Re: Question regarding UDP redirection

From:
Bo Bao
Date:
2012-12-03 @ 23:33
Hi All,


I am trying to use redsocks to redirect both TCP and UDP traffic to the SS5
socks server. The tcp works like a charm, but the UDP redirection
configuration has some issues.


What are the dest_ip and dest_port settings in the redudp section?
Does it mean redsocks can only forward all the UDP traffic through the
proxy to one destination?
If so, can I use OPENVPN in udp mode going through the proxy?

Thanks in advance.

Re: [redsocks] Re: Question regarding UDP redirection

From:
Leonid Evdokimov
Date:
2012-12-04 @ 17:03
Hi!

First of all - does your S5 really support UDP passthrough? Not every
Socks5 server does.

Second - the "easy" configuration that does not touch ip routing is
really limited to single UDP destination IP:PORT pair.

Third -
you may want to remove dest_port in TPROXY configuration. It does not
affect anything - but the configuration file will be cleaner.

Your configuration of TPROXY is incomplete. E.g. do you apply the
rules to `mangle` table or `nat` table?
Also, you say nothing if you have modified IP routing.

Here are two nice READMEs about TPROXY, the second one is from the
current linux kernel:

https://github.com/darkk/redsocks/blob/master/doc/balabit-TPROXY-README.txt
https://github.com/torvalds/linux/blob/master/Documentation/networking/tproxy.txt

You have to tune both iptables and ip routing for TPROXY to work.

Tell me if it helps :-)

--
WBRBW, Leonid Evdokimov
xmpp:leon@darkk.net.ru && http://darkk.net.ru
tel:+79816800702 && tel:+79050965222

Re: [redsocks] Re: Question regarding UDP redirection

From:
Bo Bao
Date:
2012-12-05 @ 06:46
Hi!



> First of all - does your S5 really support UDP passthrough? Not every
> Socks5 server does.
>

I used the SS5 on the other end, so it does support UDP Associate.


> Second - the "easy" configuration that does not touch ip routing is
> really limited to single UDP destination IP:PORT pair.
>

It seems like I have to go with the TPROXY option.


>
> Third -
> you may want to remove dest_port in TPROXY configuration. It does not
> affect anything - but the configuration file will be cleaner.
>

I found the 0.4 version and recompiled it, so do I need to keep the dest_ip
still?

> Your configuration of TPROXY is incomplete. E.g. do you apply the
> rules to `mangle` table or `nat` table?
> Also, you say nothing if you have modified IP routing.
>
> Here are two nice README's about TPROXY, the second one is from
> current linux kernel:
>
> https://github.com/darkk/redsocks/blob/master/doc/balabit-TPROXY-README.txt
> https://github.com/torvalds/linux/blob/master/Documentation/networking/tproxy.txt
>
> You have to tune both iptables and ip routing for TPROXY to work.
>
> Tell me if it helps :-)
>

Thanks for the articles, I have found those with the iptables configured as
the following:
 :DIVERT - [0:0]
-A DIVERT -j MARK --set-xmark 0x1/0xffffffff
-A DIVERT -j ACCEPT
-A PREROUTING -p udp -m socket -j DIVERT
-A PREROUTING -p udp  -j TPROXY --tproxy-mark 0x1/0x1 --on-port 10053

Where 10053 is the listening port of redudp, and I would like to
forward all the udp requests to that port.
I also ran the ip route command to set up the routing:

ip rule add fwmark 0x1/0x1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100

so the output of the command ip route ls table 100 is:

local default dev lo  scope host

but all of these don't work for udp package redirecting (since it doesn't
show up in the redsocks logs).

I didn't do any redirect to 10053 port just like the tcp protocol, is that
correct?

BTW, just wanna confirm that when using the 0.4 version, the output for udp
package has the same format as the tcp address, is that correct?


Thanks for the help!!!
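Leonid's checklist above (TPROXY rule in the mangle table, an ip rule for the fwmark, a local default route on lo) can be verified from saved output before touching redsocks. The following Python is an added example, not code from the thread or from redsocks; it parses constructed samples of `iptables-save`, `ip rule show` and `ip route show table 100` output modelled on the rules Bo posted, and reports which of the three pieces is missing or inconsistent.

```python
"""Check that a redudp TPROXY setup has all three pieces (iptables, ip rule, routing)."""
import re

# Constructed sample outputs modelled on the rules posted in the thread.
IPTABLES_SAVE = """\
*mangle
:PREROUTING ACCEPT [0:0]
:DIVERT - [0:0]
-A PREROUTING -p udp -m socket -j DIVERT
-A PREROUTING -p udp -j TPROXY --on-port 10053 --on-ip 0.0.0.0 --tproxy-mark 0x1/0x1
-A DIVERT -j MARK --set-xmark 0x1/0xffffffff
-A DIVERT -j ACCEPT
COMMIT
"""
IP_RULE = "0:\tfrom all lookup local\n32765:\tfrom all fwmark 0x1/0x1 lookup 100\n"
IP_ROUTE_100 = "local default dev lo scope host\n"


def tproxy_rules(iptables_save):
    """Return (table, rule) for every TPROXY rule, whichever table it was put in."""
    table, found = None, []
    for line in iptables_save.splitlines():
        if line.startswith("*"):
            table = line[1:]
        elif "-j TPROXY" in line:
            found.append((table, line))
    return found


def check_tproxy_setup(iptables_save, ip_rule, ip_route_table, redudp_port):
    """Return a list of problems; an empty list means the pieces line up."""
    problems = []
    rules = tproxy_rules(iptables_save)
    if not rules:
        return ["no TPROXY rule found in any table"]
    # fwmark values that policy routing actually sends to a separate table
    routed_marks = {int(m, 16) for m in re.findall(r"fwmark (0x[0-9a-f]+)", ip_rule)}
    for table, rule in rules:
        if table != "mangle":
            problems.append(f"TPROXY rule sits in table '{table}'; it only works in mangle")
        port = re.search(r"--on-port (\d+)", rule)
        if not port or int(port.group(1)) != redudp_port:
            problems.append(f"--on-port does not match redudp listen port {redudp_port}")
        mark = re.search(r"--tproxy-mark (0x[0-9a-f]+)", rule)
        if not mark or int(mark.group(1), 16) not in routed_marks:
            problems.append("no 'ip rule ... fwmark' matches the --tproxy-mark value")
    if not re.search(r"^local default dev lo\b", ip_route_table, re.M):
        problems.append("routing table lacks 'ip route add local 0.0.0.0/0 dev lo'")
    return problems
```

On a real host, feed it the output of `iptables-save`, `ip rule show` and `ip route show table 100` instead of the constructed strings.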

Re: [redsocks] Re: Question regarding UDP redirection

From:
Leonid Evdokimov
Date:
2012-12-05 @ 19:59
On Wed, Dec 5, 2012 at 10:46 AM, Bo Bao <baobo5625@gmail.com> wrote:
>> Third -
>> you may want to remove dest_port in TPROXY configuration. It does not
>> affect anything - but the configuration file will be cleaner.
>
> I found the 0.4 version and recompiled it, so do I need to keep the dest_ip
> still?

No, the default `dest_ip` is 0.0.0.0 and an IP like that turns on the TPROXY-related code.
https://github.com/darkk/redsocks/blob/master/redudp.c#L169

Also, 0.4 does not have TPROXY support. 0.4-git - does, but it may be
incomplete.

E.g. I haven't really tested it well in terms of MTU-related issues.
I would appreciate your feedback on it.
OpenVPN-over-socks5 using redsocks looks like a good testing scenario.

> but all of these don't work for udp package redirecting (since it doesn't
> show up in the redsocks logs).

That's strange. I'll try to give you a working example tomorrow. I
have no access to a Socks5 server right now, so I'll have to set one up.

> I didn't do any redirect to 10053 port just like the tcp protocol, is that
> correct?

Yes.

> BTW, just wanna confirm that when using the 0.4 version, the output for udp
> package has the same format as the tcp address, is that correct?

I don't understand your question :-(
What do you mean saying "output for udp package" ?

--
WBRBW, Leonid Evdokimov
xmpp:leon@darkk.net.ru && http://darkk.net.ru
tel:+79816800702 && tel:+79050965222

Re: [redsocks] Re: Question regarding UDP redirection

From:
Bo Bao
Date:
2012-12-06 @ 08:53
>
> E.g. I've not really well-tested it in terms of MTU-related issues.
> I would appreciate your feedback on it.
> OpenVPN-over-socks5 using redsocks looks like good testing scenario.
>

I tried with the Tencent p2p chat client called QQ, which has two login
options, one is tcp, the other one is udp.
With that, the udp doesn't work.

>
> > but all of these don't work for udp package redirecting (since it doesn't
> > show up in the redsocks logs).
>
> That's strange. I'll try to give you a working example tomorrow. I
> have no access to a Socks5 server right now, so I'll have to set one up.
>

I did get some output saying start UDP relay, but it was unable to make the
communication, maybe the destination address was wrong? I lost the log file
though.

>
> > BTW, just wanna confirm that when using the 0.4 version, the output for udp
> > package has the same format as the tcp address, is that correct?
>
> I don't understand your question :-(
> What do you mean saying "output for udp package" ?
>

NVM, I thought the udp may or may not have the same debug output as the tcp
connections in 0.4.

Right now, I am running with the tcp sessions only; for udp sessions and
other packages, I use OPENVPN to do the forwarding.
It seems like redsocks/ss5 has a higher latency than the openvpn
tunnel, and it is even worse if multiple users set up the relay.
Does it have a multi-thread option? Since the SS5 can handle 2500
connections at the same time, I think the issue is on the redsocks side.

Re: Question regarding UDP redirection

From:
Bo Bao
Date:
2012-12-04 @ 00:37
I found the new commit regarding the TPROXY,

I am using CentOS 6, so TPROXY is enabled in the kernel. Also I changed
the redudp section of the configuration file to
        dest_ip = 0.0.0.0;
        dest_port = 53;
        udp_timeout = 500;
so `redudp @ xxx.xxx.xxx.xxx:10053: TPROXY` appeared on the screen when
I ran redsocks.

But I have some difficulties configuring the iptables. Based on the wiki
page, http://wiki.squid-cache.org/Features/Tproxy4
I used
-A PREROUTING -p udp -m socket -j DIVERT
-A PREROUTING -p udp -j TPROXY --tproxy-mark 0x1/0x1 --on-port 10053
-A DIVERT -j MARK --set-xmark 0x1/0xffffffff
-A DIVERT -j ACCEPT
to mark the packages on port 10053 (where I am listening).
But it seems like the udp packages do not go through redsocks at all.
When I comment out the TPROXY PREROUTING line in iptables, it says
connection refused when I use some udp app to test the connection.

Any ideas?