Jan 28 2012
 

SOCKet Secure (SOCKS) is an Internet protocol that routes network packets between a client and server through a proxy server. SOCKS5 additionally provides authentication so only authorized users may access a server. Practically, a SOCKS server will proxy TCP connections to an arbitrary IP address as well as providing a means for UDP packets to be forwarded.

Because SOCKS, as noted above, transfers all data between a client and a server without adding anything of its own, a web server sees the SOCKS proxy as the client. Therefore the anonymity of this type of proxy server is really always absolute.

In this article we'll see how to use redsocks to send traffic through a SOCKS proxy.



Redsocks allows you to redirect any TCP connection to a SOCKS or HTTPS proxy using your firewall, so the redirection is system-wide.

Another related issue is DNS over TCP. Redsocks includes 'dnstc', a fake and really dumb DNS server that returns a “truncated answer” to every query via UDP. An RFC-compliant resolver should repeat the same query via TCP in this case, so the request can be redirected using the usual redsocks facilities.

Why is that useful? Here are some examples of use:

  • you use Tor and don't want any TCP connection to leak
  • you use a DVB ISP that provides internet connectivity through a special daemon, sometimes called an “Internet accelerator”, which acts as a proxy. Globax is an example of such an accelerator

Linux/iptables, OpenBSD/pf and FreeBSD/ipfw are supported. Linux/iptables is well-tested, other implementations may have bugs.

Installation and basic configuration

For Debian/Ubuntu open a terminal and run:

sudo apt-get install iptables git libevent-dev
git clone https://github.com/darkk/redsocks.git
cd redsocks/
make
echo 'base{log_debug = on; log_info = on; log = "file:/tmp/reddi.log";
       daemon = on; redirector = iptables;}
       redsocks { local_ip = 127.0.0.1; local_port = 31338; ip = 127.0.0.1;
       port = 31337; type = socks5; }' > redsocks.conf
./redsocks -c redsocks.conf

For Redhat/Centos/Fedora open a terminal and run:

yum install iptables libevent libevent-devel
# TLS certificate verification is left enabled for the download
wget -O redsocks.zip https://github.com/darkk/redsocks/zipball/master
unzip redsocks.zip
cd darkk-redsocks-*/  # the suffix (8839230 when this was written) changes with each commit
make
echo 'base{log_debug = on; log_info = on; log = "file:/tmp/reddi.log";
       daemon = on; redirector = iptables;}
       redsocks { local_ip = 127.0.0.1; local_port = 31338; ip = 127.0.0.1;
       port = 31337; type = socks5; }' > redsocks.conf
./redsocks -c redsocks.conf

This basic configuration points redsocks at a SOCKS5 proxy on localhost port 31337; redsocks itself listens on 127.0.0.1 port 31338.

Iptables configuration

Now we need to configure our local firewall with the following rules. I suggest putting them in a file and then running it as root.

#!/bin/bash
# Create new chain
iptables -t nat -N REDSOCKS
 
# Ignore LANs and some other reserved addresses.
iptables -t nat -A REDSOCKS -d 0.0.0.0/8 -j RETURN
iptables -t nat -A REDSOCKS -d 10.0.0.0/8 -j RETURN
iptables -t nat -A REDSOCKS -d 127.0.0.0/8 -j RETURN
iptables -t nat -A REDSOCKS -d 169.254.0.0/16 -j RETURN
iptables -t nat -A REDSOCKS -d 172.16.0.0/12 -j RETURN
iptables -t nat -A REDSOCKS -d 192.168.0.0/16 -j RETURN
iptables -t nat -A REDSOCKS -d 224.0.0.0/4 -j RETURN
iptables -t nat -A REDSOCKS -d 240.0.0.0/4 -j RETURN
 
# Anything else should be redirected to port 31338
iptables -t nat -A REDSOCKS -p tcp -j REDIRECT --to-ports 31338
 
# Any tcp connection made by `linuxaria' should be redirected, put your username here.
iptables -t nat -A OUTPUT -p tcp -m owner --uid-owner linuxaria -j REDSOCKS
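
A consistency check for the two pieces configured above, as an added example that is not part of the original article or of redsocks: it compares local_port in redsocks.conf with the REDIRECT target and confirms that OUTPUT sends the user's TCP traffic into the REDSOCKS chain. The function names, the sample ruleset and uid 1000 are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: cross-check redsocks.conf against the nat rules.
# Both samples are constructed; on a real host pass the contents of
# redsocks.conf and the output of `iptables -t nat -S` (run as root).
SAMPLE_CONF='base{log_debug = on; log_info = on; log = "file:/tmp/reddi.log";
       daemon = on; redirector = iptables;}
       redsocks { local_ip = 127.0.0.1; local_port = 31338; ip = 127.0.0.1;
       port = 31337; type = socks5; }'
# iptables -S prints the numeric uid, not the user name (1000 is assumed here).
SAMPLE_RULES='-P OUTPUT ACCEPT
-N REDSOCKS
-A OUTPUT -p tcp -m owner --uid-owner 1000 -j REDSOCKS
-A REDSOCKS -d 127.0.0.0/8 -j RETURN
-A REDSOCKS -p tcp -j REDIRECT --to-ports 31338'

# Port redsocks listens on (local_port in the config text given as $1).
conf_listen_port() {
    printf '%s\n' "$1" | tr ';{}' '\n\n\n' |
        sed -n 's/^[[:space:]]*local_port[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Port the REDSOCKS chain redirects to (ruleset text given as $1).
rules_redirect_port() {
    printf '%s\n' "$1" |
        sed -n 's/^-A REDSOCKS .*-j REDIRECT --to-ports \([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Succeeds if OUTPUT sends traffic owned by uid $2 into REDSOCKS.
rules_cover_uid() {
    printf '%s\n' "$1" |
        grep -Eq -- "^-A OUTPUT .*--uid-owner $2( .*)? -j REDSOCKS\$"
}

# audit CONF RULES UID: 0 = consistent, 1 = port mismatch, 2 = uid not covered.
audit() {
    lp=$(conf_listen_port "$1")
    rp=$(rules_redirect_port "$2")
    if [ -z "$lp" ] || [ "$lp" != "$rp" ]; then
        echo "MISMATCH: redsocks listens on '$lp', rules redirect to '$rp'"; return 1
    fi
    if ! rules_cover_uid "$2" "$3"; then
        echo "LEAK: no OUTPUT jump to REDSOCKS for uid $3"; return 2
    fi
    echo "OK: TCP from uid $3 is redirected to redsocks on port $lp"
}

audit "$SAMPLE_CONF" "$SAMPLE_RULES" 1000
```

A return code of 2 is the case that matters for the Tor use mentioned earlier: without the OUTPUT jump the user's connections leave the host directly.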


Start and Stop of redsocks

To start redsocks and apply the iptables rules:

/path/tothe/bin/redsocks -c redsocks.conf
/path/tothe/bin/iptables-redsocks.sh

To stop redsocks and iptables:

sudo iptables -F
sudo iptables -X 
sudo iptables -Z
sudo iptables -t nat -F
sudo iptables -t nat -X
sudo iptables -t nat -Z
killall redsocks
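
The commands above flush every chain in the filter and nat tables, including rules that have nothing to do with redsocks. As an added example (not from the original article), the script below derives from `iptables -t nat -S` output only the commands that undo the setup script; the function names and the sample ruleset are assumptions.

```shell
#!/bin/sh
# Added example: remove only what the redsocks setup script installed.
# SAMPLE_RULES is constructed; on a real host feed `iptables -t nat -S` instead.
CHAIN=REDSOCKS

SAMPLE_RULES='-P PREROUTING ACCEPT
-P OUTPUT ACCEPT
-N REDSOCKS
-A OUTPUT -p tcp -m owner --uid-owner 1000 -j REDSOCKS
-A REDSOCKS -d 10.0.0.0/8 -j RETURN
-A REDSOCKS -d 127.0.0.0/8 -j RETURN
-A REDSOCKS -p tcp -j REDIRECT --to-ports 31338'

# Read `iptables -t nat -S` output on stdin and print the teardown commands.
teardown_cmds() {
    awk -v chain="$CHAIN" '
        $1 == "-N" && $2 == chain { exists = 1 }
        # A rule in another chain that jumps into ours: same spec, -D instead of -A.
        $1 == "-A" && $2 != chain && $NF == chain && $(NF-1) == "-j" {
            sub(/^-A/, "-D"); print "iptables -t nat " $0
        }
        END {
            if (exists) {
                # A chain that is still referenced cannot be deleted, so the
                # jumps go first, then the chain is emptied and removed.
                print "iptables -t nat -F " chain
                print "iptables -t nat -X " chain
            }
        }'
}

# Show the commands by default; run them only with APPLY=1 (needs root).
# Word splitting of $cmd is enough for these rules (no quoted arguments).
teardown() {
    teardown_cmds | while read -r cmd; do
        if [ "${APPLY:-0}" = "1" ]; then $cmd; else echo "would run: $cmd"; fi
    done
}

# Demo on the constructed sample; replace with: iptables -t nat -S | teardown
printf '%s\n' "$SAMPLE_RULES" | teardown
```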

Conclusions

Now all outbound TCP traffic from the chosen user will be transparently redirected through redsocks to our SOCKS5 proxy.
And thanks to iptables there is no need to adjust any application configuration!


  5 Responses to “Redirect all (TCP) traffic through transparent socks5 proxy in Linux”

  1. In the “Installation e basic configuration” section, your blogging software has converted “>” (greater-than) into “& gt ;” (without spaces – ampersand, “g”, “t”, semi-colon).

  2. You just made my life easier friend. Thanks! Now it won’t take long for me to figure everything. It’s all here. Just good.

  3. needed to do one more thing to work
    adduser -m redsocks

  4. i’ve got this when make

    Dans le fichier inclus à partir de parser.c:29:
    utils.h:6:19: erreur: event.h : Aucun fichier ou dossier de ce type
    In file included from parser.c:29:
    utils.h:43: attention : ‘struct evbuffer’ declared inside parameter list
    utils.h:44: erreur: expected declaration specifiers or ‘…’ before ‘evbuffercb’
    utils.h:44: erreur: expected declaration specifiers or ‘…’ before ‘everrorcb’
    make: *** [parser.o] Erreur 1

  5. hi
    thanks for the howto. i have one problem though:
    i cannot make connections from the host that runs the iptables and redsocks. i guess there are some iptables entries missing but i cant figure out which

    when i test with wget i get the following:

    wget -O - http://google.de/
    --2013-12-04 20:35:23-- http://google.de/
    Resolving google.de (google.de)... 173.194.113.159, 173.194.113.151, 173.194.113.152, ...
    Connecting to google.de (google.de)|173.194.113.159|:80... connected.
    HTTP request sent, awaiting response... No data received.
    Retrying.

    --2013-12-04 20:35:24-- (try: 2) http://google.de/
    Connecting to google.de (google.de)|173.194.113.159|:80... connected.
    HTTP request sent, awaiting response... No data received.
    Retrying.
    ...

    and so on

    any ideas?

    thanks
    smoe
