redsocks, pdnsd, shadowsocks-libev and proxychains are uploaded to openrepos
pdnsd
pdnsd is needed for dealing with dns poisoning
sample config file for pdnsd (/etc/pdnsd.conf):
Code:
global {
perm_cache=1024;
cache_dir="/var/cache/pdnsd";
# pid_file = /var/run/pdnsd.pid;
run_as="nobody";
server_ip = 127.0.0.1; # Use eth0 here if you want to allow other
server_port = 5353; #Since port 53 is used by connman, pdnsd has to be configured to use another port and the DNS queries will be redirected to it by iptables
# machines on your network to query pdnsd.
status_ctl = on;
paranoid=on; # This option reduces the chance of cache poisoning
# but may make pdnsd less efficient, unfortunately.
query_method=tcp_only;
min_ttl=1h; # Retain cached entries at least 15 minutes.
max_ttl=1w; # One week.
timeout=10; # Global timeout option (10 seconds).
neg_domain_pol=on;
udpbufsize=1024; # Upper limit on the size of UDP messages.
}
# replace this with any dns servers
server {
label= "google";
ip = 8.8.8.8, 8.8.4.4; # Put your ISP’s DNS-server address(es) here.
timeout=4; # Server timeout; this may be much shorter
# that the global timeout option.
uptest=ping; # Test if the network interface is active.
purge_cache=off; # Keep stale cache entries in case the ISP’s
# DNS servers go offline.
edns_query=no; # Use EDNS for outgoing queries to allow UDP messages
# larger than 512 bytes. May cause trouble with some
# legacy systems.
}
source {
owner=localhost;
# serve_aliases=on;
file="/etc/hosts";
}
rr {
name=localhost;
reverse=on;
a=127.0.0.1;
owner=localhost;
soa=localhost,root.localhost,42,86400,900,86400,86400;
}
shadowsocks
shadowsocks is a lightweight and secure socks5 proxy. It can replace the ssh tunnel. Also shadowsocks-libev has ss-redir which works as a transparent proxy, so redsocks is not needed. :D
sample config file for shadowsocks (/home/nemo/.shadowsocks/ss-config.json)
Code:
{
"server":"replace_with_your_server",
"server_port":replace_with_your_server_port,
"local_port":7777,
"password":"replace_with_your_password",
"timeout":600,
"method":"aes-256-cfb"
}
iptables
iptables needs to be set up to redirect the network traffic to our socks proxy. CAUTION: MESSING UP WITH IPTABLES MAY JAM YOUR NETWORK:D
a dirty script for iptables config (iptables-ss.sh)
Code:
#!/bin/sh
PORT=7777
DNSPORT=5353
SERVER=replace_with_your_server
PDNSDCFG=/etc/pdnsd.conf
SSLOG=/dev/null
SSCFG=/home/nemo/.shadowsocks/ss-config.json
if [ "$1" = "start" ] ;then
#echo "Starting pdnsd"
iptables -t nat -F
iptables -t nat -X
pkill -U $USER pdnsd
pdnsd -d -mto -c $PDNSDCFG
iptables -t nat -A OUTPUT -p udp --dport 53 -j REDIRECT --to-ports $DNSPORT #redirect dns queries
#echo "Setting iptables"
iptables -t nat -N SHADOWSOCKS
iptables -t nat -A SHADOWSOCKS -d $SERVER -j RETURN
iptables -t nat -A SHADOWSOCKS -d 0.0.0.0/8 -j RETURN
iptables -t nat -A SHADOWSOCKS -d 10.0.0.0/8 -j RETURN
iptables -t nat -A SHADOWSOCKS -d 127.0.0.0/8 -j RETURN
iptables -t nat -A SHADOWSOCKS -d 169.254.0.0/16 -j RETURN
iptables -t nat -A SHADOWSOCKS -d 172.16.0.0/12 -j RETURN
iptables -t nat -A SHADOWSOCKS -d 192.168.0.0/16 -j RETURN
iptables -t nat -A SHADOWSOCKS -d 224.0.0.0/4 -j RETURN
iptables -t nat -A SHADOWSOCKS -d 240.0.0.0/4 -j RETURN
iptables -t nat -A SHADOWSOCKS -p tcp -j REDIRECT --to-ports $PORT
iptables -t nat -A OUTPUT -p tcp -j SHADOWSOCKS
exit 0;
elif [ "$1" = "stop" ]; then
pkill -U $USER pdnsd
iptables -t nat -F
iptables -t nat -X
exit 0;
elif [ "$1" = "start-ss" ]; then
pkill -U $USER ss-redir
nohup ss-redir -c $SSCFG > $SSLOG &
exit 0;
elif [ "$1" = "stop-ss" ]; then
pkill -U $USER ss-redir
exit 0;
else
exit 1;
fi
iptables-ss.sh start-ss will start shadowsocks and keep it running in the background
iptables-ss.sh start will (re-)start pdnsd and set up iptables rules
iptables-ss.sh stop will do the reverse
iptables-ss.sh stop-ss will kill the shadowsocks process (not really needed)
redsocks
If ssh tunnel is preferred then redsocks is used for creating the transparent proxy.
