mirrors/redsocks
0
0
Fork 0
mirror of https://github.com/darkk/redsocks.git synced 2025-08-29 13:15:30 +00:00
Code

Update README

Browse Source
This commit is contained in:
Leonid Evdokimov 2018-02-01 20:03:14 +03:00
parent 268c00eb29
commit 5df6a30e5f
3 changed files with 253 additions and 443 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

203
README
View File

@ -1,203 +0,0 @@
This tool allows you to redirect any TCP connection to SOCKS or HTTPS
proxy using your firewall, so redirection is system-wide.
Why is that useful? I can suggest following reasons:
* you use tor[1] and don't want any TCP connection to leak.
* you use DVB ISP and this ISP provides internet connectivity with some
special daemon that may be also called "Internet accelerator" and this
accelerator acts as proxy. Globax[2] is example of such an accelerator.
Linux/iptables, OpenBSD/pf and FreeBSD/ipfw are supported.
Linux/iptables is well-tested, other implementations may have bugs,
your bugreports are welcome.
Transocks[3] is alike project but it has noticable performance penality.
Transsocks_ev[4] is alike project too, but it has no HTTPS-proxy support
and does not support authentication.
Several Android apps also use redsocks under-the-hood: ProxyDroid[5][6] and
sshtunnel[7][8]. And that's over 100'000 downloads! Wow!
[1] http://www.torproject.org
[2] http://www.globax.biz
[3] http://transocks.sourceforge.net/
[4] http://oss.tiggerswelt.net/transocks_ev/
[5] http://code.google.com/p/proxydroid/
[6] https://market.android.com/details?id=org.proxydroid
[7] http://code.google.com/p/sshtunnel/
[8] https://market.android.com/details?id=org.sshtunnel
Another related issue is DNS over TCP. Redsocks includes `dnstc' that is fake
and really dumb DNS server that returns "truncated answer" to every query via
UDP. RFC-compliant resolver should repeat same query via TCP in this case - so
the request can be redirected using usual redsocks facilities.
Known compliant resolvers are:
* bind9 (server)
* dig, nslookup (tools based on bind9 code)
Known non-compliant resolvers are:
* eglibc resolver fails without any attempt to send request via TCP
* powerdns-recursor can't properly startup without UDP connectivity as it
can't load root hints
On the other hand, DNS via TCP using bind9 may be painfully slow. If your bind9
setup is really slow, you have at least two options: pdnsd[9] caching server
can run in TCP-only mode, ttdnsd[10][11] has no cache but can be useful for same
purpose.
[9] http://www.phys.uu.nl/~rombouts/pdnsd.html
[10] http://www.mulliner.org/collin/ttdnsd.php
[11] https://gitweb.torproject.org/ioerror/ttdnsd.git
Features
========
Redirect any TCP connection to SOCKS4, SOCKS5 or HTTPS (HTTP/CONNECT)
proxy server.
Login/password authentication is supported for SOCKS5/HTTPS connections.
SOCKS4 supports only username, password is ignored. for HTTPS, currently
only Basic and Digest scheme is supported.
Redirect UDP packets via SOCKS5 proxy server. NB: UDP still goes via UDP, so
you can't relay UDP via OpenSSH.
Sends "truncated reply" as an answer to UDP DNS queries.
Redirect any HTTP connection to proxy that does not support transparent
proxying (e.g. old SQUID had broken `acl myport' for such connections).
License
=======
All source code is licensed under Apache 2.0 license.
You can get a copy at http://www.apache.org/licenses/LICENSE-2.0.html
Packages
========
* Archlinux: https://aur.archlinux.org/packages/redsocks-git
* Debian: http://packages.debian.org/search?searchon=names&keywords=redsocks
* Gentoo (pentoo overlay): https://code.google.com/p/pentoo/source/browse/portage/trunk/net-proxy/redsocks
* Gentoo (theebuilds overlay): http://code.google.com/p/theebuilds/source/browse/trunk/net-misc/redsocks
* Gentoo (zugaina overlay): http://gpo.zugaina.org/net-proxy/redsocks
* Ubuntu: http://packages.ubuntu.com/search?searchon=names&keywords=redsocks
Compilation
===========
libevent-2.0.x[5] is required.
gcc and clang are supported right now, other compilers can be used
but may require some code changes.
