
HTTP traffic thru redsocks service using iptables not working

Ask Ubuntu Asked on January 3, 2022

I am trying to redirect all my computer's traffic through my local redsocks service on port 12345. Although HTTPS is working, for some reason HTTP does not appear to be.

/etc/redsocks.conf

base {
    // Verbose logging to a file; debug output may record connection details,
    // so keep the log file's permissions tight as well.
    log_debug = on;
    log_info = on;
    log = "file:/var/log/redsocks.log";

    daemon = on;

    // How redsocks learns the original destination of connections that the
    // iptables REDIRECT rules below hand to it.
    redirector = iptables;
}

redsocks {

    // NOTE(review): 0.0.0.0 listens on every interface; only the local OUTPUT
    // chain is redirected in this setup, so 127.0.0.1 would suffice — confirm.
    local_ip = 0.0.0.0;
    local_port = 12345;

    // Upstream proxy that every redirected connection is forwarded to.
    ip = proxy.uclv.cu;
    port = 3128;

    // http-connect opens a CONNECT tunnel through the proxy; that is the type
    // that worked for HTTPS in this setup (see the answers below).
    type = http-connect;

    // Stored in clear text: restrict this file to root (e.g. chmod 600).
    login = "MyUser";
    password = "MyPassword";
}

iptables configuration

iptables -t nat -N REDSOCKS

# Loopback, private, link-local, CGNAT, benchmark, multicast and reserved
# destinations leave the chain untouched (no proxy for local traffic).
for net in 0.0.0.0/8 10.0.0.0/8 100.64.0.0/10 127.0.0.0/8 169.254.0.0/16 \
           172.16.0.0/12 192.168.0.0/16 198.18.0.0/15 224.0.0.0/4 240.0.0.0/4; do
  iptables -t nat -A REDSOCKS -d "$net" -j RETURN
done

# Every other TCP destination is handed to the local redsocks listener
iptables -t nat -A REDSOCKS -p tcp -j REDIRECT --to-ports 12345

# Hook the chain into locally generated TCP traffic
iptables -t nat -A OUTPUT -p tcp -j REDSOCKS

Executing command sudo iptables -v -x -n -L

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination         

Executing command sudo iptables -t nat -nL

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
REDSOCKS   tcp  --  0.0.0.0/0            0.0.0.0/0           

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         

Chain REDSOCKS (1 references)
target     prot opt source               destination         
RETURN     all  --  0.0.0.0/0            0.0.0.0/8           
RETURN     all  --  0.0.0.0/0            10.0.0.0/8          
RETURN     all  --  0.0.0.0/0            100.64.0.0/10       
RETURN     all  --  0.0.0.0/0            127.0.0.0/8         
RETURN     all  --  0.0.0.0/0            169.254.0.0/16      
RETURN     all  --  0.0.0.0/0            172.16.0.0/12       
RETURN     all  --  0.0.0.0/0            192.168.0.0/16      
RETURN     all  --  0.0.0.0/0            198.18.0.0/15       
RETURN     all  --  0.0.0.0/0            224.0.0.0/4         
RETURN     all  --  0.0.0.0/0            240.0.0.0/4         
REDIRECT   tcp  --  0.0.0.0/0            0.0.0.0/0            redir ports 12345

If I try an HTTPS site such as https://google.com it works, but a plain HTTP site like http://archive.ubuntu.com/ubuntu/ doesn't.

However, if I change http-connect to http-relay in the redsocks config file, the opposite happens: HTTP works and HTTPS doesn't.

Is there any way I can make both HTTP and HTTPS work at the same time?

3 Answers

I used transocks (https://github.com/cybozu-go/transocks) instead of redsocks; my iptables config looks like this:

https://gist.github.com/andersondanilo/a28e7165fa8a9700d8ead20a224ecf44

example transocks config:

# Transparent listener. 0.0.0.0 is needed so hotspot clients (redirected in
# PREROUTING by the script below) can reach it, but it also exposes the port on
# every other interface unless your INPUT policy or rules restrict it.
listen = "0.0.0.0:12345"

# Connect to HTTP Proxy
# USER:PASS are stored in clear text here: keep this file readable only by the
# account that runs transocks (the script notes it is started with sudo -u transocks).
proxy_url = "http://USER:PASS@HOST:80"

# Connect to socks5 Proxy (you can create with ssh)
# proxy_url = "socks5://10.20.30.40:1080" 

[log]
level = "info"

script to configure iptables:

#!/usr/bin/bash

# Transocks: https://github.com/cybozu-go/transocks
# 1. Install: go get -u github.com/cybozu-go/transocks/...
# Note: depending on your version of go, you will need the env var GO111MODULE=on
# 2. Create a "transocks" user
# 3. Execute: sudo -u transocks $HOME/go/bin/transocks -f transocks.toml

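set -euo pipefail

# Hide the "^C" that the terminal prints on Ctrl+C. Only do this on a real
# terminal: stty fails without one and, under set -e, would abort a
# non-interactive run (e.g. started from a service manager) before any rule
# is installed.
if [[ -t 0 ]]; then
  stty -echoctl
fi

# Transparent listener port and the dedicated user running transocks (see the
# transocks config: listen = "0.0.0.0:12345"). The OUTPUT rule in action_up
# excludes that user, presumably so the proxy's own upstream connections are
# not redirected back into its listener.
readonly TRANSOCKS_PORT=12345
readonly TRANSOCKS_USER=transocks

# 1 = redirect this computer's own TCP traffic (everything except TRANSOCKS_USER)
readonly REDIRECT_LOCAL_NETWORK=1

# 1 = also redirect clients of the wifi hotspot on this interface / subnet
readonly AP_SUBNET_ENABLED=1
readonly AP_SUBNET_IFACE=ap0
readonly AP_SUBNET_RANGE="192.168.12.0/24"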

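#######################################
# Install the TRANSOCKS nat chain and hook it into OUTPUT (this host's own
# traffic) and PREROUTING (hotspot clients), as enabled by the flags above.
# Globals:   TRANSOCKS_PORT, TRANSOCKS_USER, REDIRECT_LOCAL_NETWORK,
#            AP_SUBNET_ENABLED, AP_SUBNET_IFACE, AP_SUBNET_RANGE (all read)
# Outputs:   progress banners on stdout, iptables -v output
# Returns:   non-zero (and, under set -e, aborts the script) if any iptables
#            call fails, e.g. when the chain still exists from an earlier run
#            that was not cleaned up.
#######################################
action_up() {
  local net
  printf '%s\n' "-----------------------------" "# Adding iptables chain rules" "-----------------------------"
  iptables -v -t nat -N TRANSOCKS
  # Loopback, private, link-local, CGNAT, benchmark, multicast and reserved
  # destinations are never proxied.
  for net in 0.0.0.0/8 10.0.0.0/8 100.64.0.0/10 127.0.0.0/8 169.254.0.0/16 \
             172.16.0.0/12 192.168.0.0/16 198.18.0.0/15 224.0.0.0/4 240.0.0.0/4; do
    iptables -v -t nat -A TRANSOCKS -d "$net" -j RETURN
  done
  iptables -v -t nat -A TRANSOCKS -p tcp -j REDIRECT --to-ports "$TRANSOCKS_PORT"

  if [[ "$REDIRECT_LOCAL_NETWORK" == 1 ]]; then
    printf '%s\n' "--------------------------------" "# Redirecting non-transocks user" "--------------------------------"
    # Sockets owned by the proxy user are left alone so its upstream
    # connections are not sent back into the listener.
    iptables -v -t nat -A OUTPUT -p tcp -m owner ! --uid-owner "$TRANSOCKS_USER" -j TRANSOCKS
  fi

  if [[ "$AP_SUBNET_ENABLED" == 1 ]]; then
    printf '%s\n' "-----------------------" "# Redirecting AP subnet" "-----------------------"
    # Hotspot traffic is redirected in PREROUTING; the INPUT ACCEPT is scoped
    # to that interface and subnet only. Whether the listener is reachable from
    # other interfaces depends on the INPUT policy, which this script does not set.
    iptables -v -t nat -I PREROUTING -i "$AP_SUBNET_IFACE" -s "$AP_SUBNET_RANGE" -j TRANSOCKS
    iptables -v -I INPUT -i "$AP_SUBNET_IFACE" -s "$AP_SUBNET_RANGE" -p tcp -m tcp --dport "$TRANSOCKS_PORT" -j ACCEPT
  fi
}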

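#######################################
# Remove everything action_up installed: the OUTPUT / PREROUTING / INPUT hooks
# (when enabled) and then the TRANSOCKS chain itself.
# Globals:   TRANSOCKS_PORT, TRANSOCKS_USER, REDIRECT_LOCAL_NETWORK,
#            AP_SUBNET_ENABLED, AP_SUBNET_IFACE, AP_SUBNET_RANGE (all read)
# Outputs:   progress banners on stdout, iptables -v output
# Returns:   the status of the first failing iptables call; because the script
#            runs under set -e, a delete that fails (rule already gone) aborts
#            before the chain is flushed and removed.
#######################################
action_down() {
  if [[ "$REDIRECT_LOCAL_NETWORK" == 1 ]]; then
    printf '%s\n' "------------------------------" "# Cleaning non-transocks rules" "------------------------------"
    # Must match the -A OUTPUT rule in action_up exactly, or -D will not find it.
    iptables -v -t nat -D OUTPUT -p tcp -m owner ! --uid-owner "$TRANSOCKS_USER" -j TRANSOCKS
  fi

  if [[ "$AP_SUBNET_ENABLED" == 1 ]]; then
    printf '%s\n' "--------------------------" "# Cleaning AP subnet rules" "--------------------------"
    iptables -v -t nat -D PREROUTING -i "$AP_SUBNET_IFACE" -s "$AP_SUBNET_RANGE" -j TRANSOCKS
    iptables -v -D INPUT -i "$AP_SUBNET_IFACE" -s "$AP_SUBNET_RANGE" -p tcp -m tcp --dport "$TRANSOCKS_PORT" -j ACCEPT
  fi

  printf '%s\n' "-----------------------------" "# Cleaning and removing chain" "-----------------------------"
  # A chain can only be deleted (-X) once it is empty and nothing jumps to it.
  iptables -v -t nat -F TRANSOCKS
  iptables -v -t nat -X TRANSOCKS
}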

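# Tear the rules down on Ctrl+C, and also on SIGTERM (e.g. from a service
# manager), then exit explicitly: a trap handler returns to the interrupted
# command, so without the exit the wait loop below would simply resume.
trap 'action_down; exit 0' INT TERM

action_up

printf '\n%s\n\n' "Hit Ctrl+C to remove the ip table rules"

# Short sleeps rather than one long one: bash only runs a trap after the
# current child exits, so a signal delivered to the shell alone is handled
# within a second.
while :; do
  sleep 1
done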

Answered by Anderson Danilo on January 3, 2022

After trying Atreyu94's answer and some other examples, this is what worked for me:

/etc/redsocks.conf

base {
    // Verbose logging to a file; debug output may record connection details,
    // so keep the log file's permissions tight as well.
    log_debug = on;
    log_info = on;
    log = "file:/var/log/redsocks.log";

    daemon = on;

    // How redsocks learns the original destination of connections that the
    // iptables REDIRECT rules below hand to it.
    redirector = iptables;
}

// Listener for HTTPS: the iptables rules below send dpt:443 to port 12345.
redsocks {
    // NOTE(review): 0.0.0.0 listens on every interface; only OUTPUT is
    // redirected in this setup, so 127.0.0.1 would suffice — confirm.
    local_ip = 0.0.0.0;
    local_port = 12345;

    // Same upstream proxy for both listeners; only the proxy type differs.
    ip = my.proxy.dns;
    port = 3128;

    type = http-connect;

    // Stored in clear text: restrict this file to root (e.g. chmod 600).
    login = "myUser";
    password = "myPassword";
}

// Listener for plain HTTP: dpt:80 and dpt:11371 are sent to port 12346.
redsocks {
    local_ip = 0.0.0.0;
    local_port = 12346;

    ip = my.proxy.dns;
    port = 3128;

    type = http-relay;

    login = "myUser";
    password = "myPassword";
}

Executing command sudo iptables -t nat -nL

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
REDSOCKS   tcp  --  0.0.0.0/0            0.0.0.0/0           

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         

Chain REDSOCKS (1 references)
target     prot opt source               destination         
RETURN     all  --  0.0.0.0/0            0.0.0.0/8           
RETURN     all  --  0.0.0.0/0            10.0.0.0/8          
RETURN     all  --  0.0.0.0/0            100.64.0.0/10       
RETURN     all  --  0.0.0.0/0            127.0.0.0/8         
RETURN     all  --  0.0.0.0/0            169.254.0.0/16      
RETURN     all  --  0.0.0.0/0            172.16.0.0/12       
RETURN     all  --  0.0.0.0/0            192.168.0.0/16      
RETURN     all  --  0.0.0.0/0            198.18.0.0/15       
RETURN     all  --  0.0.0.0/0            224.0.0.0/4         
RETURN     all  --  0.0.0.0/0            240.0.0.0/4         
REDIRECT   tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80 redir ports 12346
REDIRECT   tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:443 redir ports 12345
REDIRECT   tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:11371 redir ports 12346

As you can see in my tables, I redirect all HTTP traffic (port 80) to the http-relay port. I also redirect TCP traffic to port 11371 through the http-relay port; I don't even know why that works, but it does (11371 is the HKP keyserver port, which speaks plain HTTP, so it behaves like port 80). I saw that particular redirection in:

https://jmkhael.io/escape-proxy-hell-with-redsocks/

Also, I only redirect OUTPUT traffic because I am not working on a server but on my personal computer. If you want to use the computer you are working on as some kind of NAT gateway for other hosts, you should also add rules to the PREROUTING chain.

Answered by jogarcia on January 3, 2022

The redsocks2 page (https://github.com/semigodking/redsocks) probably explains your problem: you need two sections in the configuration file, one per proxy type, as in the following example. I quote verbatim:

"To make redsocks2 works with GoAgent proxy, you need to set proxy type as 'http-relay' for HTTP protocol and 'http-connect' for HTTPS protocol respectively. Suppose your goagent local proxy is running at the same server as redsocks2, The configuration for forwarding connections to GoAgent is like below:

    redsocks {
     bind = "192.168.1.1:1081"; //HTTP should be redirect to this port.
     relay = "192.168.1.1:8080";
     type = http-relay; // Must be 'htt-relay' for HTTP traffic.
     autoproxy = 1; // I want autoproxy feature enabled on this section.
     // timeout is meaningful when 'autoproxy' is non-zero.
     // It specified timeout value when trying to connect to destination
     // directly. Default is 10 seconds. When it is set to 0, default
     // timeout value will be used.
     timeout = 13;
    }
    redsocks {
     bind = "192.168.1.1:1082"; //HTTPS should be redirect to this port.
     relay = "192.168.1.1:8080";
     type = http-connect; // Must be 'htt-connect' for HTTPS traffic.
     autoproxy = 1; // I want autoproxy feature enabled on this section.
     // timeout is meaningful when 'autoproxy' is non-zero.
     // It specified timeout value when trying to connect to destination
     // directly. Default is 10 seconds. When it is set to 0, default
     // timeout value will be used.
     timeout = 13;
     }

"

Answered by Atreyu94 on January 3, 2022
