heiher/hev-socks5-tproxy

[Question] Forwarding to hev-socks5-tproxy listening on a non-local address (router) doesn't work.

Closed this issue · 2 comments

I installed hev-socks5-tproxy in my router.

The router has the address 192.168.1.1 and my PC has the address 192.168.1.33. Also, I have a local bridge "virbr0" on the PC side that forwards traffic to a virtual machine, with the gateway address 192.168.11.1 and peer address 192.168.11.2.

On the PC side:

ip rule add fwmark 1088 table 100
ip route add local default dev virbr0 table 100
iptables -t mangle -A PREROUTING -i virbr0 -p tcp -j TPROXY -s 192.168.11.2 --on-ip 192.168.0.1 --on-port 1088 --tproxy-mark 1088

When I try to curl any IP from the virtual machine side (192.168.11.2) I get timeouts; looking at the Wireshark logs, no packet is forwarded from my PC to the router.

And when I change the address of "--on-ip" to 127.0.0.1 and run hev-socks5-tproxy locally listening on 127.0.0.1:1088 everything works ok.

How can I make the TPROXY option in iptables "see" the address of the router (192.168.1.1) and connect?

PS.: I don't know if TPROXY was designed to work with non-local addresses when sending the packets, but I searched a lot on Google and I could see examples of TPROXY using non-local addresses, but when I try to reproduce the examples, nothing works.

The TPROXY target keeps the original destination address of the IP layer and then redirects to the destination address set by --on-ip. There are two types of destination addresses, one is the original and the other is on-ip. In the standard IP protocol stack, these two destination addresses cannot be transmitted to a non-local host (router), and hev-socks5-tproxy needs the original destination address to communicate with the original destination host. So I don't think it's possible.

How about running hev-socks5-server on the router, and running hev-socks5-tproxy on the PC?
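The two points made above (the --on-ip socket must be on the host that receives the marked packets, and the original destination only exists in that host's kernel) can be shown with a small script. This is an added example, not code from the issue or from the hev-socks5-tproxy project. It does two things: `is_local_address()` checks, without privileges, whether a candidate --on-ip is actually configured on this machine (a plain socket can only bind to local addresses, which is exactly why TPROXY cannot hand packets to a router), and `make_tproxy_listener()` / `original_destination()` show how a transparent proxy recovers the real destination with `getsockname()` on the accepted socket, which needs CAP_NET_ADMIN and a TPROXY rule pointing at it. The addresses 127.0.0.1 and 192.168.1.1 are taken from the thread; the Linux value 19 for IP_TRANSPARENT is used as a fallback if the Python build lacks the constant.

```python
import errno
import socket
from typing import Tuple

# Linux numeric value of IP_TRANSPARENT, used only if socket lacks the name.
IP_TRANSPARENT = getattr(socket, "IP_TRANSPARENT", 19)


def is_local_address(ip: str) -> bool:
    """Return True if `ip` is configured on this host.

    A normal (non-transparent) socket may only bind to local addresses, so a
    bind that fails with EADDRNOTAVAIL proves the address belongs to another
    host.  TPROXY has the same constraint: --on-ip must name a socket on the
    machine that receives the marked packets, never a remote router.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        try:
            s.bind((ip, 0))  # port 0: any free port, no privileges needed
        except OSError as exc:
            if exc.errno == errno.EADDRNOTAVAIL:
                return False
            raise
    return True


def make_tproxy_listener(on_ip: str, on_port: int) -> socket.socket:
    """Create the kind of listening socket a transparent proxy uses.

    IP_TRANSPARENT lets the kernel deliver TPROXY-diverted connections whose
    destination is not `on_ip`.  Requires CAP_NET_ADMIN (root) and a matching
    `iptables -t mangle ... -j TPROXY --on-ip on_ip --on-port on_port` rule.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.setsockopt(socket.IPPROTO_IP, IP_TRANSPARENT, 1)
    s.bind((on_ip, on_port))
    s.listen(16)
    return s


def original_destination(conn: socket.socket) -> Tuple[str, int]:
    """Original destination of a TPROXY-diverted connection.

    On the accepted socket, getsockname() returns the address the client was
    really talking to, not --on-ip.  That value lives only in the local kernel's
    socket state, which is why it cannot be carried to another host.
    """
    addr = conn.getsockname()
    return addr[0], addr[1]


def serve_once(on_ip: str = "127.0.0.1", on_port: int = 1088) -> Tuple[str, int]:
    """Accept one diverted connection and report where it was really going."""
    listener = make_tproxy_listener(on_ip, on_port)
    conn, peer = listener.accept()
    with listener, conn:
        dst = original_destination(conn)
        print(f"{peer[0]}:{peer[1]} -> {dst[0]}:{dst[1]} (delivered via {on_ip}:{on_port})")
        return dst


if __name__ == "__main__":
    # On the PC from the thread (192.168.1.33), 127.0.0.1 is local and the
    # router address 192.168.1.1 is not, which is why only the first works.
    for candidate in ("127.0.0.1", "192.168.1.1"):
        state = "local" if is_local_address(candidate) else "NOT local"
        print(f"--on-ip {candidate}: {state} on this host")
```

Running the script unprivileged prints the local/non-local verdict for each candidate --on-ip; `serve_once()` is only meaningful as root behind a TPROXY rule, where a diverted `curl` will show its real destination rather than 127.0.0.1:1088. The check uses a plain socket on purpose: with IP_TRANSPARENT set (and the needed capability) a bind to a non-local address would succeed, so it would not tell you anything.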

It's a pity that TPROXY doesn't work with non-local addresses. Closing.

Yep, I will try to run hev-socks5-server on the router and hev-socks5-tproxy on my machine.