Compilation is as easy as running `make', there is no `./configure' magic.
GNU Make works, other implementations of make were not tested.
[5] http://libevent.org/ || http://www.monkey.org/~provos/libevent/
Running
=======
Program has following command-line options:
-c sets proper path to config file ("./redsocks.conf" is default one)
-t tests config file syntax
-p set a file to write the getpid() into
Following signals are understood:
SIGUSR1 dumps list of connected clients to log
SIGTERM and SIGINT terminates daemon, all active connections are closed
You can see configuration file example in redsocks.conf.example
iptables example
================
You have to build iptables with connection tracking and REDIRECT target.
# Create new chain
root# iptables -t nat -N REDSOCKS
# Ignore LANs and some other reserved addresses.
# See http://en.wikipedia.org/wiki/Reserved_IP_addresses#Reserved_IPv4_addresses
# and http://tools.ietf.org/html/rfc5735 for full list of reserved networks.
root# iptables -t nat -A REDSOCKS -d 0.0.0.0/8 -j RETURN
root# iptables -t nat -A REDSOCKS -d 10.0.0.0/8 -j RETURN
root# iptables -t nat -A REDSOCKS -d 100.64.0.0/10 -j RETURN
root# iptables -t nat -A REDSOCKS -d 127.0.0.0/8 -j RETURN
root# iptables -t nat -A REDSOCKS -d 169.254.0.0/16 -j RETURN
root# iptables -t nat -A REDSOCKS -d 172.16.0.0/12 -j RETURN
root# iptables -t nat -A REDSOCKS -d 192.168.0.0/16 -j RETURN
root# iptables -t nat -A REDSOCKS -d 198.18.0.0/15 -j RETURN
root# iptables -t nat -A REDSOCKS -d 224.0.0.0/4 -j RETURN
root# iptables -t nat -A REDSOCKS -d 240.0.0.0/4 -j RETURN
# Anything else should be redirected to port 12345
root# iptables -t nat -A REDSOCKS -p tcp -j REDIRECT --to-ports 12345
# Any tcp connection made by `luser' should be redirected.
root# iptables -t nat -A OUTPUT -p tcp -m owner --uid-owner luser -j REDSOCKS
# You can also control that in more precise way using `gid-owner` from
# iptables.
root# groupadd socksified
root# usermod --append --groups socksified luser
root# iptables -t nat -A OUTPUT -p tcp -m owner --gid-owner socksified -j REDSOCKS
# Now you can launch your specific application with GID `socksified` and it
# will be... socksified. See following commands (numbers may vary).
# Note: you may have to relogin to apply `usermod` changes.
luser$ id
uid=1000(luser) gid=1000(luser) groups=1000(luser),1001(socksified)
luser$ sg socksified -c id
uid=1000(luser) gid=1001(socksified) groups=1000(luser),1001(socksified)
luser$ sg socksified -c "firefox"
# If you want to configure socksifying router, you should look at
# doc/iptables-packet-flow.png, doc/iptables-packet-flow-ng.png and
# https://en.wikipedia.org/wiki/File:Netfilter-packet-flow.svg
# Note, you should have proper `local_ip' value to get external packets with
# redsocks, default 127.0.0.1 will not go. See iptables(8) manpage regarding
# REDIRECT target for details.
# Depending on your network configuration iptables conf. may be as easy as:
root# iptables -t nat -A PREROUTING --in-interface eth_int -p tcp -j REDSOCKS
Note about GID-based redirection
========
Keep in mind, that changed GID affects filesystem permissions, so if your
application creates some files, the files will be created with luser:socksified
owner/group. So, if you're not the only user in the group `socksified` and your
umask allows to create group-readable files and your directory permissions, and
so on, blah-blah, etc. THEN you may expose your files to another user.
Ok, you have been warned.