sample config file (/home/nemo/.redsocks/redsocks.conf)
Code:
base {
// debug: connection progress & client list on SIGUSR1
log_debug = off;
// info: start and end of client session
log_info = on;
/* possible `log' values are:
* stderr
* "file:/path/to/file"
* syslog:FACILITY facility is any of "daemon", "local0"..."local7"
*/
log = "file:/home/nemo/.redsocks/redsocks.log";
// log = "file:/path/to/file";
// log = "syslog:local7";
// detach from console
daemon = on;
/* Change uid, gid and root directory, these options require root
* privilegies on startup.
* Note, your chroot may requre /etc/localtime if you write log to syslog.
* Log is opened before chroot & uid changing.
*/
// user = nobody;
// group = nobody;
// chroot = "/var/chroot";
/* possible `redirector' values are:
* iptables - for Linux
* ipf - for FreeBSD
* pf - for OpenBSD
* generic - some generic redirector that MAY work
*/
redirector = iptables;
}
redsocks {
/* `local_ip' defaults to 127.0.0.1 for security reasons,
* use 0.0.0.0 if you want to listen on every interface.
* `local_*' are used as port to redirect to.
*/
local_ip = 127.0.0.1;
local_port = 12345;
// listen() queue length. Default value is SOMAXCONN and it should be
// good enough for most of us.
// listenq = 128; // SOMAXCONN equals 128 on my Linux box.
// `max_accept_backoff` is a delay to retry `accept()` after accept
// failure (e.g. due to lack of file descriptors). It's measured in
// milliseconds and maximal value is 65535. `min_accept_backoff` is
// used as initial backoff value and as a damper for `accept() after
// close()` logic.
// min_accept_backoff = 100;
// max_accept_backoff = 60000;
// `ip' and `port' are IP and tcp-port of proxy-server
// You can also use hostname instead of IP, only one (random)
// address of multihomed host will be used.
ip = 127.0.0.1;
port = 7777; // the ssh tunneling port
// known types: socks4, socks5, http-connect, http-relay
type = socks5;
}
redudp {
// `local_ip' should not be 0.0.0.0 as it's also used for outgoing
// packets that are sent as replies - and it should be fixed
// if we want NAT to work properly.
local_ip = 127.0.0.1;
local_port = 10053;
// `ip' and `port' of socks5 proxy server.
ip = 127.0.0.1;
port = 7777;
// redsocks knows about two options while redirecting UDP packets at
// linux: TPROXY and REDIRECT. TPROXY requires more complex routing
// configuration and fresh kernel (>= 2.6.37 according to squid
// developers[1]) but has hack-free way to get original destination
// address, REDIRECT is easier to configure, but requires `dest_ip` and
// `dest_port` to be set, limiting packet redirection to single
// destination.
// [1] http://wiki.squid-cache.org/Features/Tproxy4
dest_ip = 8.8.8.8;
dest_port = 53;
udp_timeout = 30;
udp_timeout_stream = 180;
}
dnstc {
// fake and really dumb DNS server that returns "truncated answer" to
// every query via UDP, RFC-compliant resolver should repeat same query
// via TCP in this case.
local_ip = 127.0.0.1;
local_port = 5300;
}
// you can add more `redsocks' and `redudp' sections if you need.
iptables config for redsocks
a dirtier iptables script for redsocks :D (redsocks.sh)
Code:
#!/bin/sh
IPTABLES="/sbin/iptables"
REDSOCKS="/usr/bin/redsocks"
REDSOCKSCFG="/home/nemo/.redsocks/redsocks.conf"
REDSOCKS_PORT="12345" #local_port in $REDSOCKSCFG
PDNSDCFG="/etc/pdnsd.conf"
SERVER="your_ssh_server"
if [ "$1" = "start" ]; then
echo '(Re)starting redsocks...'
