redsocks is a transparent proxy relay for those dumb applications that do not support communication via proxy servers. Transparent, because the clients will not even notice that their traffic is passed to a proxy. As this solution works on the TCP/UDP layer, almost any application's traffic can be pushed through it and forced to use a real proxy.
To give a clear example, let's imagine an application that uses an HTTP based API. For such a thing it would be a must-have feature to support communication via proxy servers – just as a web browser does. However, in practice I see a lot of commercial "products" – which are actually just garbage – without any kind of proxy support. They do not even honor the standard environment variables like "HTTP_PROXY" on Unix/Linux systems. So I have to use a workaround to be able to use them in a properly separated network.
Of course, there are commercial products like Proxifier, but these are only for Windows and/or macOS, and none of them are open source, so they are not a solution for me.
redsocks is small and fast, and only needs a little packet filter magic (because of how iptables works) to make it work. First, accept the redirected connections arriving on the loopback interface:
iptables -I INPUT -i lo -p tcp --dport 8080 -j ACCEPT
Then you need to create a dedicated chain in the nat table, with only one rule:
iptables -t nat -N REDSOCKS
iptables -t nat -I REDSOCKS -p tcp -j REDIRECT --to-port 8080
This will redirect all the traffic to the locally listening redsocks instance. redsocks itself will then forward this traffic to the real proxy defined in its config.
To control which packets should be proxied, you will need some rules in the OUTPUT chain of the nat table:
iptables -t nat -I OUTPUT -p tcp -d <DST IP> -j REDSOCKS
I assumed that you have an empty packet filter with default ACCEPT rules. If you already have a packet filter in place, then you have to properly integrate these into your solution.
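As an added example (not code from the post or the redsocks project), here is a POSIX shell script that writes out the rule set described above instead of executing it, so the rules can be reviewed first and then piped to sh as root; it also includes a check over iptables-save output that tells you whether the chain and redirect are actually in place. Two things in it are my own assumptions, not from the post: loopback and the proxy's own address get RETURN rules in the REDSOCKS chain, so the connection redsocks opens to the real proxy is not itself caught by the OUTPUT rule (that would be a redirect loop); and the destination 203.0.113.10, the proxy 192.168.0.1 and the sample iptables-save text are constructed values.

```shell
#!/bin/sh
# Added example: emit the iptables rules from the post as text for review.
# Apply with:   redsocks_rules 8080 192.168.0.1 203.0.113.10 | sudo sh
# Remove with:  redsocks_teardown 8080 203.0.113.10 | sudo sh
# Verify with:  sudo iptables-save | redsocks_check 8080

# usage: redsocks_rules LOCAL_PORT PROXY_IP DST_IP [DST_IP ...]
redsocks_rules() {
    port="$1"; proxy="$2"; shift 2
    # accept the redirected connections on loopback (first rule in the post)
    echo "iptables -I INPUT -i lo -p tcp --dport $port -j ACCEPT"
    # dedicated nat chain holding the REDIRECT (second block in the post)
    echo "iptables -t nat -N REDSOCKS"
    # assumption, not in the post: never redirect loopback or the proxy itself,
    # otherwise redsocks' own connection to the proxy loops back into redsocks
    echo "iptables -t nat -A REDSOCKS -d 127.0.0.0/8 -j RETURN"
    echo "iptables -t nat -A REDSOCKS -d $proxy -j RETURN"
    echo "iptables -t nat -A REDSOCKS -p tcp -j REDIRECT --to-port $port"
    # one OUTPUT rule per destination that should go through the proxy
    for dst in "$@"; do
        echo "iptables -t nat -I OUTPUT -p tcp -d $dst -j REDSOCKS"
    done
}

# usage: redsocks_teardown LOCAL_PORT DST_IP [DST_IP ...]
redsocks_teardown() {
    port="$1"; shift 1
    for dst in "$@"; do
        echo "iptables -t nat -D OUTPUT -p tcp -d $dst -j REDSOCKS"
    done
    echo "iptables -t nat -F REDSOCKS"
    echo "iptables -t nat -X REDSOCKS"
    echo "iptables -D INPUT -i lo -p tcp --dport $port -j ACCEPT"
}

# usage: iptables-save | redsocks_check LOCAL_PORT
# Returns 0 when the chain, the REDIRECT rule and an OUTPUT jump are present.
# iptables-save prints the REDIRECT target as "--to-ports PORT".
redsocks_check() {
    port="$1"
    save=$(cat)
    printf '%s\n' "$save" | grep -q '^:REDSOCKS - ' \
        || { echo "missing REDSOCKS chain in nat table" >&2; return 1; }
    printf '%s\n' "$save" | grep -q -- "-A REDSOCKS -p tcp -j REDIRECT --to-ports $port" \
        || { echo "missing REDIRECT to port $port" >&2; return 1; }
    printf '%s\n' "$save" | grep -q -- '-A OUTPUT .* -j REDSOCKS' \
        || { echo "no OUTPUT rule jumps to REDSOCKS" >&2; return 1; }
    return 0
}

# Constructed sample of what "iptables-save" prints after applying the rules
# above (nat table only); used to exercise redsocks_check offline.
SAMPLE_SAVE='*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:REDSOCKS - [0:0]
-A OUTPUT -d 203.0.113.10/32 -p tcp -j REDSOCKS
-A REDSOCKS -d 127.0.0.0/8 -j RETURN
-A REDSOCKS -d 192.168.0.1/32 -j RETURN
-A REDSOCKS -p tcp -j REDIRECT --to-ports 8080
COMMIT'

# Show the generated rule set for the constructed values.
redsocks_rules 8080 192.168.0.1 203.0.113.10
```

The generator inserts the OUTPUT rules with -I (first position), exactly as the post does, so they take effect before any existing OUTPUT rules; if you already have a nat OUTPUT chain, review the printed list before piping it into sh.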
redsocks itself only needs a very simple configuration (/etc/redsocks.conf) to work:
base {
    daemon = on;
    redirector = iptables;
    log_info = yes;
    log_debug = on;
    log = "syslog:daemon";
}
redsocks {
    local_ip = 127.0.0.1;
    local_port = 8080;
    # Proxy
    ip = 192.168.0.1;
    port = 3128;
    type = http-connect;
}
This is a working, but very basic, example. The package contains a more detailed example config, which is worth reading :)
The original author has not touched this project for a while; however, some already submitted pull request patches (#50, #123) will make it work on any recent distribution/kernel.
My own forked repository already has those patches, and building is really simple:
make
For the first try, you should check its logs:
sudo journalctl -f -t redsocks &
After you have started it:
sudo redsocks -c /etc/redsocks.conf
Of course this is only a very simple example, but once you see what it really does, you can create more sophisticated use cases as well.