Homepage
========
http://darkk.net.ru/redsocks/
Mailing list: redsocks@librelist.com
Mailing list also has archives[1].
[1] http://librelist.com/browser/redsocks/
TODO
====
Test OpenBSD (pf) and FreeBSD (ipfw) and write setup examples for those
firewall types.
Author
======
This program was written by Leonid Evdokimov <leon@darkk.net.ru>

240
README.html
View File

@ -1,240 +0,0 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<link rel="stylesheet" type="text/css" href="../site.css" />
<title>redsocks - transparent socks redirector</title>
</head>
<body>
<!-- Intro -->
<h1>redsocks - transparent socks redirector</h1>
<div class="navi">
<a href="../">darkk's homepage</a>
<a href="http://github.com/darkk/redsocks/tree/master">download source code</a>
</div>
<hr/>
<p>This tool allows you to redirect any TCP connection to SOCKS or HTTPS
proxy using your firewall, so redirection is system-wide.</p>
<p>Why is that useful? I can suggest following reasons:</p>
<ul>
<li>you use <a href="http://www.torproject.org">tor</a> and don't want any TCP connection to leak</li>
<li>you use DVB ISP and this ISP provides internet connectivity with some
special daemon that may be also called "Internet accelerator" and this
accelerator acts as proxy. <a href="http://www.globax.biz">Globax</a> is example of such an accelerator</li>
</ul>
<p>Linux/iptables, OpenBSD/pf and FreeBSD/ipfw are supported.
Linux/iptables is well-tested, other implementations may have bugs,
your bugreports are welcome.</p>
<p><a href="http://transocks.sourceforge.net/">Transocks</a> is alike project but it has noticable performance penality.</p>
<p><a href="http://oss.tiggerswelt.net/transocks_ev/">Transsocks_ev</a> is alike project too, but it has no HTTPS-proxy support
and does not support authentication.</p>
<p>Several Andoird apps also use redsocks under-the-hood: <a href="http://code.google.com/p/proxydroid/">ProxyDroid</a> (<a href="https://market.android.com/details?id=org.proxydroid">@AndroidMarket</a>) and
<a href="http://code.google.com/p/sshtunnel/">sshtunnel</a> (<a href="https://market.android.com/details?id=org.sshtunnel">@AndroidMarket</a>). And that's over 100'000 downloads! Wow!</p>
<p>Another related issue is DNS over TCP. Redsocks includes `dnstc' that is fake
and really dumb DNS server that returns "truncated answer" to every query via
UDP. RFC-compliant resolver should repeat same query via TCP in this case - so
the request can be redirected using usual redsocks facilities.</p>
<p>Known compliant resolvers are:</p>
<ul>
<li>bind9 (server)</li>
<li>dig, nslookup (tools based on bind9 code)</li>
</ul>
<p>Known non-compliant resolvers are:</p>
<ul>
<li>eglibc resolver fails without any attempt to send request via TCP</li>
<li>powerdns-recursor can't properly startup without UDP connectivity as it
can't load root hints</li>
</ul>
<p>On the other hand, DNS via TCP using bind9 may be painfully slow. If your bind9
setup is really slow, you have at least two options: <a href="http://www.phys.uu.nl/~rombouts/pdnsd.html">pdnsd</a> caching server
can run in TCP-only mode, <a href="http://www.mulliner.org/collin/ttdnsd.php">ttdnsd</a> (<a href="https://gitweb.torproject.org/ioerror/ttdnsd.git">git repo</a>) has no cache but can be useful for same
purpose.</p>
<h2>Features</h2>
<p>Redirect any TCP connection to SOCKS4, SOCKS5 or HTTPS (HTTP/CONNECT)
proxy server.</p>
<p>Login/password authentication is supported for SOCKS5/HTTPS connections.