pkill -U $USER redsocks 2>/dev/null
sleep 1
$REDSOCKS -c $REDSOCKSCFG
echo '(Re)starting pdnsd'
pkill -U $USER pdnsd 2>/dev/null
pdnsd -d -mto -c $PDNSDCFG
$IPTABLES -t nat -F
$IPTABLES -t nat -X
$IPTABLES -t nat -A OUTPUT -p udp --dport 53 -j REDIRECT --to-ports 5353 #redirect dns queries
$IPTABLES -t nat -D PREROUTING -p tcp -j REDSOCKS_FILTER 2>/dev/null
$IPTABLES -t nat -D OUTPUT -p tcp -j REDSOCKS_FILTER 2>/dev/null
$IPTABLES -t nat -F REDSOCKS_FILTER 2>/dev/null
$IPTABLES -t nat -X REDSOCKS_FILTER 2>/dev/null
$IPTABLES -t nat -F REDSOCKS 2>/dev/null
$IPTABLES -t nat -X REDSOCKS 2>/dev/null
# Create our own chain
$IPTABLES -t nat -N REDSOCKS
$IPTABLES -t nat -N REDSOCKS_FILTER
# Do not try to redirect local traffic
$IPTABLES -t nat -I REDSOCKS_FILTER -o lo -j RETURN
# Do not redirect LAN traffic and some other reserved addresses. (blacklist option)
$IPTABLES -t nat -A REDSOCKS_FILTER -d 0.0.0.0/8 -j RETURN
$IPTABLES -t nat -A REDSOCKS_FILTER -d 10.0.0.0/8 -j RETURN
$IPTABLES -t nat -A REDSOCKS_FILTER -d 127.0.0.0/8 -j RETURN
$IPTABLES -t nat -A REDSOCKS_FILTER -d 169.254.0.0/16 -j RETURN
$IPTABLES -t nat -A REDSOCKS_FILTER -d 172.16.0.0/12 -j RETURN
$IPTABLES -t nat -A REDSOCKS_FILTER -d 192.168.0.0/16 -j RETURN
$IPTABLES -t nat -A REDSOCKS_FILTER -d 224.0.0.0/4 -j RETURN
$IPTABLES -t nat -A REDSOCKS_FILTER -d 240.0.0.0/4 -j RETURN
$IPTABLES -t nat -A REDSOCKS_FILTER -d $SERVER -j RETURN
$IPTABLES -t nat -A REDSOCKS_FILTER -j REDSOCKS
# Redirect all traffic that gets to the end of our chain
$IPTABLES -t nat -A REDSOCKS -p tcp -j REDIRECT --to-port $REDSOCKS_PORT
## Filter all traffic from the own host
## BE CAREFULL HERE IF THE SOCKS-SERVER RUNS ON THIS MACHINE
$IPTABLES -t nat -A OUTPUT -p tcp -j REDSOCKS_FILTER
# Filter all traffic that is routed over this host
$IPTABLES -t nat -A PREROUTING -p tcp -j REDSOCKS_FILTER
echo IPtables reconfigured.
exit 0;
elif [ "$1" = "stop" ]; then
$IPTABLES -t nat -F
$IPTABLES -t nat -X
killall redsocks
killall pdnsd
exit 0;
else
exit 1;
fi
(set up an ssh tunnel first)
redsocks.sh start : start redsocks, pdnsd and set up iptables rules
redsocks.sh stop : undo everything
Proxychains
proxychains is a hook preloader that allows to redirect TCP traffic of existing dynamically linked programs through one or more SOCKS or HTTP proxies.
It can be used to launch a single app whose traffic will go through a chains of proxies defined in /etc/proxychains.conf (default is 127.0.0.1:9050 for tor). Domain names are resolved in the proxy side.
Usage example:
Code:
proxychains4 sailfish-browser
Works fine with ssh tunnel and ss-local, but does not work with ss-redir
issues
No gui (yet) :p
The network gets jammed after switching from wifi to 3g or vice versa. The iptables scripts need to be restarted after every network switching. Not sure about the cause, maybe the rules are messed up after all...:confused: