Feature Request: Documentation about dynamic UDP redirection

[edir]

Hi there! Thank you very much for UDP-support but actually there is a little lack of documentation about how it works. Darkk wrote that there may be a way to dynamicly redirect udp packets with the help of libnetfilter_conntrack but it would be nice if there would be a howto or an example.

It would be great! Thanks.

[darkk]

libnetfilter_conntrack support is not implemented yet.

Do you need dynamic UDP redirection? Can you tell me a bit more about your use-case?

[edir]

Hi,

actually i am interested in playing games over a socks5 proxy. I know that the firewall has to let TCP and UDP thru and this is in my case not a problem. The idea is to collect connection from the lan and tunnel them thru the proxyserver.

Another case i had was the problem, that a virtual maschine could not connect to a specific dns-server and was not able to do ntp.

The main problem is, that i dont know in advance which destination and which port will be used. It would be quite nice, if it would be possible to redirect all traffic, that is not directed to your local net thru a proxy.

[edir]

To be more detailed: Some applications, especially from cisco, require a NTP-Server. If they cannot reach the ntp-server, they wont install. Virtualbox nor VMWare Server is able to redirect over Socks5.

Btw: Seems that i closed the issue by error??

[darkk]

https://github.com/darkk/redsocks/commit/709646d59d96cb73a7e70347f37de9823e4e5f14 - initial support for dynamic UDP redirection was commited to master.

[pencil]

I would like to redirect all TCP and UDP traffic through redsocks (v0.4). I came up with the following iptables command:

iptables -t nat -N REDSOCKS
iptables -t nat -A REDSOCKS -d 0.0.0.0/8 -j RETURN
iptables -t nat -A REDSOCKS -d 10.0.0.0/8 -j RETURN
iptables -t nat -A REDSOCKS -d 127.0.0.0/8 -j RETURN
iptables -t nat -A REDSOCKS -d 169.254.0.0/16 -j RETURN
iptables -t nat -A REDSOCKS -d 172.16.0.0/12 -j RETURN
iptables -t nat -A REDSOCKS -d 192.168.0.0/16 -j RETURN
iptables -t nat -A REDSOCKS -d 224.0.0.0/4 -j RETURN
iptables -t nat -A REDSOCKS -d 240.0.0.0/4 -j RETURN
iptables -t nat -A REDSOCKS -d $SOCKS_SERVER_IP/32 -j RETURN
iptables -t nat -A REDSOCKS -p tcp -j REDIRECT --to-ports 12345
iptables -t nat -A REDSOCKS -p udp -j REDIRECT --to-ports 12346
iptables -t nat -A OUTPUT -p tcp -j REDSOCKS
iptables -t nat -A OUTPUT -p udp -j REDSOCKS

While the TCP redirection does work (Yay! \o/), the UDP redirection does not (connection time out). I can see the following log entries on the server side (running Dante as SOCKS5 server):

Nov  7 15:36:53 server danted[14898]: pass(1): tcp/accept [: $EXTERNAL_CLIENT_IP.6058 -> $SOCKS_SERVER_IP.1080
Nov  7 15:36:54 server danted[14899]: pass(2): udp/udpassociate [: 0.0.0.0.0 -> 0.0.0.0.0

And the redsocks log on the client reads like this:

Nov  7 15:36:52 client redsocks[3043]: [10.255.77.143:53948->127.0.0.1:0]: <trace>
Nov  7 15:36:52 client redsocks[3043]: [10.255.77.143:53948->127.0.0.1:0]: got 1st packet from client
Nov  7 15:36:53 client redsocks[3043]: [10.255.77.143:53948->127.0.0.1:0]: <trace>
Nov  7 15:36:54  client[3043]: last message repeated 2 times
Nov  7 15:36:54 client redsocks[3043]: [10.255.77.143:53948->127.0.0.1:0]: Starting UDP relay
Nov  7 15:37:27 client redsocks[3043]: [10.255.77.143:53948->127.0.0.1:0]: Client timeout. First: 1383835012, last_client: 1383835017, last_relay: 0.
Nov  7 15:37:27 client redsocks[3043]: [10.255.77.143:53948->127.0.0.1:0]: Dropping...

@darkk: What's the status of UDP redirection? Are there any configuration examples?

[Evengard]

Seems like there is some working UDP redirection with using TPROXY, but I just can't get how to configure the system to make it work? Can you give information about which iptables rules and ip commands should be used (as an example)?

[akamensky]

It's been 8 years since this issue has been open and 4 years since last comment. Did anyone have any success with TPROXY configuration? Any working example? The docs here seriously lack on that side. Only config available for TCP (which is trivial anyway).

[swex]

Are there any news here?

[ge9]

UDP redirection (to any destination) does work for locally-generated packets and incoming packets. It only works with TPROXY, not REDIRECT. I'll add some example in the future.