SOCKS4 supports only username, password is ignored. for HTTPS, currently
only Basic and Digest scheme is supported.</p>
<p>Redirect UDP packets via SOCKS5 proxy server. NB: UDP still goes via UDP, so
you can't relay UDP via OpenSSH.</p>
<p>Sends "truncated reply" as an answer to UDP DNS queries.</p>
<p>Redirect any HTTP connection to proxy that does not support transparent
proxying (e.g. old SQUID had broken `acl myport' for such connections).</p>
<h2>License</h2>
<p>All source code is licensed under Apache 2.0 license.</p>
<p>You can get a copy at <a href="http://www.apache.org/licenses/LICENSE-2.0.html">http://www.apache.org/licenses/LICENSE-2.0.html</a></p>
<h2>Packages</h2>
<ul>
<li><img src="http://www.archlinux.org/favicon.ico" alt="" />
<a href="https://aur.archlinux.org/packages/redsocks-git">Archlinux AUR</a></li>
<li><img src="http://www.debian.org/favicon.ico" alt="" />
<a href="http://packages.debian.org/search?searchon=names&keywords=redsocks">Debian</a></li>
<li><img src="http://www.gentoo.org/favicon.ico" alt="" />
<a href="https://code.google.com/p/pentoo/source/browse/portage/trunk/net-proxy/redsocks">Gentoo (pentoo overlay)</a></li>
<li><img src="http://www.gentoo.org/favicon.ico" alt="" />
<a href="http://code.google.com/p/theebuilds/source/browse/trunk/net-misc/redsocks">Gentoo (theebuilds overlay)</a></li>
<li><img src="http://www.gentoo.org/favicon.ico" alt="" />
<a href="http://gpo.zugaina.org/net-proxy/redsocks">Gentoo (zugaina overlay)</a></li>
<li><img src="http://www.ubuntu.com/sites/all/themes/ubuntu10/favicon.ico" alt="" />
<a href="http://packages.ubuntu.com/search?searchon=names&keywords=redsocks">Ubuntu</a></li>
</ul>
<h2>Compilation</h2>
<p><a href="http://libevent.org/">libevent-2.0.x</a> is required.</p>
<p>gcc is only supported compiler right now, other compilers can be used
but may require some code changes.</p>
<p>Compilation is as easy as running `make', there is no `./configure' magic.</p>
<p>GNU Make works, other implementations of make were not tested.</p>
<h2>Running</h2>
<p>Program has following command-line options:<br/>
-c sets proper path to config file ("./redsocks.conf" is default one)<br/>
-t tests config file syntax<br/>
-p set a file to write the getpid() into</p>
<p>Following signals are understood:<br/>
SIGUSR1 dumps list of connected clients to log<br/>
SIGTERM and SIGINT terminates daemon, all active connections are closed</p>
<p>You can see configuration file example in redsocks.conf.example</p>
<h2>iptables example</h2>
<p>You have to build iptables with connection tracking and REDIRECT target.</p>
<pre>
# Create new chain
<strong>root#</strong> <code>iptables -t nat -N REDSOCKS</code>
# Ignore LANs and some other reserved addresses.
# See <a href="http://en.wikipedia.org/wiki/Reserved_IP_addresses#Reserved_IPv4_addresses">Wikipedia</a> and <a href="http://tools.ietf.org/html/rfc5735">RFC5735</a> for full list of reserved networks.
<strong>root#</strong> <code>iptables -t nat -A REDSOCKS -d 0.0.0.0/8 -j RETURN</code>
<strong>root#</strong> <code>iptables -t nat -A REDSOCKS -d 10.0.0.0/8 -j RETURN</code>
<strong>root#</strong> <code>iptables -t nat -A REDSOCKS -d 100.64.0.0/10 -j RETURN</code>
<strong>root#</strong> <code>iptables -t nat -A REDSOCKS -d 127.0.0.0/8 -j RETURN</code>
<strong>root#</strong> <code>iptables -t nat -A REDSOCKS -d 169.254.0.0/16 -j RETURN</code>
<strong>root#</strong> <code>iptables -t nat -A REDSOCKS -d 172.16.0.0/12 -j RETURN</code>
<strong>root#</strong> <code>iptables -t nat -A REDSOCKS -d 192.168.0.0/16 -j RETURN</code>
<strong>root#</strong> <code>iptables -t nat -A REDSOCKS -d 198.18.0.0/15 -j RETURN</code>
<strong>root#</strong> <code>iptables -t nat -A REDSOCKS -d 224.0.0.0/4 -j RETURN</code>
<strong>root#</strong> <code>iptables -t nat -A REDSOCKS -d 240.0.0.0/4 -j RETURN</code>
# Anything else should be redirected to port 12345
<strong>root#</strong> <code>iptables -t nat -A REDSOCKS -p tcp -j REDIRECT --to-ports 12345</code>
