librelist archives

Configure RedSocks for some traffic only

From: José Luis Segura Lucas
Date: 2012-05-29 @ 11:13

Hi all!

I'm very surprised with redsocks. I'm beginning to do some tests (I'm
not very experienced with iptables and it is a little messed up for me
now :-D)

I want to redirect some traffic through my SOCKS5 proxy. I only need to
proxy the traffic related to my company intranet.

Now, I use a SOCKS5 proxy on my home server and use the Firefox proxy
configuration (using the FoxyProxy extension and regular expressions) to
send some traffic to the SOCKS5 proxy and not other traffic.

My problem is that my company has two services that don't like the
SOCKS5 proxy, and I expect that using redsocks could help me.

I understand (or I think so) the -t nat REDSOCKS rules (avoiding private
IP networks to be sent over the proxy), but I think that I can create
some rules for -t nat OUTPUT to send only the traffic that is necessary
over the proxy (I can send most of my traffic over my own network
connection).

Imagine that I need to access the IP 200.200.200.201 (for example). I
added the following rule to iptables:

iptables -t nat -A OUTPUT -p all -d 200.200.200.201 -j REDSOCKS

Is it ok?

On the other hand, how can I check that redsocks is working properly?
I'm using Debian and I have modified the default configuration file to
use my actual SOCKS5 proxy (changed IP and port).

Do I need the redudp and dnstc sections of the config file?

Thanks in advance.

P.S. How can I subscribe to this list?

-- 
José Luis Segura Lucas



Re: [redsocks] Configure RedSocks for some traffic only

From: Leonid Evdokimov
Date: 2012-06-06 @ 09:58

On Tue, May 29, 2012 at 3:13 PM, José Luis Segura Lucas
<josel.segura@gmx.es> wrote:
> My problem is that my company has two services that don't like the
> SOCKS5 proxy, and I expect that using redsocks could help me.

Well, redsocks can't affect services, it can only add "go through
proxy" feature to software that does not have it.


> Imagine that I need to access the IP 200.200.200.201 (for example). I
> added the following rule to iptables:
>
> iptables -t nat -A OUTPUT -p all -d 200.200.200.201 -j REDSOCKS
>
> Is it ok?

`-p all` makes little sense, redsocks can redirect only TCP and UDP,
but it should work. Moreover, you're perfectly right, the whole point of
the separate REDSOCKS chain is to avoid breaking LAN connectivity. I
prefer per-user or per-group redirection, that's why I don't want to
duplicate this "avoid LAN" filter over and over again.

If your enterprise uses private IPs - feel free to modify this ad-hoc example :)


> On the other hand, how can I check that redsocks is working properly?
> I'm using Debian and I have modified the default configuration file to
> use my actual SOCKS5 proxy (changed IP and port).

The easiest way is to set "log_info = on" and look at log file.


> Do I need the redudp and dnstc sections of the config file?

Probably not. redudp is for UDP redirection (think about DNS, VoIP,
video streaming) and dnstc is a trivial half-broken solution for DNS
over TCP.


--
WBRBW, Leonid Evdokimov
xmpp:leon@darkk.net.ru && http://darkk.net.ru
tel:+79816800702 && tel:+79050965222
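
The per-destination setup discussed in this thread, as an added example that is not from either poster or from the redsocks project: a shell function that prints the nat rules for a list of destination IPs, using `-p tcp` and redirecting private-range destinations directly, because the "avoid LAN" filter in the REDSOCKS chain would otherwise RETURN on them. The function names, the exclusion list and port 12345 (which must match `local_port` in redsocks.conf) are assumptions.

```sh
#!/bin/sh
# Added example: prints nat-table rules; review them, then pipe to `sh` as root.
# Assumption: 12345 matches local_port in the redsocks section of redsocks.conf.
REDSOCKS_PORT="${REDSOCKS_PORT:-12345}"

# Succeeds for a dotted-quad IPv4 address with every octet <= 255.
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for octet in $(printf '%s' "$1" | tr '.' ' '); do
        [ "$octet" -le 255 ] || return 1
    done
}

# Succeeds for RFC 1918 addresses, which the REDSOCKS chain below RETURNs on.
is_private() {
    case "$1" in
        10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    esac
    return 1
}

# Usage: redsocks_rules DEST_IP...
redsocks_rules() {
    # Validate everything first so a bad argument yields no partial rule set.
    for dst in "$@"; do
        is_ipv4 "$dst" || { echo "not an IPv4 address: $dst" >&2; return 1; }
    done
    echo "iptables -t nat -N REDSOCKS"
    # The "avoid LAN" filter: reserved and private ranges are never proxied.
    for net in 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 \
               172.16.0.0/12 192.168.0.0/16 224.0.0.0/4 240.0.0.0/4; do
        echo "iptables -t nat -A REDSOCKS -d $net -j RETURN"
    done
    echo "iptables -t nat -A REDSOCKS -p tcp -j REDIRECT --to-ports $REDSOCKS_PORT"
    for dst in "$@"; do
        if is_private "$dst"; then
            # The chain would RETURN on this address, so redirect it directly.
            echo "iptables -t nat -A OUTPUT -p tcp -d $dst" \
                 "-j REDIRECT --to-ports $REDSOCKS_PORT"
        else
            echo "iptables -t nat -A OUTPUT -p tcp -d $dst -j REDSOCKS"
        fi
    done
}
```

Calling `redsocks_rules 200.200.200.201 10.1.2.3` prints one jump into REDSOCKS for the public address and one direct REDIRECT for the private one.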