Setup iptables for RedSocks in OpenWRT
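base {
	// debug: connection progress & client list on SIGUSR1
	log_debug = on;
	// info: start and end of client session
	log_info = on;
	/* possible `log' values are:
	 *   stderr
	 *   file:/path/to/file
	 *   syslog:FACILITY  facility is any of "daemon", "local0"..."local7"
	 */
	log = stderr;
	// detach from console; off while debugging so the log lands in the terminal
	daemon = off;
	/* Drop privileges after startup. redsocks has to be started as root for
	 * these to take effect (it is, from the OpenWrt console), but nothing it
	 * does afterwards needs root: both listeners below are on unprivileged
	 * ports (12345, 10053) and reading the original destination via
	 * SO_ORIGINAL_DST needs no capability. `nogroup' is the group of uid
	 * `nobody' (65534) on OpenWrt; use whatever /etc/group calls it elsewhere
	 * -- a wrong name makes redsocks refuse to start, which is the safe
	 * failure. Log is opened before chroot & uid changing; a chroot needs
	 * /etc/localtime if the log goes to syslog.
	 */
	user = nobody;
	group = nogroup;
	// chroot = "/var/chroot";
	/* possible `redirector' values are:
	 *   iptables - for Linux
	 *   ipf      - for FreeBSD
	 *   pf       - for OpenBSD
	 *   generic  - some generic redirector that MAY work
	 */
	redirector = iptables;
}

redsocks {
	/* `local_ip' / `local_port' are where the iptables rules deliver the
	 * redirected connections. The default 127.0.0.1 is the safe choice and
	 * is all the `DNAT --to-destination 127.0.0.1:12345' rule in
	 * setup-iptables.sh needs; 0.0.0.0 is only required with the REDIRECT
	 * form, which rewrites packets to the address of the interface they
	 * arrived on. 0.0.0.0 also binds the WAN side: confirm the firewall's
	 * input policy from wan drops port 12345, or bind the LAN address only.
	 */
	local_ip = 0.0.0.0;
	local_port = 12345;
	// `ip' and `port' are IP and tcp-port of proxy-server (here: ssh -D1080)
	ip = 127.0.0.1;
	port = 1080;
	// known types: socks4, socks5, http-connect, http-relay
	type = socks5;
	// If the proxy needs credentials they are stored here in clear text:
	// keep this file readable by root only (chmod 600).
	// login = "foobar";
	// password = "baz";
}

redudp {
	/* NOTE: this section is inert behind `ssh -D'. OpenSSH's SOCKS5 proxy
	 * implements only the CONNECT command, and redudp needs UDP ASSOCIATE,
	 * so the DNS forwarding configured below cannot be carried by that
	 * tunnel -- which is also why setup-iptables.sh redirects TCP only and
	 * UDP DNS leaves the router unproxied. It only does something with a
	 * SOCKS5 server that supports UDP ASSOCIATE.
	 *
	 * `local_ip' should not be 0.0.0.0 as it's also used for outgoing
	 * packets that are sent as replies - and it should be fixed
	 * if we want NAT to work properly.
	 */
	local_ip = 127.0.0.1;
	local_port = 10053;
	// `ip' and `port' of socks5 proxy server.
	ip = 127.0.0.1;
	port = 1080;
	//login = username;
	//password = pazzw0rd;
	// kernel does not give us this information, so we have to duplicate it
	// in both iptables rules and configuration file. By the way, you can
	// set `local_ip' to 127.45.67.89 if you need more than 65535 ports to
	// forward ;-)
	// This limitation may be relaxed in future versions using contrack-tools.
	dest_ip = 8.8.8.8;
	dest_port = 53;
	udp_timeout = 30;
	udp_timeout_stream = 180;
}
// you can add more `redsocks' and `redudp' sections if you need.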
# at terminal 1
# Start the SOCKS5 proxy that redsocks.conf points at (ip = 127.0.0.1, port = 1080).
# ssh -D binds to localhost by default; keep it that way so the SOCKS port is not
# reachable from the LAN. The tunnel is only as trustworthy as the host-key check:
# verify the server's fingerprint on the first connect rather than accepting it blindly.
# Start this BEFORE loading the iptables rules: the established connection is untouched
# by later NAT rules, but a reconnect to `server' would itself be redirected into redsocks
# unless that address is excluded from the REDSOCKS chain.
ssh -D1080 username@server -p443
# at terminal 2
# Runs in the foreground (daemon = off, log = stderr in redsocks.conf).
./redsocks -c redsocks.conf
# no log texts appear after running redsocks!!
# Expected: log_info only reports the start/end of a client session, and no
# connection reaches redsocks until the iptables rules below are loaded.
# at terminal 3
# Sourced rather than executed, so it runs in this shell. Run it once: the script
# deletes the chain with -X before flushing it, so on a re-run that step fails and the
# -I rules at the end are added a second time, duplicating the jumps.
. setup-iptables.sh
# all runs fine
# at terminal 4: minicom tty via serial port
# a bunch of LOGs from iptables appear
# These are the "rs " LOG rule firing once per outbound SYN. They exist for debugging
# only and flood a serial console; drop that rule once traffic flows.
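#!/bin/sh
# setup-iptables.sh -- send TCP from the LAN and from the router itself into
# redsocks on 127.0.0.1:12345 (`local_port' in redsocks.conf).
#
# Safe to run more than once: the jump rules and the REDSOCKS chain left by a
# previous run are removed before being rebuilt. Requires root. The rules are
# not persistent -- the OpenWrt firewall rebuilds the nat table when it
# reloads, so re-run this afterwards.

# Address (or CIDR) of the SOCKS server that `ssh -D' connects to. It MUST be
# excluded from redirection, otherwise the router's own ssh connection is
# pushed into redsocks, which tries to reach the proxy through the tunnel it
# is part of, and the tunnel can never (re)connect. The original script only
# had a commented-out placeholder for this (122.248.x.x/31). Empty = no rule.
PROXY_HOST="${PROXY_HOST:-}"

# LAN clients whose TCP is redirected. The original used 192.168.1.0/22, which
# is not on a /22 boundary; iptables silently masks it to 192.168.0.0/22, so
# that is what is kept here to preserve behaviour. Tighten it to the real LAN
# prefix (192.168.1.0/24 on a stock OpenWrt) so only intended hosts are proxied.
LAN_NET="${LAN_NET:-192.168.0.0/22}"

# Tear down the previous run. Jump rules go first: `-X' refuses to delete a
# chain that is still referenced or non-empty, which is why the original
# `-X' (run before any flush) failed on re-runs and duplicate rules piled up.
# Errors here are expected on a fresh system.
iptables -t nat -D OUTPUT -p tcp -j REDSOCKS 2>/dev/null
iptables -t nat -D PREROUTING -p tcp -s "$LAN_NET" -j REDSOCKS 2>/dev/null
iptables -t nat -F REDSOCKS 2>/dev/null
iptables -t nat -X REDSOCKS 2>/dev/null
iptables -t nat -N REDSOCKS

# Leave LANs and other reserved / non-routable ranges alone. These must RETURN
# before the DNAT below, or local traffic (including the router's own services
# and the 127.0.0.1:1080 SOCKS hop redsocks uses) would be sent to the proxy.
# The original's extra `10.10.1.0/22' entry is dropped: it lies inside 10.0.0.0/8.
for net in 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 \
           172.16.0.0/12 192.168.0.0/16 224.0.0.0/4 240.0.0.0/4; do
    iptables -t nat -A REDSOCKS -d "$net" -j RETURN
done

# The proxy server itself is always reached directly, never through redsocks.
if [ -n "$PROXY_HOST" ]; then
    iptables -t nat -A REDSOCKS -d "$PROXY_HOST" -j RETURN
fi

# Debug trace: one kernel log line per redirected connection attempt (SYN).
# Noisy on a serial console; comment out once things work.
iptables -t nat -A REDSOCKS -p tcp --syn -j LOG --log-level info --log-prefix "rs "

# Everything else goes to redsocks. DNAT to loopback is fine for the OUTPUT
# chain (the router's own traffic). For PREROUTING (LAN clients) the kernel
# discards packets rewritten to 127.0.0.1 unless
# net.ipv4.conf.<lan-if>.route_localnet=1 (sysctl added in Linux 3.6) is set;
# that sysctl makes 127.0.0.0/8 reachable from the LAN, so if forwarded
# traffic does not arrive, prefer the REDIRECT form below -- it rewrites to
# the address of the receiving interface, which redsocks.conf already covers
# by listening on 0.0.0.0 -- rather than loosening loopback isolation.
#iptables -t nat -A REDSOCKS -p tcp -j REDIRECT --to-ports 12345
iptables -t nat -A REDSOCKS -p tcp -j DNAT --to-destination 127.0.0.1:12345

# DNAT is a terminating target, so a TCP SYN only reaches this rule if the one
# above did not apply; it should never log.
iptables -t nat -A REDSOCKS -p tcp --syn -j LOG --log-level info --log-prefix "err "

# Hook the chain in: the router's own TCP (OUTPUT) and the LAN's (PREROUTING).
# Only TCP is handled. UDP -- DNS in particular -- is NOT redirected and leaves
# the router unproxied; an `ssh -D' SOCKS proxy cannot carry UDP anyway (it
# implements only CONNECT), so keeping DNS in the tunnel needs a resolver path
# that uses TCP, which these rules will then redirect.
iptables -t nat -I OUTPUT 1 -p tcp -j REDSOCKS
iptables -t nat -I PREROUTING 1 -p tcp -s "$LAN_NET" -j REDSOCKS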
DNS is UDP, and these iptables rules are explicitly `-p tcp`, so DNS queries bypass the proxy entirely. Adding `-p udp` rules that feed the `redudp` section is only part of the answer, though: OpenSSH's `-D` SOCKS proxy implements only the CONNECT command, not UDP ASSOCIATE, so UDP cannot be carried over this tunnel at all. To keep DNS inside the tunnel you need a resolver path that uses TCP (for example a local forwarder that queries its upstream over TCP, which the existing `-p tcp` rules will then redirect) or a tunnel type that carries UDP.
I get a DNS leak with this iptables configuration. I have an SSH account in Singapore that I use for the tunnel, but when I check at
https://dnsleaktest.com/
the resolver shown is still my own country's DNS, whereas it should be in Singapore, the same country as my SSH tunnel. How can I fix that? I'm also running OpenWrt.