# Any tcp connection made by `luser' should be redirected.
<strong>root#</strong> <code>iptables -t nat -A OUTPUT -p tcp -m owner --uid-owner luser -j REDSOCKS</code>
# You can also control that in more precise way using `gid-owner` from
# iptables.
<strong>root#</strong> <code>groupadd socksified</code>
<strong>root#</strong> <code>usermod --append --groups socksified luser</code>
<strong>root#</strong> <code>iptables -t nat -A OUTPUT -p tcp -m owner --gid-owner socksified -j REDSOCKS</code>
# Now you can launch your specific application with GID `socksified` and it
# will be... socksified. See following commands (numbers may vary).
# Note: you may have to relogin to apply `usermod` changes.
<strong>luser$</strong> <code>id</code>
uid=1000(luser) gid=1000(luser) groups=1000(luser),1001(socksified)
<strong>luser$</strong> <code>sg socksified -c id</code>
uid=1000(luser) gid=1001(socksified) groups=1000(luser),1001(socksified)
<strong>luser$</strong> <code>sg socksified -c "firefox"</code>
# If you want to configure socksifying router, you should look at
# <a href="doc/iptables-packet-flow.png">doc/iptables-packet-flow.png</a> and <a href="doc/iptables-packet-flow-ng.png">doc/iptables-packet-flow-ng.png</a> and
# <a href="https://en.wikipedia.org/wiki/File:Netfilter-packet-flow.svg">wikipedia/File:Netfilter-packet-flow.svg</a>
# Note, you should have proper `local_ip' value to get external packets with
# redsocks, default 127.0.0.1 will not go. See iptables(8) manpage regarding
# <a href="http://dev.medozas.de/files/xtables/iptables.html#76">REDIRECT target</a> for details.
# Depending on your network configuration iptables conf. may be as easy as:
<strong>root#</strong> <code>iptables -t nat -A PREROUTING --in-interface eth_int -p tcp -j REDSOCKS</code>
</pre>
<h3>Note about GID-based redirection</h3>
<p>
Keep in mind, that changed GID affects filesystem permissions, so if your
application creates some files, the files will be created with luser:socksified
owner/group. So, if you're not the only user in the group `socksified` and your
umask allows to create group-readable files and your directory permissions, and
so on, blah-blah, etc. THEN you may expose your files to another user.
</p>
<p>
Ok, you have been warned.
</p>
<h2>Homepage</h2>
<p>Homepage: <a href="http://darkk.net.ru/redsocks/">http://darkk.net.ru/redsocks/</a></p>
<p>Mailing list: <a href="mailto:redsocks@librelist.com">redsocks@librelist.com</a></p>
<p>Mailing list also has <a href="http://librelist.com/browser/redsocks/">archives</a>.</p>
<h2>TODO</h2>
<ul>
<li>Test OpenBSD (pf) and FreeBSD (ipfw) and write setup examples for those
firewall types.</li>
</ul>
<h2>Author</h2>
This program was written by Leonid Evdokimov.
