heiher/hev-socks5-tproxy

[Question] How can I forward traffic across network namespaces with hev-socks5-tproxy?

phantomcraft opened this issue · 8 comments

I'm trying to forward traffic across namespaces: basically, I set up a transparent proxy inside a network namespace and forward the traffic to another one.

I create namespaces and set up all the rest with:

ip netns add nsx
ip netns add nsy
ip link add vethx type veth peer name peerx netns nsx
ip link set vethx up
ip address add 10.0.0.1/24 dev vethx
ip netns exec nsx ip link set peerx up
ip netns exec nsx ip address add 10.0.0.2/24 dev peerx
ip netns exec nsx ip link add vethy type veth peer name peery netns nsy
ip netns exec nsx ip link set vethy up
ip netns exec nsx ip address add 10.0.1.1/24 dev vethy
ip netns exec nsx sysctl -w net.ipv4.conf.peerx.forwarding=1
ip netns exec nsx sysctl -w net.ipv4.conf.vethy.forwarding=1
ip netns exec nsx sysctl -w net.ipv4.ip_forward=1
ip netns exec nsy ip link set peery up
ip netns exec nsy ip address add 10.0.1.2/24 dev peery
ip netns exec nsy ip route add default via 10.0.1.1 dev peery

Rules are added in the network namespace "nsx":

ip netns exec nsx ip rule add fwmark 1088 table 100
ip netns exec nsx ip route add local default dev vethy table 100

An iptables rule is added:

ip netns exec nsx iptables -t mangle -A PREROUTING -i vethy -p tcp -j TPROXY -s 10.0.1.2 --on-ip 10.0.0.1 --on-port 19040 --tproxy-mark 1088

But when I try to connect I get this:

root@localhost:/home/user# dig @1.1.1.1 duckduckgo.com
; <<>> DiG 9.18.1-1-Debian <<>> @1.1.1.1 duckduckgo.com
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached

============================

So, what can be done to make the connection succeed?

Do you want to redirect all traffic of nsy to the host via nsx, and then forward it to the internet from the host? Which one is running hev-socks5-tproxy?

I want to redirect traffic from nsy through nsx, reaching hev-socks5-tproxy on the host side. I'm running hev-socks5-tproxy on the host side.

nsy ---> nsx --> hev-socks5-tproxy

I think the key point is bidirectional routing between nsy and the host side. For the forward path, TPROXY can redirect traffic if and only if packets from nsy are routed to the host. For the backward path, the host and nsx need to know how to route to nsy.

This is the point: perhaps some iptables rule which I don't know about should be added, so that TPROXY in the mangle table can see the address of "vethx", 10.0.0.1.

I tried to add this rule:

iptables -t nat -A POSTROUTING -p tcp -s 10.0.0.0/24 -d 10.0.0.0/24 --dport 19040 -j SNAT --to-source 10.0.0.2

/\ It didn't help.

Any help welcome.

Here is an example showing how to set it up. The point is the route rules: how to route to 1.0.1.0/24 from the host side, and how to route to 1.0.0.0/24 from nsx.

On Host side:

ip netns add nsx
ip netns add nsy
ip link add vethx type veth peer name peerx netns nsx
ip link set vethx up
ip address add 10.0.0.1/24 dev vethx

ip route add 10.0.1.0/24 via 10.0.0.2 dev vethx

ip netns exec nsx ip link set peerx up
ip netns exec nsx ip address add 10.0.0.2/24 dev peerx
ip netns exec nsx ip link add vethy type veth peer name peery netns nsy
ip netns exec nsx ip link set vethy up
ip netns exec nsx ip address add 10.0.1.1/24 dev vethy

ip netns exec nsx ip route add default via 10.0.0.1 dev peerx

ip netns exec nsx sysctl -w net.ipv4.conf.peerx.forwarding=1
ip netns exec nsx sysctl -w net.ipv4.conf.vethy.forwarding=1
ip netns exec nsx sysctl -w net.ipv4.ip_forward=1
ip netns exec nsy ip link set peery up
ip netns exec nsy ip address add 10.0.1.2/24 dev peery
ip netns exec nsy ip route add default via 10.0.1.1 dev peery

On Host side:

ip rule add fwmark 1088 table 100
ip route add local default dev vethx table 100

On Host side:

iptables -t mangle -A PREROUTING -i vethx -p tcp -j TPROXY --on-port 1088 --tproxy-mark 1088

Run hev-socks5-tproxy on Host side:

hev-socks5-tproxy main.yml

main.yml:

socks5:
  port: [UPSTREAM SOCKS5 SERVER PORT]
  address: '[UPSTREAM SOCKS5 SERVER ADDR]'

tcp:
  port: 1088
  address: '::'

udp:
  port: 1088
  address: '::'

Now on nsy side:

# curl -i http://1.1.1.1
HTTP/1.1 301 Moved Permanently
Server: cloudflare
Date: Thu, 21 Jul 2022 03:40:28 GMT
Content-Type: text/html
Content-Length: 167
Connection: keep-alive
Location: https://1.1.1.1/
CF-RAY: 72e0ea579eaba05d-SIN

<html>
<head><title>301 Moved Permanently</title></head>
<body>
<center><h1>301 Moved Permanently</h1></center>
<hr><center>cloudflare</center>
</body>
</html>
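Once the example above is in place, a quick way to confirm both routing paths (the forward path from nsx to the host, the backward path from the host to nsy, the fwmark policy route and the TPROXY rule) is to check each piece separately. The script below is an added helper, not part of hev-socks5-tproxy or of this thread; it assumes the names and values from the example (vethx, peerx, nsx, 10.0.1.0/24 via 10.0.0.2, mark 1088 which iproute2 prints as 0x440, port 1088), and each check takes command output as text so it can also be run on captured output.

```shell
#!/bin/sh
# Added check script for the setup in this thread (not part of hev-socks5-tproxy).
# Each check_* takes command output as text so it can run on captured output;
# `sh check.sh --live` gathers the output on the host itself (needs root).
# Names and values (vethx, peerx, nsx, 10.0.x.x, mark 1088 = 0x440, port 1088)
# are the ones from the example above.
DEV=vethx; TABLE=100; PORT=1088
MARK_HEX=0x440          # 1088 as `ip rule` prints it

# Backward path: the host must know that 10.0.1.0/24 (nsy) is behind nsx.
check_host_route() {    # $1 = `ip route show 10.0.1.0/24`
    printf '%s\n' "$1" | grep -q "^10.0.1.0/24 via 10.0.0.2 dev $DEV"
}
# Forward path: nsx hands everything it does not own to the host.
check_nsx_default() {   # $1 = `ip netns exec nsx ip route show default`
    printf '%s\n' "$1" | grep -q "^default via 10.0.0.1 dev peerx"
}
# Marked packets must be looked up in table 100 ...
check_rule() {          # $1 = `ip rule show`
    printf '%s\n' "$1" | grep -q "fwmark $MARK_HEX lookup $TABLE"
}
# ... and delivered locally on the host veth (the thread's typo was "vethy").
check_table() {         # $1 = `ip route show table 100`
    printf '%s\n' "$1" | grep -q "^local default dev $DEV"
}
# mangle/PREROUTING must carry the TPROXY rule for traffic entering on vethx.
check_tproxy_rule() {   # $1 = `iptables -t mangle -S PREROUTING`
    printf '%s\n' "$1" | grep -q -- "-i $DEV .*-j TPROXY .*--on-port $PORT .*--tproxy-mark $MARK_HEX"
}
# hev-socks5-tproxy must actually be listening on the redirect port.
check_listener() {      # $1 = `ss -ltn`
    printf '%s\n' "$1" | grep -q ":$PORT "
}

run_live() {
    rc=0
    check_host_route "$(ip route show 10.0.1.0/24)" || { echo "missing: host route to 10.0.1.0/24"; rc=1; }
    check_nsx_default "$(ip netns exec nsx ip route show default)" || { echo "missing: nsx default route"; rc=1; }
    check_rule "$(ip rule show)" || { echo "missing: fwmark rule -> table $TABLE"; rc=1; }
    check_table "$(ip route show table "$TABLE")" || { echo "missing: local default in table $TABLE"; rc=1; }
    check_tproxy_rule "$(iptables -t mangle -S PREROUTING)" || { echo "missing: TPROXY rule on $DEV"; rc=1; }
    check_listener "$(ss -ltn)" || { echo "missing: listener on port $PORT"; rc=1; }
    [ "$rc" -eq 0 ] && echo "all checks passed"
    return "$rc"
}
if [ "${1:-}" = "--live" ]; then run_live; fi
```

If any check reports "missing", the corresponding command from the example above is the one to re-apply; a failing check_table with "vethy" in the output is exactly the typo discussed later in this thread.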

root@localhost:/home/user# ip route add local default dev vethy table 100
Cannot find device "vethy"

Did you mean vethx? I tested with "vethx" instead of "vethy" and it still doesn't work (the connection is not made).

Yes, a typo; it's vethx. This example works fine on my system.

Can you receive an ICMP response on nsy?

nsy:

ping -n 10.0.0.1

Yes.

root@localhost:/home/user# ip netns exec nsy ping -n 10.0.0.1
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.
64 bytes from 10.0.0.1: icmp_seq=1 ttl=63 time=0.040 ms
64 bytes from 10.0.0.1: icmp_seq=2 ttl=63 time=0.036 ms
64 bytes from 10.0.0.1: icmp_seq=3 ttl=63 time=0.043 ms
64 bytes from 10.0.0.1: icmp_seq=4 ttl=63 time=0.042 ms
64 bytes from 10.0.0.1: icmp_seq=5 ttl=63 time=0.039 ms
^C
--- 10.0.0.1 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4033ms
rtt min/avg/max/mdev = 0.036/0.040/0.043/0.002 ms

I tested your example again; it works now. I don't know why it was not working yesterday.

I believe my question is answered, thank you very much for the support.