cproxy's Introduction



cproxy can redirect the TCP and UDP traffic of a program to a proxy, without requiring the program to support proxies itself.

What you can achieve with cproxy: everything listed in, for example, the V2Ray Guide, including advanced configurations such as a reverse proxy for NAT traversal. You can also apply different proxies to different applications.

Compared to many existing, complicated transparent proxy setups, cproxy is as easy to use as proxychains, but unlike proxychains it works on any program (including statically linked Go programs) and redirects DNS requests.

Note: The proxy used by cproxy should be a transparent proxy port (such as V2Ray's dokodemo-door inbound or shadowsocks' ss-redir). The good news is that even if you only have a SOCKS5 or HTTP proxy, there are tools that can convert it to a transparent proxy for you (for example, transocks, ipt2socks and ip2socks-go).

Installation

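You can install cproxy by downloading the binary from the release page, or with cargo. The second command below makes the installed binary setuid root (cproxy requires root access, see Limitations), so any user who can execute it runs it with root privileges: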

cargo install cproxy
chown root:root "$(which cproxy)" && chmod +s "$(which cproxy)"

Usage

Simple usage: just like proxychains

You can launch a new program with cproxy with:

cproxy --port <destination-local-port> -- <your-program> --arg1 --arg2 ...

All TCP connection requests will be proxied. If your local transparent proxy supports DNS address overriding, you can also redirect DNS traffic with --redirect-dns:

cproxy --port <destination-local-port> --redirect-dns -- <your-program> --arg1 --arg2 ...

For an example setup, see the wiki.

Simple usage: use iptables tproxy

If your system supports tproxy, you can use tproxy with --mode tproxy:

cproxy --port <destination-local-port> --mode tproxy -- <your-program> --arg1 --arg2 ...
# or for existing process
cproxy --port <destination-local-port> --mode tproxy --pid <existing-process-pid>

With --mode tproxy, there are several differences:

  • All UDP traffic is proxied, instead of only DNS UDP traffic to port 53.
  • Your V2Ray or shadowsocks service should have tproxy enabled on the inbound port. For V2Ray, you need "tproxy": "tproxy" as in the V2Ray documentation. For shadowsocks, you need -u as shown in the shadowsocks manpage.

An example setup can be found here.

Note that when you are using the tproxy mode, you can override the DNS server address with cproxy --mode tproxy --override-dns <your-dns-server-addr> .... This is useful when you want to use a different DNS server for a specific application.

Advanced usage: proxy an existing process

With cproxy, you can even proxy an existing process. This is very handy when you want to proxy existing system services such as docker. To do this, just run

cproxy --port <destination-local-port> --pid <existing-process-pid>

The target process will be proxied as long as this cproxy command is running. You can press Ctrl-C to stop proxying.

Advanced usage: debug a program's network activity with iptables LOG target

With cproxy, you can easily debug a program's traffic in netfilter. Just run the program with

cproxy --mode trace <your-program>

You will be able to see the log in dmesg. Note that this requires a recent enough kernel and iptables.

How does it work?

cproxy creates a unique cgroup for the proxied program, and redirects its traffic with iptables packet rules that match on that cgroup.
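An added example (not part of cproxy or its README): because these rules live in the kernel's netfilter tables rather than in the proxied program, they can remain after a cproxy run that fails, as the rule listing in the "iptables exit with 4" report further down this page shows. The script below lists cproxy chains whose owning process is gone; the chain pattern comes from the `nozomi_tproxy_out_<n>` name in that listing, and treating `<n>` as the cproxy PID is an assumption.

```shell
#!/bin/sh
# Added example: report cproxy packet-rule chains whose owning process is gone.
# Assumption: the numeric suffix of nozomi_tproxy_*_<n> chains (and of the
# cproxy-<n> cgroup) is the PID of the cproxy process that created them.

# Constructed sample in iptables-save format, modelled on the rule listing
# in the "iptables exit with 4" report on this page (PID 4242 is made up).
SAMPLE_RULES=':OUTPUT ACCEPT [0:0]
:nozomi_tproxy_out_2556086 - [0:0]
:nozomi_tproxy_out_4242 - [0:0]
-A OUTPUT -j nozomi_tproxy_out_2556086
-A OUTPUT -j nozomi_tproxy_out_4242
-A nozomi_tproxy_out_2556086 -o lo -p udp -j RETURN
-A nozomi_tproxy_out_2556086 -o lo -p tcp -j RETURN
-A nozomi_tproxy_out_2556086 -p tcp -m cgroup --path cproxy-2556086 -j REDIRECT --to-ports 60080
-A nozomi_tproxy_out_4242 -p tcp -m cgroup --path cproxy-4242 -j REDIRECT --to-ports 60080'

# list_cproxy_chains: read iptables-save output on stdin and print each
# cproxy-created chain name once (taken from the ":<chain> ..." declarations).
list_cproxy_chains() {
    sed -n 's/^:\(nozomi_tproxy_[a-z_]*_[0-9][0-9]*\) .*/\1/p' | sort -u
}

# stale_cproxy_chains [PROC_ROOT]: print "<chain> <pid>" for every cproxy chain
# whose PID has no directory under PROC_ROOT (default /proc), i.e. rules that
# outlived the process that was meant to remove them.
stale_cproxy_chains() {
    proc_root=${1:-/proc}
    list_cproxy_chains | while read -r chain; do
        pid=${chain##*_}
        [ -d "$proc_root/$pid" ] || printf '%s %s\n' "$chain" "$pid"
    done
}

# Live use (as root), one table at a time:
#   iptables-save -t nat    | stale_cproxy_chains
#   iptables-save -t mangle | stale_cproxy_chains
```

Because PIDs are reused, a chain whose suffix matches a live but unrelated process is not reported; compare the suffix against running cproxy processes when in doubt.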

Limitations

  • cproxy requires root access to modify cgroup.
  • Currently only tested on Linux.

Similar projects

There is some awesome existing work:

  • graftcp: works on most programs, but cannot proxy UDP (such as DNS) requests. graftcp also imposes a performance hit on the underlying program, since it uses ptrace.
  • proxychains: easy to use, but does not work on statically linked programs (such as Go programs).
  • proxychains-ng: similar to proxychains.
  • cgproxy: cgproxy also uses cgroups for transparent proxying, and the idea is similar to cproxy's. There are some differences in UX and system requirements:
    • cgproxy requires system cgroup v2 support, while cproxy works with both v1 and v2.
    • cgproxy requires a background daemon process cgproxyd running, while cproxy does not.
    • cgproxy requires tproxy, which is optional in cproxy.
    • cgproxy can be used as a global proxy, while cproxy is not intended to support global proxying.


cproxy's Issues

panicked error

$uname -a
Linux LightgrayBleak-VM 5.4.0-131-generic #147-Ubuntu SMP Fri Oct 14 17:07:22 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux

$iptables -V
iptables v1.8.4 (legacy)

$ls /sys/fs/cgroup/
blkio  cpuacct      cpuset   freezer  memory   net_cls,net_prio  perf_event  rdma     unified
cpu    cpu,cpuacct  devices  hugetlb  net_cls  net_prio          pids        systemd
$cproxy --port 59999 --mode tproxy -- curl 1.1.1.1
<html>
<head><title>301 Moved Permanently</title></head>
<body>
<center><h1>301 Moved Permanently</h1></center>
<hr><center>cloudflare</center>
</body>
</html>
thread 'main' panicked at 'called `Result::unwrap()` on an `Err` value: Error { kind: RemoveFailed, cause: Some(Os { code: 16, kind: ResourceBusy, message: "Resource busy" }) }', src/guards.rs:41:26
stack backtrace:
   0:     0x7fb3eb0bfea0 - std::backtrace_rs::backtrace::libunwind::trace::hb16dbf761681cfc0
                               at /rustc/c8dfcfe046a7680554bf4eb612bad840e7631c4b/library/std/src/../../backtrace/src/backtrace/libunwind.rs:90:5
   1:     0x7fb3eb0bfea0 - std::backtrace_rs::backtrace::trace_unsynchronized::h53bc5f57122de54d
                               at /rustc/c8dfcfe046a7680554bf4eb612bad840e7631c4b/library/std/src/../../backtrace/src/backtrace/mod.rs:66:5
   2:     0x7fb3eb0bfea0 - std::sys_common::backtrace::_print_fmt::h7e86959aa36cde43
                               at /rustc/c8dfcfe046a7680554bf4eb612bad840e7631c4b/library/std/src/sys_common/backtrace.rs:67:5
   3:     0x7fb3eb0bfea0 - <std::sys_common::backtrace::_print::DisplayBacktrace as core::fmt::Display>::fmt::hf42958820747a8ac
                               at /rustc/c8dfcfe046a7680554bf4eb612bad840e7631c4b/library/std/src/sys_common/backtrace.rs:46:22
   4:     0x7fb3eb0f96ac - core::fmt::write::h6f5ededa5074697e
                               at /rustc/c8dfcfe046a7680554bf4eb612bad840e7631c4b/library/core/src/fmt/mod.rs:1115:17
   5:     0x7fb3eb0bd375 - std::io::Write::write_fmt::hdb84dc6c28fda870
                               at /rustc/c8dfcfe046a7680554bf4eb612bad840e7631c4b/library/std/src/io/mod.rs:1665:15
   6:     0x7fb3eb0c21cb - std::sys_common::backtrace::_print::hbb646398d13d0dcb
                               at /rustc/c8dfcfe046a7680554bf4eb612bad840e7631c4b/library/std/src/sys_common/backtrace.rs:49:5
   7:     0x7fb3eb0c21cb - std::sys_common::backtrace::print::ha3796c9cf0c5a732
                               at /rustc/c8dfcfe046a7680554bf4eb612bad840e7631c4b/library/std/src/sys_common/backtrace.rs:36:9
   8:     0x7fb3eb0c21cb - std::panicking::default_hook::{{closure}}::hb85a09d7e9a16432
                               at /rustc/c8dfcfe046a7680554bf4eb612bad840e7631c4b/library/std/src/panicking.rs:208:50
   9:     0x7fb3eb0c1ca1 - std::panicking::default_hook::hdc924e74cb190bbb
                               at /rustc/c8dfcfe046a7680554bf4eb612bad840e7631c4b/library/std/src/panicking.rs:225:9
  10:     0x7fb3eb0c2894 - std::panicking::rust_panic_with_hook::hd63b080e78590a80
                               at /rustc/c8dfcfe046a7680554bf4eb612bad840e7631c4b/library/std/src/panicking.rs:622:17
  11:     0x7fb3eb0c2377 - std::panicking::begin_panic_handler::{{closure}}::h27bfba1f7e931f90
                               at /rustc/c8dfcfe046a7680554bf4eb612bad840e7631c4b/library/std/src/panicking.rs:519:13
  12:     0x7fb3eb0c033c - std::sys_common::backtrace::__rust_end_short_backtrace::h2cc025f6c95b1f82
                               at /rustc/c8dfcfe046a7680554bf4eb612bad840e7631c4b/library/std/src/sys_common/backtrace.rs:141:18
  13:     0x7fb3eb0c22d9 - rust_begin_unwind
                               at /rustc/c8dfcfe046a7680554bf4eb612bad840e7631c4b/library/std/src/panicking.rs:515:5
  14:     0x7fb3eaf32081 - core::panicking::panic_fmt::h9f5a85773697c5f5
                               at /rustc/c8dfcfe046a7680554bf4eb612bad840e7631c4b/library/core/src/panicking.rs:92:14
  15:     0x7fb3eaf32173 - core::result::unwrap_failed::h43465fb8e3273283
                               at /rustc/c8dfcfe046a7680554bf4eb612bad840e7631c4b/library/core/src/result.rs:1599:5
  16:     0x7fb3eaf33c3a - <cproxy::guards::CGroupGuard as core::ops::drop::Drop>::drop::he0f5772e67446932
  17:     0x7fb3eaf723dd - core::ptr::drop_in_place<cproxy::guards::TProxyGuard>::h5bc32170f22a3d77
  18:     0x7fb3eaf75398 - cproxy::main::h7becfa773d4442f6
  19:     0x7fb3eaf77e53 - std::sys_common::backtrace::__rust_begin_short_backtrace::h51261908630a884f
  20:     0x7fb3eaf65f9d - std::rt::lang_start::{{closure}}::h670ee57be18ae9fa
  21:     0x7fb3eb0c2cf0 - core::ops::function::impls::<impl core::ops::function::FnOnce<A> for &F>::call_once::h5edb75ac3af12064
                               at /rustc/c8dfcfe046a7680554bf4eb612bad840e7631c4b/library/core/src/ops/function.rs:259:13
  22:     0x7fb3eb0c2cf0 - std::panicking::try::do_call::h4398f4e6da05592f
                               at /rustc/c8dfcfe046a7680554bf4eb612bad840e7631c4b/library/std/src/panicking.rs:401:40
  23:     0x7fb3eb0c2cf0 - std::panicking::try::h3fe03463ab3f9a9d
                               at /rustc/c8dfcfe046a7680554bf4eb612bad840e7631c4b/library/std/src/panicking.rs:365:19
  24:     0x7fb3eb0c2cf0 - std::panic::catch_unwind::h3f31a496b3e5f0e5
                               at /rustc/c8dfcfe046a7680554bf4eb612bad840e7631c4b/library/std/src/panic.rs:434:14
  25:     0x7fb3eb0c2cf0 - std::rt::lang_start_internal::{{closure}}::h24e3f631c8bb6bd5
                               at /rustc/c8dfcfe046a7680554bf4eb612bad840e7631c4b/library/std/src/rt.rs:45:48
  26:     0x7fb3eb0c2cf0 - std::panicking::try::do_call::h9268f45ee0925288
                               at /rustc/c8dfcfe046a7680554bf4eb612bad840e7631c4b/library/std/src/panicking.rs:401:40
  27:     0x7fb3eb0c2cf0 - std::panicking::try::he93fcdbaacc3daf7
                               at /rustc/c8dfcfe046a7680554bf4eb612bad840e7631c4b/library/std/src/panicking.rs:365:19
  28:     0x7fb3eb0c2cf0 - std::panic::catch_unwind::hca9f2323bf3773b4
                               at /rustc/c8dfcfe046a7680554bf4eb612bad840e7631c4b/library/std/src/panic.rs:434:14
  29:     0x7fb3eb0c2cf0 - std::rt::lang_start_internal::hfee0032b3594c35b
                               at /rustc/c8dfcfe046a7680554bf4eb612bad840e7631c4b/library/std/src/rt.rs:45:20
  30:     0x7fb3eaf75872 - main

curl and wget are not properly supported

curl and wget are not properly supported

$ curl -x 127.0.0.1:8888 ip.sb
91.200.242.210
$ sudo ./cproxy --port 8888  -- curl ip.sb
Bad Request
$ sudo ./cproxy --port 8888  -- wget google.com
--2022-10-14 15:56:45--  http://google.com/
Resolving google.com (google.com)... 142.250.204.142, 2404:6800:4005:80e::200e
Connecting to google.com (google.com)|142.250.204.142|:80... connected.
HTTP request sent, awaiting response... 400 Bad Request
2022-10-14 15:56:45 ERROR 400: Bad Request.

Error: iptables exit with 4

Error info:

└─# ./.cargo/bin/cproxy --port 60080 --redirect-dns -- bash
iptables v1.8.5 (nf_tables):  RULE_APPEND failed (Invalid argument): rule in chain nozomi_tproxy_out_2556086
Error: iptables -t nat -A nozomi_tproxy_out_2556086 -p tcp -m cgroup --path cproxy-2556086 -j REDIRECT --to-ports 60080 exit with 4
                                                                                                                                                                                  
┌──(root💀kali)-[/home/kali]
└─# iptables -t nat -nvL                                                                                                                                                      1 ⨯
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  465  106K DOCKER     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 MASQUERADE  all  --  *      !docker0  172.17.0.0/16        0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DOCKER     all  --  *      *       0.0.0.0/0           !127.0.0.0/8          ADDRTYPE match dst-type LOCAL
    0     0 nozomi_tproxy_out_2556086  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 RETURN     all  --  docker0 *       0.0.0.0/0            0.0.0.0/0           

Chain nozomi_tproxy_out_2556086 (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 RETURN     udp  --  *      lo      0.0.0.0/0            0.0.0.0/0           
    0     0 RETURN     tcp  --  *      lo      0.0.0.0/0            0.0.0.0/0           
    0     0 REDIRECT   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            cgroup 2556086 redir ports 60080
                                                                                                                                    

My system info:

└─# uname -a
Linux kali 5.9.0-kali1-amd64 #1 SMP Debian 5.9.1-1kali2 (2020-10-29) x86_64 GNU/Linux

└─# ./.cargo/bin/cproxy --version                          
cproxy 4.1.2

└─# iptables --version   
iptables v1.8.5 (nf_tables)

IPv6 Support?

It seems that cproxy does not support IPv6 proxying?