<!-- Outro -->
<a name="address"></a>
<pre>
(~~~~~~~~~~\ __
| jabber: ) / \
| mailto: ( /|oo \
\_________\(_| /_)
_ @/_ \
| | \ \\
leon | (*) | \ )) darkk.net.ru
|__U__| / \//
_//|| _\ /
(_/(_|(____/
<a href="http://jigsaw.w3.org/css-validator/check/referer">Valid CSS!</a>
<a href="http://validator.w3.org/check?uri=referer">Valid XHTML 1.0 Transitional</a>
</pre>
<!-- /Outro -->
<!-- vim:set tabstop=2 softtabstop=2 shiftwidth=2: -->
</body>
</html>

253
README.md Normal file
View File

@ -0,0 +1,253 @@
# redsocks transparent TCP-to-proxy redirector
This tool allows you to redirect any TCP connection to SOCKS or HTTPS
proxy using your firewall, so redirection may be system-wide or network-wide.
When is resocks useful?
* you want to route part of TCP traffic via OpenSSH `DynamicForward` Socks5
port using firewall policies. That was original redsocks development goal;
* you use DVB ISP and this ISP provides internet connectivity with some
special daemon that may be also called "Internet accelerator" and the
accelerator acts as a proxy and has no "transparent proxy" feature and you
need it. [Globax](http://www.globax.biz) was an example of alike accelerator,
but Globax 5 has transparent proxy feature. That was the second redsocks`
development goal;
* you have to pass traffic through proxy due to corporate network limitation.
That was never a goal for redsocks, but users have reported success with
some proxy configurations.
When is redsocks probably a wrong tool?
* redirecting traffic to [tor](https://www.torproject.org). First, you **have**
to [use tor-aware software for anonymity](https://www.torproject.org/download/download.html.en#warning).
Second, [use `TransPort`](https://trac.torproject.org/projects/tor/wiki/doc/TransparentProxy)
if you don't actually need anonymity. Third, question everything :-)
* trying to redirect traffic of significant number of connections over single
SSH connection. That's not exactly [TCP over TCP](http://sites.inka.de/bigred/devel/tcp-tcp.html),
but [head-of-line blocking](https://en.wikipedia.org/wiki/Head-of-line_blocking)
will still happen and performance of real-time applications (IM, interactive
Web applications) may be degraded during bulk transfers;
* trying to make non-transparent HTTP-proxy (not HTTPS-proxy) transparent using
`http-relay` module. First, it will likely be broken as the code is hack.
Second, the code is vulnerable to `CVE-2009-0801` and will unlikely be ever fixed;
* making "really" transparent proxy, redsocks acts at TCP level, so three-way
handshake is completed and redsocks accepts connection before connection
through proxy (and _to_ proxy) is established;
* trying to redirect traffic of significant number of connections in
resource-constrained environment like SOHO Linux router. Throughput of single
connection may be good enough like 40 Mbit/s
on [TP-Link TD-W8980](https://wiki.openwrt.org/toh/tp-link/td-w8980),
but amount of concurrent connections may be limiting factor as TCP buffers
are still consumed;
* redirecting traffic to proxy on mobile device running Android or iOS as it'll require
[rooting](https://en.wikipedia.org/wiki/Rooting_(Android)) to update firewall
rules. Probably, the better way is to use on-device VPN daemon to intercept
traffic via [`VpnService` API for Android](https://developer.android.com/reference/android/net/VpnService.html)
and [`NETunnelProvider` family of APIs for iOS](https://developer.apple.com/documentation/networkextension).
That may require some code doing [TCP Reassembly](https://wiki.wireshark.org/TCP_Reassembly)
like [`tun2socks`](https://github.com/ambrop72/badvpn/wiki/Tun2socks).
Linux/iptables is supported. OpenBSD/pf and FreeBSD/ipfw may work with some
hacks. The author has no permanent root access to machines running OpenBSD,
FreeBSD and MacOSX to test and develop for these platforms.
[Transocks](http://transocks.sourceforge.net/) is alike project but it has
noticable performance penality.
[Transsocks_ev](http://oss.tiggerswelt.net/transocks_ev/)
is alike project too, but it has no HTTPS-proxy support
and does not support authentication.
Several Android apps also use redsocks under-the-hood:
[ProxyDroid](https://github.com/madeye/proxydroid)
[<i class="fa fa-play"></i>](https://market.android.com/details?id=org.proxydroid) and
[sshtunnel](https://code.google.com/archive/p/sshtunnel/)
[<i class="fa fa-play"></i>](https://market.android.com/details?id=org.sshtunnel).
