4c3cece6b0 socks5 session handshake
[2023-04-29 15:20:13] [E] 0x7f4c3ceb5c20 socks5 client read response
[2023-04-29 15:20:13] [E] 0x7f4c3ceb5c20 socks5 session handshake
[2023-04-29 15:20:13] [E] 0x7f4c3cece750 socks5 client read response
[2023-04-29 15:20:13] [E] 0x7f4c3cece750 socks5 session handshake

Using the socks5 client on its own has been tested and works.
OpenWrt uses nftables; the firewall rules work fine with other proxies in redir mode. I'm not very familiar with tproxy rules, but I followed your tutorial and tutorials online, and they seem right.
I've tried several versions from here and none succeeded. Looking forward to your advice.
