Iptables – How a Transparent SOCKS Proxy Determines Destination IP

iptablesPROXYsockstor

There are two SOCKS proxies that I know about that support transparent proxying for any outgoing TCP connection: Tor and redsocks. Unlike HTTP proxies, these SOCKS proxies can transparently proxy any outgoing TCP connection, including encrypted protocols and protocols without metadata or headers.

Both of these proxies require the use of NAT to redirect any outgoing TCP traffic to the proxy's local port. For instance, if I am running Tor with TransPort 9040 on my local machine, I would need to add an iptables rule like this:

iptables -t nat -A OUTPUT -p tcp -j REDIRECT --to-port 9040

To my knowledge, this would replace the original destination IP and port with 127.0.0.1 and 9040, so given that this is an encrypted stream (like SSH) or one without headers (like whois), how does the proxy know the original destination IP and port?

Best Answer

Here is how it does it:

static int getdestaddr_iptables(int fd, const struct sockaddr_in *client, const struct sockaddr_in *bindaddr, struct sockaddr_in *destaddr)
{
        socklen_t socklen = sizeof(*destaddr);
        int error;

        error = getsockopt(fd, SOL_IP, SO_ORIGINAL_DST, destaddr, &socklen);
        if (error) {
                log_errno(LOG_WARNING, "getsockopt");
                return -1;
        }
        return 0;
}

iptables overrites the original destination address but it remembers the old one. The application code can then fetch it by asking for a special socket option, SO_ORIGINAL_DST.

Related Solutions

IPTables and transparent proxies

Both parts of your question are linked.

Part (1) captures a SYN packet and redirects it as you suggest. From this point conntrack (2) takes over and recognises that each subsequent packet in that stream is part of the same connection and redirects it in the same way as the original SYN packet.

An overview of Connection Tracking can be found at http://en.wikipedia.org/wiki/Netfilter#Connection_Tracking

Redirect ALL packets from eth1 & eth2 through a SOCKS proxy

First, you need tun2socks (often a part of the 'badvpn' package). tun2socks sets up a virtual interface which you can route traffic through, and that traffic will get sent through the target socks proxy.

Setting it up gets a little tricky as you only want to route certain traffic through the tunnel.

This script should do what you want:

#!/bin/bash
socks_server=127.0.0.1:8080

id="$RANDOM"
tun="$(printf 'tun%04x' "$id")"
ip tuntap add dev $tun mode tun
ip link set $tun up
ip addr add 169.254.1.1/30 dev $tun
sysctl -w net.ipv4.conf.$tun.forwarding=1
ip rule add fwmark $id lookup $id
ip route add default via 169.254.1.2 table $id
iptables -t mangle -I PREROUTING -i eth1 -p tcp -j MARK --set-mark $id
iptables -t mangle -I PREROUTING -i eth2 -p tcp -j MARK --set-mark $id
badvpn-tun2socks --tundev $tun --netif-ipaddr 169.254.1.2 --netif-netmask 255.255.255.252 --socks-server-addr $socks_server

iptables -t mangle -D PREROUTING -i eth2 -p tcp -j MARK --set-mark $id
iptables -t mangle -D PREROUTING -i eth1 -p tcp -j MARK --set-mark $id
ip route del default via 169.254.1.2 table $id
ip rule del from fwmark $id lookup $id
ip tuntap del dev $tun mode tun

Explanation:

socks_server=127.0.0.1:8080

This is the socks server we will use.

id="$RANDOM"
tun="$(printf 'tun%04x' "$id")"

These generate a random ID to use for the tunnel. Since you may have other tunnels on the system, we can't just use tun0 or tun1. 99% of the time this will work fine. Adjust accordingly though.

ip tuntap add dev $tun mode tun
ip link set $tun up
ip addr add 169.254.1.1/30 dev $tun
sysctl -w net.ipv4.conf.$tun.forwarding=1

These set up the tunnel interface tun2socks will use.

ip rule add fwmark $id lookup $id
ip route add default via 169.254.1.2 table $id

These create a routing table with a single rule which sends any traffic with firewall mark $id (covered next) through the tunnel.

iptables -t mangle -I PREROUTING -i eth1 -p tcp -j MARK --set-mark $id
iptables -t mangle -I PREROUTING -i eth2 -p tcp -j MARK --set-mark $id

These set firewall mark $id on any TCP packets coming in eth1 or eth2. We only want to match TCP. Socks can't handle UDP or ICMP (tun2socks does have a way to forward UDP, but it's more complicated, and so I'm leaving it out).

badvpn-tun2socks --tundev $tun --netif-ipaddr 169.254.1.2 --netif-netmask 255.255.255.252 --socks-server-addr $socks_server

This starts tun2socks up. It'll sit in the foreground until terminated.

iptables -t mangle -D PREROUTING -i eth2 -p tcp -j MARK --set-mark $id
iptables -t mangle -D PREROUTING -i eth1 -p tcp -j MARK --set-mark $id
ip route del default via 169.254.1.2 table $id
ip rule del from fwmark $id lookup $id
ip tuntap del dev $tun mode tun

These tear down everything we created during the setup process. They will only run once badvpn-tun2socks exits.

Best Answer

Related Solutions

IPTables and transparent proxies

Redirect ALL packets from eth1 & eth2 through a SOCKS proxy

Explanation:

Related Question