And that's over 1'500'000 downloads! Wow!
## Features
Redirect any TCP connection to Socks4, Socks5 or HTTPS (HTTP/CONNECT)
proxy server.
Login/password authentication is supported for Socks5/HTTPS connections.
Socks4 supports only username, password is ignored. for HTTPS, currently
only Basic and Digest scheme is supported.
Redirect UDP packets via Socks5 proxy server. NB: UDP still goes via UDP, so
you can't relay UDP via OpenSSH.
Handle DNS/UDP queries sending "truncated reply" as an answer or making them
DNS/TCP queries to some recursive resolver.
Redirect any HTTP connection to proxy that does not support transparent
proxying (e.g. old SQUID had broken `acl myport' for such connections).
### Enforcing DNS over TCP using `dnstc`
DNS is running over UDP and it may be an issue in some environments as proxy
servers usually don't handle UDP as a first-class citizen. Redsocks includes
`dnstc` that is fake and really dumb DNS server that returns "truncated answer"
to every query via UDP. RFC-compliant resolver should repeat same query via TCP
in this case - so the request can be redirected using usual redsocks facilities.
Known compliant resolvers are:
* bind9 (server);
* dig, nslookup (tools based on bind9 code).
Known non-compliant resolvers are:
* eglibc resolver fails without any attempt to send request via TCP;
* powerdns-recursor can't properly startup without UDP connectivity as it
can't load root hints.
On the other hand, DNS via TCP using bind9 may be painfully slow.
If your bind9 setup is really slow, you may want to try
[pdnsd](http://www.phys.uu.nl/~rombouts/pdnsd.html) caching server
that can run in TCP-only mode.
### Relaying DNS/UDP to DNS/TCP via `dnsu2t`
The code acts as DNS server that multiplexes several UDP queries into single
stream of TCP queries over keep-alive connection to upstream DNS server that
should be recursive resolver. TCP connection may be handled by `redsocks`
itself if firewall is configured with corresponding rules.
Different resolvers have different timeouts and allow different count of
in-flight connections, so you have to tune options yourself for optimal
performance (with some black magic, as script testing for optimal DNS/TCP
connection parameters is not written yet).
There are other programs doing alike job (with, probably, different bugs)
* [ttdnsd](http://www.mulliner.org/collin/ttdnsd.php)
* [dns2socks](https://github.com/qiuzi/dns2socks) for Windows
* [tcpdnsproxy](https://github.com/jtripper/dns-tcp-socks-proxy)
## Source
Source is available at [<i class="fa fa-github"></i> GitHub](https://github.com/darkk/redsocks).
Issue tracker is also at GitHub, but keep in mind that the project is not
actively maintained, so feature requests will unlikely be implemented within
reasonable timeframe. Reproducable bugs having clean desciption will likely be
fixed. Destiny of hard-to-reproduce bugs is hard to predict.
New network protocols will unlikely be implemented within this source tree, but
if you're seeking for censorship circumvention protocols, you may want to take
a look at [redsocks2](https://github.com/semigodking/redsocks) by Zhuofei Wang
AKA @semigodking who is actively maintaining the fork with GFW in mind.
## License
All source code is licensed under Apache 2.0 license.
You can get a copy at http://www.apache.org/licenses/LICENSE-2.0.html
## Packages
* Archlinux: https://aur.archlinux.org/packages/redsocks-git
* Debian: http://packages.debian.org/search?searchon=names&keywords=redsocks
* Gentoo (zugaina overlay): http://gpo.zugaina.org/net-proxy/redsocks
* Gentoo: https://packages.gentoo.org/packages/net-proxy/redsocks
* Ubuntu: http://packages.ubuntu.com/search?searchon=names&keywords=redsocks
## Compilation
[libevent-2.0.x](http://libevent.org/) is required.
gcc and clang are supported right now, other compilers can be used
but may require some code changes.
Compilation is as easy as running `make`, there is no `./configure` magic.
GNU Make works, other implementations of make were not tested.
## Running
Program has following command-line options:
* `-c` sets proper path to config file ("./redsocks.conf" is default one)
* `-t` tests config file syntax
* `-p` set a file to write the getpid() into
Following signals are understood:
SIGUSR1 dumps list of connected clients to log,
SIGTERM and SIGINT terminates daemon, all active connections are closed.
You can see configuration file example in [redsocks.conf.example](https://github.com/darkk/redsocks/blob/master/redsocks.conf.example).
### iptables example
You have to build iptables with connection tracking and REDIRECT target.
```
# Create new chain
root# iptables -t nat -N REDSOCKS
# Ignore LANs and some other reserved addresses.
# See http://en.wikipedia.org/wiki/Reserved_IP_addresses#Reserved_IPv4_addresses
# and http://tools.ietf.org/html/rfc5735 for full list of reserved networks.
root# iptables -t nat -A REDSOCKS -d 0.0.0.0/8 -j RETURN
root# iptables -t nat -A REDSOCKS -d 10.0.0.0/8 -j RETURN
root# iptables -t nat -A REDSOCKS -d 100.64.0.0/10 -j RETURN
root# iptables -t nat -A REDSOCKS -d 127.0.0.0/8 -j RETURN
root# iptables -t nat -A REDSOCKS -d 169.254.0.0/16 -j RETURN
root# iptables -t nat -A REDSOCKS -d 172.16.0.0/12 -j RETURN
root# iptables -t nat -A REDSOCKS -d 192.168.0.0/16 -j RETURN
root# iptables -t nat -A REDSOCKS -d 198.18.0.0/15 -j RETURN
root# iptables -t nat -A REDSOCKS -d 224.0.0.0/4 -j RETURN
root# iptables -t nat -A REDSOCKS -d 240.0.0.0/4 -j RETURN
# Anything else should be redirected to port 12345
root# iptables -t nat -A REDSOCKS -p tcp -j REDIRECT --to-ports 12345
# Any tcp connection made by `luser' should be redirected.
root# iptables -t nat -A OUTPUT -p tcp -m owner --uid-owner luser -j REDSOCKS
# You can also control that in more precise way using `gid-owner` from
# iptables.
root# groupadd socksified
root# usermod --append --groups socksified luser
root# iptables -t nat -A OUTPUT -p tcp -m owner --gid-owner socksified -j REDSOCKS
# Now you can launch your specific application with GID `socksified` and it
# will be... socksified. See following commands (numbers may vary).
# Note: you may have to relogin to apply `usermod` changes.
luser$ id
uid=1000(luser) gid=1000(luser) groups=1000(luser),1001(socksified)
luser$ sg socksified -c id
uid=1000(luser) gid=1001(socksified) groups=1000(luser),1001(socksified)
luser$ sg socksified -c "firefox"
# If you want to configure socksifying router, you should look at
# doc/iptables-packet-flow.png, doc/iptables-packet-flow-ng.png and
# https://en.wikipedia.org/wiki/File:Netfilter-packet-flow.svg
# Note, you should have proper `local_ip' value to get external packets with
# redsocks, default 127.0.0.1 will not go. See iptables(8) manpage regarding
# REDIRECT target for details.
# Depending on your network configuration iptables conf. may be as easy as:
root# iptables -t nat -A PREROUTING --in-interface eth_int -p tcp -j REDSOCKS
```
### Note about GID-based redirection
Keep in mind, that changed GID affects filesystem permissions, so if your
application creates some files, the files will be created with luser:socksified
owner/group. So, if you're not the only user in the group `socksified` and your
umask allows to create group-readable files and your directory permissions, and
so on, blah-blah, etc. THEN you may expose your files to another user.
Ok, you have been warned.
## Homepage
http://darkk.net.ru/redsocks/
Mailing list: [redsocks@librelist.com](mailto:redsocks@librelist.com).
Mailing list also has [archives](http://librelist.com/browser/redsocks/).
## Author
This program was written by Leonid Evdokimov <leon@darkk.net.ru>