[FEATURE] Transparent Proxy Support #190

Closed · 2 tasks done
zonyitoo opened this issue Jan 30, 2020 · 19 comments


zonyitoo (Collaborator) commented Jan 30, 2020

It should work the same as shadowsocks-libev's ss-redir.

Supported Platforms:

  • Linux
  • OS X - There is no easy way to implement transparent proxies on OS X
  • Windows

TODOs

  • TCP
  • UDP
zonyitoo (Collaborator, Author) commented

FIXME: rust-lang/libc#1650

Missing IP6T_SO_ORIGINAL_DST.

zonyitoo (Collaborator, Author) commented Jan 30, 2020

Related to some discussions in #119

zonyitoo (Collaborator, Author) commented Feb 2, 2020

TCP and UDP redir support is all done and tested on Linux.

FreeBSD is supported but untested.

I cannot find any official reference on how to build transparent proxies on Windows and Mac OS X.

@zonyitoo zonyitoo closed this as completed Feb 2, 2020
@zonyitoo zonyitoo self-assigned this Feb 2, 2020
abcfy2 (Contributor) commented Sep 16, 2020

Was ssredir removed? I don't see it in `cargo install`, but looking at the committed source it seems a separate ssredir binary gets built?

zonyitoo (Collaborator, Author) commented

Already merged into sslocal. Run it with

$ sslocal --protocol redir

abcfy2 (Contributor) commented Sep 17, 2020

cargo install shadowsocks-rust
sslocal -c /tmp/ss.conf --protocol redir
error: 'redir' isn't a valid value for '--protocol <PROTOCOL>'
        [possible values: http, https, socks4, socks5, tunnel]


USAGE:
    sslocal --config <CONFIG> --protocol <PROTOCOL>

For more information try --help

Am I wrong?

zonyitoo (Collaborator, Author) commented

cargo install --features local-redir shadowsocks-rust

abcfy2 (Contributor) commented Sep 17, 2020

Great, it's working. Thanks.

debiansid commented

I cannot make it work via iptables_tproxy.sh on my Linux router.
libev works like a charm.

zonyitoo (Collaborator, Author) commented Jan 7, 2021

Just a hint: does your sslocal listen on 0.0.0.0?

debiansid commented

> Just a hint: does your sslocal listen on 0.0.0.0?

For sure, sir:
/usr/bin/sslocal --log-without-time -c /etc/shadowsocks-rust/redir.json -b 0.0.0.0:1080 --protocol redir

debiansid commented Jan 7, 2021

mangle table content:

Chain SS (1 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/8
RETURN     all  --  0.0.0.0/0            127.0.0.0/8
RETURN     all  --  0.0.0.0/0            10.0.0.0/8
RETURN     all  --  0.0.0.0/0            169.254.0.0/16
RETURN     all  --  0.0.0.0/0            ss-server ip
RETURN     all  --  0.0.0.0/0            172.16.0.0/12
RETURN     all  --  0.0.0.0/0            192.168.0.0/16
RETURN     all  --  0.0.0.0/0            224.0.0.0/4
RETURN     all  --  0.0.0.0/0            240.0.0.0/4
TPROXY     udp  --  0.0.0.0/0            0.0.0.0/0            TPROXY redirect 0.0.0.0:1080 mark 0x2333/0xffffffff
TPROXY     tcp  --  0.0.0.0/0            0.0.0.0/0            TPROXY redirect 0.0.0.0:1080 mark 0x2333/0xffffffff

Chain SS-MASK (1 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/8
RETURN     all  --  0.0.0.0/0            127.0.0.0/8
RETURN     all  --  0.0.0.0/0            10.0.0.0/8
RETURN     all  --  0.0.0.0/0            ss-server ip
RETURN     all  --  0.0.0.0/0            169.254.0.0/16
RETURN     all  --  0.0.0.0/0            172.16.0.0/12
RETURN     all  --  0.0.0.0/0            192.168.0.0/16
RETURN     all  --  0.0.0.0/0            224.0.0.0/4
RETURN     all  --  0.0.0.0/0            240.0.0.0/4
RETURN     all  --  0.0.0.0/0            0.0.0.0/0            mark match 0xff
MARK       udp  --  0.0.0.0/0            0.0.0.0/0            MARK set 0x2333
MARK       tcp  --  0.0.0.0/0            0.0.0.0/0            MARK set 0x2333

zonyitoo (Collaborator, Author) commented Jan 7, 2021

/usr/bin/sslocal --log-without-time -c /etc/shadowsocks-rust/redir.json -b 0.0.0.0:1080 --protocol redir --tcp-redir tproxy --udp-redir tproxy

You have to start it with TCP to run in TPROXY mode.

debiansid commented

No luck:

vyos@vyos:~$ /usr/bin/sslocal --log-without-time -c /etc/shadowsocks-rust/redir.json -b 0.0.0.0:1080 --protocol redir --tcp-redir tproxy --udp-redir tproxy
INFO  shadowsocks 1.9.0
thread 'main' panicked at 'aborted with Operation not permitted (os error 1)', bin/sslocal.rs:420:45
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
Aborted

debiansid commented

My bad, it works under root.
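As an added example (not shadowsocks-rust's code), this is what the two redir modes discussed above mean at the socket level: in nat/REDIRECT mode the client's original destination is recovered with SO_ORIGINAL_DST, in mangle/TPROXY mode it is simply the accepted socket's own local address, and the IP_TRANSPARENT option that TPROXY delivery relies on requires CAP_NET_ADMIN, which is the "Operation not permitted" behind the abort seen when sslocal was started as a non-root user. The function names and the 8.8.8.8:53 sample record are constructed for illustration.

```python
import errno
import socket
import struct

# Linux kernel values; Python does not expose SO_ORIGINAL_DST and some builds
# lack IP_TRANSPARENT, so fall back to the numeric constants.
SO_ORIGINAL_DST = 80                                    # <linux/netfilter_ipv4.h>
IP_TRANSPARENT = getattr(socket, "IP_TRANSPARENT", 19)  # <linux/in.h>
SOL_IP = getattr(socket, "SOL_IP", 0)

def parse_sockaddr_in(raw: bytes) -> tuple[str, int]:
    """Decode a struct sockaddr_in (what SO_ORIGINAL_DST returns) into (ip, port).
    Layout: sa_family_t (host order), sin_port and sin_addr (network order), 8 pad bytes."""
    if len(raw) < 8:
        raise ValueError("sockaddr_in too short: %d bytes" % len(raw))
    family = struct.unpack_from("=H", raw, 0)[0]
    if family != socket.AF_INET:
        raise ValueError("not an AF_INET address (family %d)" % family)
    port = struct.unpack_from("!H", raw, 2)[0]
    return socket.inet_ntoa(raw[4:8]), port

def original_dst_redirect(conn: socket.socket) -> tuple[str, int]:
    """nat/REDIRECT mode: DNAT rewrote the destination to our listener, so the
    pre-NAT address survives only in conntrack and is read via SO_ORIGINAL_DST."""
    return parse_sockaddr_in(conn.getsockopt(SOL_IP, SO_ORIGINAL_DST, 16))

def original_dst_tproxy(conn: socket.socket) -> tuple[str, int]:
    """mangle/TPROXY mode: the packet reaches the transparent socket unmodified,
    so the accepted connection's local address *is* the client's real destination."""
    host, port = conn.getsockname()[:2]
    return host, port

def tproxy_listener(bind_host: str, port: int) -> socket.socket:
    """Open the TCP listener that TPROXY delivers to (bind 0.0.0.0 so any destination matches)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    try:
        sock.setsockopt(SOL_IP, IP_TRANSPARENT, 1)  # EPERM without CAP_NET_ADMIN
    except PermissionError as exc:
        sock.close()
        raise PermissionError(errno.EPERM, "IP_TRANSPARENT requires CAP_NET_ADMIN") from exc
    sock.bind((bind_host, port))
    sock.listen(128)
    return sock

# Constructed sample: the sockaddr_in the kernel would hand back for a connection
# that was originally headed to 8.8.8.8:53 (the DNS case mentioned in this thread).
SAMPLE_ORIGINAL_DST = (struct.pack("=H", socket.AF_INET) + struct.pack("!H", 53)
                       + socket.inet_aton("8.8.8.8") + bytes(8))
```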

debiansid commented

I still can't make the script work. My purpose is:
1. tunnel 127.0.0.1:40 to 8.8.8.8:53 to make DNS queries
2. redir TCP/UDP to destinations outside China via tproxy.
I was able to achieve that using ss-libev. No clue under ss-rust.

zonyitoo (Collaborator, Author) commented Jan 7, 2021

What did you do? How can I reproduce it?

debiansid commented Jan 7, 2021

PPPoE connection to CT. My script:

#!/bin/sh
ipset -N china hash:net
for subnet in `cat /config/user-data/iptables/china.txt`; do ipset add china $subnet; done
ipset -N google hash:net
for subnet in `cat /config/user-data/iptables/google.txt`; do ipset add google $subnet; done

#
/usr/sbin/modprobe ip_tables
/usr/sbin/modprobe ip_conntrack
/usr/sbin/modprobe iptable_filter
/usr/sbin/modprobe iptable_mangle
/usr/sbin/modprobe iptable_nat
/usr/sbin/modprobe ipt_LOG
/usr/sbin/modprobe ipt_limit
/usr/sbin/modprobe ipt_state

iptables-legacy -t mangle -N SS

# It's very IMPORTANT, just be careful.
for i in `cat /config/user-data/iptables/localips`; do
iptables-legacy -t mangle -A SS -d $i -j RETURN -m mark --mark 0xff
iptables-legacy -t mangle -A SS_MARK -d $i -j RETURN -m mark --mark 0xff
done

# Redirect google
#iptables-legacy -t nat -A SHADOWSOCKS -p tcp -m set --match-set google dst -j REDIRECT --to-port 1082
#iptables-legacy -t nat -A SHADOWSOCKS_MARK -p tcp -m set --match-set google dst -j MARK --set-mark 1

# Redirect Hulu
#iptables-legacy -t nat -A SHADOWSOCKS -p tcp -m set --match-set hulu dst -j REDIRECT --to-port 1081
#iptables-legacy -t nat -A SHADOWSOCKS_MARK -p tcp -m set --match-set hulu dst -j MARK --set-mark 1

# Ignore CHN route list
iptables-legacy -t mangle -A SS -m set --match-set china dst -j RETURN -m mark --mark 0xff
iptables-legacy -t mangle -A SS_MARK -m set --match-set china dst -j RETURN -m mark --mark 0xff

##############################################
# FULLCONENAT Rules
iptables-legacy -t nat -I POSTROUTING -o pppoe0 -j FULLCONENAT
iptables-legacy -t nat -I PREROUTING -i pppoe0 -j FULLCONENAT
iptables-legacy -t nat -I PREROUTING -i eth0 -j FULLCONENAT
iptables-legacy -t nat -I PREROUTING -i eth2 -j FULLCONENAT
iptables-legacy -t nat -I PREROUTING -i wg0 -j FULLCONENAT

##############################################

# Strategy Route
ip -4 route add local 0/0 dev lo table 100
ip -4 rule add fwmark 0x2333 table 100
#ip -6 route add local ::/0 dev lo table 100
#ip -6 rule add fwmark 0x2333 table 100

#ip6tables -t mangle -N SS

# TPROXY TCP/UDP mark 0x2333 to port 1080
iptables-legacy -t mangle -A SS -p udp -j TPROXY --on-port 1080 --tproxy-mark 0x2333
iptables-legacy -t mangle -A SS -p tcp -j TPROXY --on-port 1080 --tproxy-mark 0x2333
#ip6tables -t mangle -A SS -p udp -j TPROXY --on-port 1080 --tproxy-mark 0x2333
#ip6tables -t mangle -A SS -p tcp -j TPROXY --on-port 1080 --tproxy-mark 0x2333

# Apply
iptables-legacy -t mangle -A PREROUTING -j SS
#ip6tables -t mangle -A PREROUTING -j SS

Now TCP/UDP does not go through tproxy.

zonyitoo (Collaborator, Author) commented Jan 8, 2021

It has some differences from my script; I don't know whether these differences would be an issue.
