使用 iptables 通过 redsocks 服务进行的 HTTP 流量不起作用

使用 iptables 通过 redsocks 服务进行的 HTTP 流量不起作用

我正在尝试将我计算机的所有流量重定向到端口 12345 上的本地 redsocks 服务。尽管 https 可以正常工作,但由于某种原因 http 似乎无法正常工作。

/etc/redsocks.conf

base {
    log_debug = on;
    log_info = on;
    log = "file:/var/log/redsocks.log";

    daemon = on;

    redirector = iptables;
}

redsocks {

    local_ip = 0.0.0.0;
    local_port = 12345;

    ip = proxy.uclv.cu;
    port = 3128;

    type = http-connect;

    login = "MyUser";
    password = "MyPassword";
}

iptables 配置

iptables -t nat -N REDSOCKS

iptables -t nat -A REDSOCKS -d 0.0.0.0/8 -j RETURN
iptables -t nat -A REDSOCKS -d 10.0.0.0/8 -j RETURN
iptables -t nat -A REDSOCKS -d 100.64.0.0/10 -j RETURN
iptables -t nat -A REDSOCKS -d 127.0.0.0/8 -j RETURN
iptables -t nat -A REDSOCKS -d 169.254.0.0/16 -j RETURN
iptables -t nat -A REDSOCKS -d 172.16.0.0/12 -j RETURN
iptables -t nat -A REDSOCKS -d 192.168.0.0/16 -j RETURN
iptables -t nat -A REDSOCKS -d 198.18.0.0/15 -j RETURN
iptables -t nat -A REDSOCKS -d 224.0.0.0/4 -j RETURN
iptables -t nat -A REDSOCKS -d 240.0.0.0/4 -j RETURN

# Anything should be redirected to port 12345
iptables -t nat -A REDSOCKS -p tcp -j REDIRECT --to-ports 12345

# Any tcp connection should be redirected to REDSOCKS chain
iptables -t nat -A OUTPUT -p tcp -j REDSOCKS

执行命令 sudo iptables -v -x -n -L

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination         

执行命令 sudo iptables -t nat -nL

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
REDSOCKS   tcp  --  0.0.0.0/0            0.0.0.0/0           

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         

Chain REDSOCKS (1 references)
target     prot opt source               destination         
RETURN     all  --  0.0.0.0/0            0.0.0.0/8           
RETURN     all  --  0.0.0.0/0            10.0.0.0/8          
RETURN     all  --  0.0.0.0/0            100.64.0.0/10       
RETURN     all  --  0.0.0.0/0            127.0.0.0/8         
RETURN     all  --  0.0.0.0/0            169.254.0.0/16      
RETURN     all  --  0.0.0.0/0            172.16.0.0/12       
RETURN     all  --  0.0.0.0/0            192.168.0.0/16      
RETURN     all  --  0.0.0.0/0            198.18.0.0/15       
RETURN     all  --  0.0.0.0/0            224.0.0.0/4         
RETURN     all  --  0.0.0.0/0            240.0.0.0/4         
REDIRECT   tcp  --  0.0.0.0/0            0.0.0.0/0            redir ports 12345

如果我尝试使用 https 网站,例如https://google.com它可以工作。但如果它是一个网站http://archive.ubuntu.com/ubuntu/但事实并非如此。

但是,如果我在 redsocks 配置文件中将 http-connect 更改为 http-relay,则会发生相反的情况。

有什么方法可以让 http 和 https 同时工作吗?

答案1

redsocks2 网站 (https://github.com/semigodking/redsocks)可能解释了你的问题。此示例必须包含在配置文件中。我逐字引用:

为了使 redsocks2 与 GoAgent 代理配合使用,您需要将代理类型分别设置为 HTTP 协议的“http-relay”和 HTTPS 协议的“http-connect”。假设您的 goagent 本地代理与 redsocks2 运行在同一个服务器上,将连接转发到 GoAgent 的配置如下:

    redsocks {
     bind = "192.168.1.1:1081"; //HTTP should be redirect to this port.
     relay = "192.168.1.1:8080";
     type = http-relay; // Must be 'htt-relay' for HTTP traffic.
     autoproxy = 1; // I want autoproxy feature enabled on this section.
     // timeout is meaningful when 'autoproxy' is non-zero.
     // It specified timeout value when trying to connect to destination
     // directly. Default is 10 seconds. When it is set to 0, default
     // timeout value will be used.
     timeout = 13;
    }
    redsocks {
     bind = "192.168.1.1:1082"; //HTTPS should be redirect to this port.
     relay = "192.168.1.1:8080";
     type = http-connect; // Must be 'htt-connect' for HTTPS traffic.
     autoproxy = 1; // I want autoproxy feature enabled on this section.
     // timeout is meaningful when 'autoproxy' is non-zero.
     // It specified timeout value when trying to connect to destination
     // directly. Default is 10 seconds. When it is set to 0, default
     // timeout value will be used.
     timeout = 13;
     }

答案2

我使用了 transocks (https://github.com/cybozu-go/transocks)而不是 redsocks,我的 iptables 配置如下所示:

https://gist.github.com/andersondanilo/a28e7165fa8a9700d8ead20a224ecf44

transocks 配置示例:

listen = "0.0.0.0:12345"

# Connect to HTTP Proxy
proxy_url = "http://USER:PASS@HOST:80"

# Connect to socks5 Proxy (you can create with ssh)
# proxy_url = "socks5://10.20.30.40:1080" 

[log]
level = "info"

配置 iptables 的脚本:

#!/usr/bin/bash

# Transocks: https://github.com/cybozu-go/transocks
# 1. Install: go get -u github.com/cybozu-go/transocks/...
# Note: depending on your vension of go, you will need the env: GO111MODULE=on
# 2. Create a "transocks" user
# 3. Execute: sudo -u transocks $HOME/go/bin/transocks -f transocks.toml

set -e
stty -echoctl

# Point to the transparent socket port (running in an exclusive user)
TRANSOCKS_PORT=12345
TRANSOCKS_USER=transocks

# Redirect all the network of your computer (except transocks user)
REDIRECT_LOCAL_NETWORK=1

# Redirect access point (wifi hotspot)
AP_SUBNET_ENABLED=1
AP_SUBNET_IFACE=ap0
AP_SUBNET_RANGE="192.168.12.0/24"

function action_up()
{
    echo "-----------------------------"
    echo "# Adding iptables chain rules"
    echo "-----------------------------"
    iptables -v -t nat -N TRANSOCKS
    iptables -v -t nat -A TRANSOCKS -d 0.0.0.0/8 -j RETURN
    iptables -v -t nat -A TRANSOCKS -d 10.0.0.0/8 -j RETURN
    iptables -v -t nat -A TRANSOCKS -d 100.64.0.0/10 -j RETURN
    iptables -v -t nat -A TRANSOCKS -d 127.0.0.0/8 -j RETURN
    iptables -v -t nat -A TRANSOCKS -d 169.254.0.0/16 -j RETURN
    iptables -v -t nat -A TRANSOCKS -d 172.16.0.0/12 -j RETURN
    iptables -v -t nat -A TRANSOCKS -d 192.168.0.0/16 -j RETURN
    iptables -v -t nat -A TRANSOCKS -d 198.18.0.0/15 -j RETURN
    iptables -v -t nat -A TRANSOCKS -d 224.0.0.0/4 -j RETURN
    iptables -v -t nat -A TRANSOCKS -d 240.0.0.0/4 -j RETURN
    iptables -v -t nat -A TRANSOCKS -p tcp -j REDIRECT --to-ports $TRANSOCKS_PORT

    if [ "$REDIRECT_LOCAL_NETWORK" = 1 ]; then
        echo "--------------------------------"
        echo "# Redirecting non-transocks user"
        echo "--------------------------------"
        iptables -v -t nat -A OUTPUT -p tcp -m owner ! --uid-owner $TRANSOCKS_USER -j TRANSOCKS
    fi

