我正在尝试将我计算机的所有流量重定向到端口 12345 上的本地 redsocks 服务。尽管 https 可以正常工作,但由于某种原因 http 似乎无法正常工作。
/etc/redsocks.conf
base {
log_debug = on;
log_info = on;
log = "file:/var/log/redsocks.log";
daemon = on;
redirector = iptables;
}
redsocks {
local_ip = 0.0.0.0;
local_port = 12345;
ip = proxy.uclv.cu;
port = 3128;
type = http-connect;
login = "MyUser";
password = "MyPassword";
}
iptables 配置
iptables -t nat -N REDSOCKS
iptables -t nat -A REDSOCKS -d 0.0.0.0/8 -j RETURN
iptables -t nat -A REDSOCKS -d 10.0.0.0/8 -j RETURN
iptables -t nat -A REDSOCKS -d 100.64.0.0/10 -j RETURN
iptables -t nat -A REDSOCKS -d 127.0.0.0/8 -j RETURN
iptables -t nat -A REDSOCKS -d 169.254.0.0/16 -j RETURN
iptables -t nat -A REDSOCKS -d 172.16.0.0/12 -j RETURN
iptables -t nat -A REDSOCKS -d 192.168.0.0/16 -j RETURN
iptables -t nat -A REDSOCKS -d 198.18.0.0/15 -j RETURN
iptables -t nat -A REDSOCKS -d 224.0.0.0/4 -j RETURN
iptables -t nat -A REDSOCKS -d 240.0.0.0/4 -j RETURN
# Anything should be redirected to port 12345
iptables -t nat -A REDSOCKS -p tcp -j REDIRECT --to-ports 12345
# Any tcp connection should be redirected to REDSOCKS chain
iptables -t nat -A OUTPUT -p tcp -j REDSOCKS
执行命令 sudo iptables -v -x -n -L
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
执行命令 sudo iptables -t nat -nL
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
REDSOCKS tcp -- 0.0.0.0/0 0.0.0.0/0
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
Chain REDSOCKS (1 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/8
RETURN all -- 0.0.0.0/0 10.0.0.0/8
RETURN all -- 0.0.0.0/0 100.64.0.0/10
RETURN all -- 0.0.0.0/0 127.0.0.0/8
RETURN all -- 0.0.0.0/0 169.254.0.0/16
RETURN all -- 0.0.0.0/0 172.16.0.0/12
RETURN all -- 0.0.0.0/0 192.168.0.0/16
RETURN all -- 0.0.0.0/0 198.18.0.0/15
RETURN all -- 0.0.0.0/0 224.0.0.0/4
RETURN all -- 0.0.0.0/0 240.0.0.0/4
REDIRECT tcp -- 0.0.0.0/0 0.0.0.0/0 redir ports 12345
如果我尝试使用 https 网站,例如https://google.com它可以工作。但如果它是一个网站http://archive.ubuntu.com/ubuntu/但事实并非如此。
但是,如果我在 redsocks 配置文件中将 http-connect 更改为 http-relay,则会发生相反的情况。
有什么方法可以让 http 和 https 同时工作吗?
答案1
redsocks2 网站 (https://github.com/semigodking/redsocks)可能解释了你的问题。此示例必须包含在配置文件中。我逐字引用:
为了使 redsocks2 与 GoAgent 代理配合使用,您需要将代理类型分别设置为 HTTP 协议的“http-relay”和 HTTPS 协议的“http-connect”。假设您的 goagent 本地代理与 redsocks2 运行在同一个服务器上,将连接转发到 GoAgent 的配置如下:
redsocks {
bind = "192.168.1.1:1081"; //HTTP should be redirect to this port.
relay = "192.168.1.1:8080";
type = http-relay; // Must be 'htt-relay' for HTTP traffic.
autoproxy = 1; // I want autoproxy feature enabled on this section.
// timeout is meaningful when 'autoproxy' is non-zero.
// It specified timeout value when trying to connect to destination
// directly. Default is 10 seconds. When it is set to 0, default
// timeout value will be used.
timeout = 13;
}
redsocks {
bind = "192.168.1.1:1082"; //HTTPS should be redirect to this port.
relay = "192.168.1.1:8080";
type = http-connect; // Must be 'htt-connect' for HTTPS traffic.
autoproxy = 1; // I want autoproxy feature enabled on this section.
// timeout is meaningful when 'autoproxy' is non-zero.
// It specified timeout value when trying to connect to destination
// directly. Default is 10 seconds. When it is set to 0, default
// timeout value will be used.
timeout = 13;
}
“
答案2
我使用了 transocks (https://github.com/cybozu-go/transocks)而不是 redsocks,我的 iptables 配置如下所示:
https://gist.github.com/andersondanilo/a28e7165fa8a9700d8ead20a224ecf44
transocks 配置示例:
listen = "0.0.0.0:12345"
# Connect to HTTP Proxy
proxy_url = "http://USER:PASS@HOST:80"
# Connect to socks5 Proxy (you can create with ssh)
# proxy_url = "socks5://10.20.30.40:1080"
[log]
level = "info"
配置 iptables 的脚本:
#!/usr/bin/bash
# Transocks: https://github.com/cybozu-go/transocks
# 1. Install: go get -u github.com/cybozu-go/transocks/...
# Note: depending on your vension of go, you will need the env: GO111MODULE=on
# 2. Create a "transocks" user
# 3. Execute: sudo -u transocks $HOME/go/bin/transocks -f transocks.toml
set -e
stty -echoctl
# Point to the transparent socket port (running in an exclusive user)
TRANSOCKS_PORT=12345
TRANSOCKS_USER=transocks
# Redirect all the network of your computer (except transocks user)
REDIRECT_LOCAL_NETWORK=1
# Redirect access point (wifi hotspot)
AP_SUBNET_ENABLED=1
AP_SUBNET_IFACE=ap0
AP_SUBNET_RANGE="192.168.12.0/24"
function action_up()
{
echo "-----------------------------"
echo "# Adding iptables chain rules"
echo "-----------------------------"
iptables -v -t nat -N TRANSOCKS
iptables -v -t nat -A TRANSOCKS -d 0.0.0.0/8 -j RETURN
iptables -v -t nat -A TRANSOCKS -d 10.0.0.0/8 -j RETURN
iptables -v -t nat -A TRANSOCKS -d 100.64.0.0/10 -j RETURN
iptables -v -t nat -A TRANSOCKS -d 127.0.0.0/8 -j RETURN
iptables -v -t nat -A TRANSOCKS -d 169.254.0.0/16 -j RETURN
iptables -v -t nat -A TRANSOCKS -d 172.16.0.0/12 -j RETURN
iptables -v -t nat -A TRANSOCKS -d 192.168.0.0/16 -j RETURN
iptables -v -t nat -A TRANSOCKS -d 198.18.0.0/15 -j RETURN
iptables -v -t nat -A TRANSOCKS -d 224.0.0.0/4 -j RETURN
iptables -v -t nat -A TRANSOCKS -d 240.0.0.0/4 -j RETURN
iptables -v -t nat -A TRANSOCKS -p tcp -j REDIRECT --to-ports $TRANSOCKS_PORT
if [ "$REDIRECT_LOCAL_NETWORK" = 1 ]; then
echo "--------------------------------"
echo "# Redirecting non-transocks user"
echo "--------------------------------"
iptables -v -t nat -A OUTPUT -p tcp -m owner ! --uid-owner $TRANSOCKS_USER -j TRANSOCKS
fi
if [ "$AP_SUBNET_ENABLED" = 1 ]; then
echo "-----------------------"
echo "# Redirecting AP subnet"
echo "-----------------------"
iptables -v -t nat -I PREROUTING -i $AP_SUBNET_IFACE -s $AP_SUBNET_RANGE -j TRANSOCKS
iptables -v -I INPUT -i $AP_SUBNET_IFACE -s $AP_SUBNET_RANGE -p tcp -m tcp --dport $TRANSOCKS_PORT -j ACCEPT
fi
}
function action_down()
{
if [ "$REDIRECT_LOCAL_NETWORK" = 1 ]; then
echo "------------------------------"
echo "# Cleaning non-transocks rules"
echo "------------------------------"
iptables -v -t nat -D OUTPUT -p tcp -m owner ! --uid-owner $TRANSOCKS_USER -j TRANSOCKS
fi
if [ "$AP_SUBNET_ENABLED" = 1 ]; then
echo "--------------------------"
echo "# Cleaning AP subnet rules"
echo "--------------------------"
iptables -v -t nat -D PREROUTING -i $AP_SUBNET_IFACE -s $AP_SUBNET_RANGE -j TRANSOCKS
iptables -v -D INPUT -i $AP_SUBNET_IFACE -s $AP_SUBNET_RANGE -p tcp -m tcp --dport $TRANSOCKS_PORT -j ACCEPT
fi
echo "-----------------------------"
echo "# Cleaning and removing chain"
echo "-----------------------------"
iptables -v -F TRANSOCKS -t nat
iptables -v -X TRANSOCKS -t nat
}
trap 'action_down' SIGINT
action_up
echo
echo "Hit Ctrl+C to remove the ip table rules"
echo
while :
do
sleep 1
done
答案3
在尝试了 Atreyu94 的答案和其他一些例子之后,这对我有用:
/etc/redsocks.conf
base {
log_debug = on;
log_info = on;
log = "file:/var/log/redsocks.log";
daemon = on;
redirector = iptables;
}
redsocks {
local_ip = 0.0.0.0;
local_port = 12345;
ip = my.proxy.dns;
port = 3128;
type = http-connect;
login = "myUser";
password = "myPassword";
}
redsocks {
local_ip = 0.0.0.0;
local_port = 12346;
ip = my.proxy.dns;
port = 3128;
type = http-relay;
login = "myUser";
password = "myPassword";
}
执行命令 sudo iptables -t nat -nL
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
REDSOCKS tcp -- 0.0.0.0/0 0.0.0.0/0
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
Chain REDSOCKS (1 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/8
RETURN all -- 0.0.0.0/0 10.0.0.0/8
RETURN all -- 0.0.0.0/0 100.64.0.0/10
RETURN all -- 0.0.0.0/0 127.0.0.0/8
RETURN all -- 0.0.0.0/0 169.254.0.0/16
RETURN all -- 0.0.0.0/0 172.16.0.0/12
RETURN all -- 0.0.0.0/0 192.168.0.0/16
RETURN all -- 0.0.0.0/0 198.18.0.0/15
RETURN all -- 0.0.0.0/0 224.0.0.0/4
RETURN all -- 0.0.0.0/0 240.0.0.0/4
REDIRECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 redir ports 12346
REDIRECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 redir ports 12345
REDIRECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:11371 redir ports 12346
正如您在表格中看到的,我将所有 HTTP 流量重定向到 http-relay 端口,我还通过 http-relay 端口重定向端口 11371 的 tcp 流量,我甚至不知道为什么这样做有效,但确实有效。我看到了这种特定的重定向:
https://jmkhael.io/escape-proxy-hell-with-redsocks/
此外,我只重定向 OUTPUT 流量,因为我不是在服务器上工作,而是在我的个人计算机上工作。如果您想将您正在工作的计算机用作某种 nat 网关,您还应该考虑使用 PREROUTING 表。