redsocks

redsocks is a transparent proxy relay for those dumb applications that do not support communication via proxy servers. Transparent, because the clients will not even notice that their traffic is being passed to a proxy. As this solution works on the TCP/UDP layer, almost any application's traffic can be pushed through it and forced to use a real proxy.

To give a clear example, imagine an application that uses an HTTP-based API. For such a thing, supporting communication via proxy servers should be a must-have feature, just as it is for a web browser. However, in practice I see a lot of commercial "products" (which are actually just garbage) without any kind of proxy support. They do not even honor the standard environment variables like HTTP_PROXY on Unix/Linux systems. So I have to use a workaround to be able to use them in a properly separated network.

Of course, there are commercial products like Proxifier, but these are only for Windows and/or macOS, and none of them are open source, so they are not a solution for me.

redsocks is small and fast, and only needs a little packet filter magic (because of how iptables works) to make it work. First, accept the connections that will be redirected to the local redsocks listener on the loopback interface:

iptables -I INPUT -i lo -p tcp --dport 8080 -j ACCEPT

Then you need to create a dedicated chain in the nat table, with only one rule:

iptables -t nat -N REDSOCKS
iptables -t nat -I REDSOCKS -p tcp -j REDIRECT --to-port 8080

This will redirect all TCP traffic that reaches the chain to the locally listening redsocks instance. redsocks itself will forward this traffic to the real proxy defined in its config.

To control which packets should be proxied, you will need some rules in the OUTPUT chain of the nat table, one per destination:

iptables -t nat -I OUTPUT -p tcp -d <DST IP> -j REDSOCKS

I assumed that you have an empty packet filter with default ACCEPT policies. If you already have a packet filter in place, then you have to properly integrate these rules into your existing ruleset.
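As an added example (not code from this post or from the redsocks project), the rules above wrapped in a reviewable up/down script; it also makes the REDSOCKS chain return early for loopback and for the proxy's own address, so redsocks' upstream connection to the proxy can never be redirected back into redsocks. REDSOCKS_PORT, PROXY_IP and DESTS are assumed knobs, and the default destinations are constructed TEST-NET addresses.

```shell
#!/bin/sh
# Added example, not part of the original post or the redsocks project.
# Prints (and optionally applies) the iptables rules for redsocks.
# REDSOCKS_PORT, PROXY_IP and DESTS are hypothetical knobs; the DESTS
# defaults are constructed TEST-NET addresses, not real targets.
set -eu

IPT="${IPT:-iptables}"
REDSOCKS_PORT="${REDSOCKS_PORT:-8080}"   # local_port from redsocks.conf
PROXY_IP="${PROXY_IP:-192.168.0.1}"      # the real proxy (ip = ... in redsocks.conf)
DESTS="${DESTS:-203.0.113.10 198.51.100.0/24}"  # destinations forced via the proxy

# Emit the rules one per line instead of running them, so they can be reviewed.
redsocks_rules_up() {
    # Accept the redirected connections arriving on loopback.
    echo "$IPT -I INPUT -i lo -p tcp --dport $REDSOCKS_PORT -j ACCEPT"
    # Dedicated chain; "|| true" keeps a re-run from aborting if it already exists.
    echo "$IPT -t nat -N REDSOCKS 2>/dev/null || true"
    echo "$IPT -t nat -F REDSOCKS"
    # Never redirect loopback or traffic to the proxy itself: redsocks' own
    # upstream connection would otherwise be sent back into redsocks (a loop).
    echo "$IPT -t nat -A REDSOCKS -d 127.0.0.0/8 -j RETURN"
    echo "$IPT -t nat -A REDSOCKS -d $PROXY_IP -j RETURN"
    echo "$IPT -t nat -A REDSOCKS -p tcp -j REDIRECT --to-ports $REDSOCKS_PORT"
    # One OUTPUT rule per destination that must go through the proxy.
    for dst in $DESTS; do
        echo "$IPT -t nat -A OUTPUT -p tcp -d $dst -j REDSOCKS"
    done
}

redsocks_rules_down() {
    for dst in $DESTS; do
        echo "$IPT -t nat -D OUTPUT -p tcp -d $dst -j REDSOCKS"
    done
    echo "$IPT -t nat -F REDSOCKS"
    echo "$IPT -t nat -X REDSOCKS"
    echo "$IPT -D INPUT -i lo -p tcp --dport $REDSOCKS_PORT -j ACCEPT"
}

# Number of configured destinations, handy for a sanity check before "up".
redsocks_dest_count() { set -- $DESTS; echo "$#"; }

case "${1:-show}" in
    show) redsocks_rules_up ;;          # review the rules without applying them
    up)   redsocks_rules_up | sh -e ;;  # apply (needs root)
    down) redsocks_rules_down | sh ;;
    *)    echo "usage: $0 [show|up|down]" >&2; exit 2 ;;
esac
```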

redsocks itself only needs a very simple configuration (/etc/redsocks.conf) to work:

base {
  // run in the background and send the log to syslog (daemon facility)
  daemon = on;
  // "iptables" means the REDIRECT target is used and the original
  // destination is recovered from the redirected socket
  redirector = iptables;
  log_info = yes;
  log_debug = on;
  log = "syslog:daemon";
}
redsocks {
  // where the REDIRECT rule sends the traffic (must match --to-port above)
  local_ip = 127.0.0.1;
  local_port = 8080;

  // the real proxy that the traffic is forwarded to
  ip = 192.168.0.1;
  port = 3128;
  type = http-connect;
}

This is a working, but very basic, example. The package contains a more detailed example config, which is worth reading :)

The original author has not touched this project for a while; however, some patches already submitted as pull requests (#50, #123) make it work on any recent distribution/kernel.

My own forked repository already has those patches, and building is really simple:

make

For the first try, you should watch its logs:

sudo journalctl -f -t redsocks &

and then start it:

sudo redsocks -c /etc/redsocks.conf

Of course, this is only a very simple example, but once you see what it really does, you can build more sophisticated use cases on it as well.