    if [ "$AP_SUBNET_ENABLED" = 1 ]; then
        echo "-----------------------"
        echo "# Redirecting AP subnet"
        echo "-----------------------"
        iptables -v -t nat -I PREROUTING -i $AP_SUBNET_IFACE -s $AP_SUBNET_RANGE -j TRANSOCKS
        iptables -v -I INPUT -i $AP_SUBNET_IFACE -s $AP_SUBNET_RANGE -p tcp -m tcp --dport $TRANSOCKS_PORT -j ACCEPT
    fi
}

function action_down()
{
    if [ "$REDIRECT_LOCAL_NETWORK" = 1 ]; then
        echo "------------------------------"
        echo "# Cleaning non-transocks rules"
        echo "------------------------------"
        iptables -v -t nat -D OUTPUT -p tcp -m owner ! --uid-owner $TRANSOCKS_USER -j TRANSOCKS
    fi

    if [ "$AP_SUBNET_ENABLED" = 1 ]; then
        echo "--------------------------"
        echo "# Cleaning AP subnet rules"
        echo "--------------------------"
        iptables -v -t nat -D PREROUTING -i $AP_SUBNET_IFACE -s $AP_SUBNET_RANGE -j TRANSOCKS
        iptables -v -D INPUT -i $AP_SUBNET_IFACE -s $AP_SUBNET_RANGE -p tcp -m tcp --dport $TRANSOCKS_PORT -j ACCEPT
    fi

    echo "-----------------------------"
    echo "# Cleaning and removing chain"
    echo "-----------------------------"
    iptables -v -F TRANSOCKS -t nat
    iptables -v -X TRANSOCKS -t nat
}

trap 'action_down' SIGINT

action_up

echo
echo "Hit Ctrl+C to remove the ip table rules"
echo


while :
do
    sleep 1
done

答案3

在尝试了 Atreyu94 的答案和其他一些例子之后,这对我有用:

/etc/redsocks.conf

base {
    log_debug = on;
    log_info = on;
    log = "file:/var/log/redsocks.log";

    daemon = on;

    redirector = iptables;
}

redsocks {
    local_ip = 0.0.0.0;
    local_port = 12345;

    ip = my.proxy.dns;
    port = 3128;

    type = http-connect;

    login = "myUser";
    password = "myPassword";
}

redsocks {
    local_ip = 0.0.0.0;
    local_port = 12346;

    ip = my.proxy.dns;
    port = 3128;

    type = http-relay;

    login = "myUser";
    password = "myPassword";
}

执行命令 sudo iptables -t nat -nL

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
REDSOCKS   tcp  --  0.0.0.0/0            0.0.0.0/0           

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         

Chain REDSOCKS (1 references)
target     prot opt source               destination         
RETURN     all  --  0.0.0.0/0            0.0.0.0/8           
RETURN     all  --  0.0.0.0/0            10.0.0.0/8          
RETURN     all  --  0.0.0.0/0            100.64.0.0/10       
RETURN     all  --  0.0.0.0/0            127.0.0.0/8         
RETURN     all  --  0.0.0.0/0            169.254.0.0/16      
RETURN     all  --  0.0.0.0/0            172.16.0.0/12       
RETURN     all  --  0.0.0.0/0            192.168.0.0/16      
RETURN     all  --  0.0.0.0/0            198.18.0.0/15       
RETURN     all  --  0.0.0.0/0            224.0.0.0/4         
RETURN     all  --  0.0.0.0/0            240.0.0.0/4         
REDIRECT   tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80 redir ports 12346
REDIRECT   tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:443 redir ports 12345
REDIRECT   tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:11371 redir ports 12346

正如您在表格中看到的,我将所有 HTTP 流量重定向到 http-relay 端口,我还通过 http-relay 端口重定向端口 11371 的 tcp 流量,我甚至不知道为什么这样做有效,但确实有效。我看到了这种特定的重定向:

https://jmkhael.io/escape-proxy-hell-with-redsocks/

此外,我只重定向 OUTPUT 流量,因为我不是在服务器上工作,而是在我的个人计算机上工作。如果您想将您正在工作的计算机用作某种 nat 网关,您还应该考虑使用 PREROUTING 表。

相关内容