redsocks


See http://talk.maemo.org/showthread.php?t=92703 for instructions

Dependency: https://openrepos.net/content/nieldk/libevent

---------

This tool allows you to redirect any TCP connection to a SOCKS or HTTPS proxy using your firewall, so redirection is system-wide.

Why is that useful? I can suggest the following reasons:

  • you use Tor and don't want any TCP connection to leak
  • you use a DVB ISP that provides internet connectivity through a special daemon, sometimes called an "Internet accelerator", which acts as a proxy. Globax is an example of such an accelerator

Linux/iptables, OpenBSD/pf and FreeBSD/ipfw are supported. Linux/iptables is well tested; other implementations may have bugs, and your bug reports are welcome.

Transocks is a similar project, but it has a noticeable performance penalty.

Transsocks_ev is a similar project too, but it has no HTTPS-proxy support and does not support authentication.

Several Android apps also use redsocks under the hood: ProxyDroid (@AndroidMarket) and sshtunnel (@AndroidMarket). And that's over 100'000 downloads! Wow!

Another related issue is DNS over TCP. Redsocks includes `dnstc', a fake and really dumb DNS server that returns a "truncated answer" to every query via UDP. An RFC-compliant resolver should repeat the same query via TCP in this case, so the request can be redirected using the usual redsocks facilities.

Known compliant resolvers are:

  • bind9 (server)
  • dig, nslookup (tools based on bind9 code)

Known non-compliant resolvers are:

  • the eglibc resolver fails without any attempt to send the request via TCP
  • powerdns-recursor can't start up properly without UDP connectivity, as it can't load root hints

On the other hand, DNS via TCP using bind9 may be painfully slow. If your bind9 setup is really slow, you have at least two options: the pdnsd caching server can run in TCP-only mode, and ttdnsd (git repo) has no cache but can be useful for the same purpose.
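The "truncated answer" trick described above comes down to echoing the question back with the QR and TC header bits set. The following is an added sketch, not redsocks's own dnstc code; the function name, the validation rules and the sample query are assumptions made for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define DNS_HDR_LEN     12
#define DNS_FLAG_QR     0x80 /* header byte 2: message is a response */
#define DNS_FLAG_TC     0x02 /* header byte 2: answer was truncated */
#define DNS_OPCODE_MASK 0x78 /* header byte 2: opcode, 0 = standard query */

/* Constructed sample: query for "example.com", type A, class IN, RD set. */
static const uint8_t sample_query[] = {
    0x12,0x34, 0x01,0x00, 0x00,0x01, 0,0, 0,0, 0,0,
    7,'e','x','a','m','p','l','e', 3,'c','o','m', 0,
    0x00,0x01, 0x00,0x01 };
static uint8_t sample_reply[64];

/* Build a "truncated" reply for a UDP DNS query (hypothetical helper).
 * Returns the reply length, or 0 if the datagram must not be answered. */
size_t build_truncated_reply(const uint8_t *q, size_t qlen,
                             uint8_t *out, size_t outcap)
{
    if (qlen <= DNS_HDR_LEN || qlen > outcap) return 0;
    if (q[2] & DNS_FLAG_QR) return 0;      /* never answer a response */
    if (q[2] & DNS_OPCODE_MASK) return 0;  /* standard queries only */
    if (q[4] != 0 || q[5] != 1) return 0;  /* QDCOUNT must be exactly 1 */

    size_t i = DNS_HDR_LEN;                /* walk the QNAME labels */
    while (i < qlen && q[i] != 0) {
        if (q[i] & 0xC0) return 0;         /* reject compressed names */
        i += (size_t)q[i] + 1;
    }
    if (i + 5 > qlen) return 0;            /* root label + QTYPE + QCLASS */
    size_t rlen = i + 5;

    memcpy(out, q, rlen);                  /* same ID, same question */
    out[2] |= DNS_FLAG_QR | DNS_FLAG_TC;   /* response, truncated */
    out[3] = 0;                            /* RA/Z clear, RCODE = NOERROR */
    memset(out + 6, 0, 6);                 /* no answer/authority/additional */
    return rlen;                           /* anything after the question is dropped */
}

int main(void)
{
    size_t n = build_truncated_reply(sample_query, sizeof sample_query,
                                     sample_reply, sizeof sample_reply);
    printf("reply length %zu, flags byte 0x%02x\n", n, sample_reply[2]);
    return 0;
}
```

A resolver that honours the TC bit retries the same question over TCP, which is the connection the firewall rules can then hand to redsocks.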

Features

Redirect any TCP connection to a SOCKS4, SOCKS5 or HTTPS (HTTP/CONNECT) proxy server.

Login/password authentication is supported for SOCKS5/HTTPS connections. SOCKS4 supports only a username; the password is ignored. For HTTPS, currently only the Basic and Digest schemes are supported.

Redirect UDP packets via a SOCKS5 proxy server. NB: UDP still goes via UDP, so you can't relay UDP via OpenSSH.

Send a "truncated reply" as the answer to UDP DNS queries.

Redirect any HTTP connection to a proxy that does not support transparent proxying (e.g. old SQUID had broken `acl myport' for such connections).

Application versions:

Attachment | Size | Date
redsocks-0.4-0.armv7hl.rpm | 35 KB | 14/05/2014 - 20:31