Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Setup iptables for RedSocks in OpenWRT
base {
// debug: connection progress & client list on SIGUSR1
log_debug = on;
// info: start and end of client session
log_info = on;
/* possible `log' values are:
* stderr
* file:/path/to/file
* syslog:FACILITY facility is any of "daemon", "local0"..."local7"
*/
log = stderr;
// detach from console
daemon = off;
/* Change uid, gid and root directory, these options require root
* privilegies on startup.
* Note, your chroot may requre /etc/localtime if you write log to syslog.
* Log is opened before chroot & uid changing.
*/
// user = nobody;
// group = nobody;
// chroot = "/var/chroot";
/* possible `redirector' values are:
* iptables - for Linux
* ipf - for FreeBSD
* pf - for OpenBSD
* generic - some generic redirector that MAY work
*/
redirector = iptables;
}
redsocks {
/* `local_ip' defaults to 127.0.0.1 for security reasons,
* use 0.0.0.0 if you want to listen on every interface.
* `local_*' are used as port to redirect to.
*/
local_ip = 0.0.0.0;
local_port = 12345;
// `ip' and `port' are IP and tcp-port of proxy-server
ip = 127.0.0.1;
port = 1080;
// known types: socks4, socks5, http-connect, http-relay
type = socks5;
// login = "foobar";
// password = "baz";
}
redudp {
// `local_ip' should not be 0.0.0.0 as it's also used for outgoing
// packets that are sent as replies - and it should be fixed
// if we want NAT to work properly.
local_ip = 127.0.0.1;
local_port = 10053;
// `ip' and `port' of socks5 proxy server.
ip = 127.0.0.1;
port = 1080;
//login = username;
//password = pazzw0rd;
// kernel does not give us this information, so we have to duplicate it
// in both iptables rules and configuration file. By the way, you can
// set `local_ip' to 127.45.67.89 if you need more than 65535 ports to
// forward ;-)
// This limitation may be relaxed in future versions using contrack-tools.
dest_ip = 8.8.8.8;
dest_port = 53;
udp_timeout = 30;
udp_timeout_stream = 180;
}
// you can add more `redsocks' and `redudp' sections if you need.
# at terminal 1
ssh -D1080 username@server -p443
# at terminal 2
./redsocks -c redsocks.conf
# no log texts appear after running redsocks!!
# at terminal 3
. setup-iptables.sh
# all runs fine
# at terminal 4: minicom tty via serial port
# a bunch of LOGs from iptables appear
# Create new chain
iptables -t nat -X REDSOCKS
iptables -t nat -N REDSOCKS
# Ignore LANs and some other reserved addresses.
iptables -t nat -A REDSOCKS -d 0.0.0.0/8 -j RETURN
iptables -t nat -A REDSOCKS -d 10.0.0.0/8 -j RETURN
iptables -t nat -A REDSOCKS -d 10.10.1.0/22 -j RETURN
iptables -t nat -A REDSOCKS -d 127.0.0.0/8 -j RETURN
iptables -t nat -A REDSOCKS -d 169.254.0.0/16 -j RETURN
iptables -t nat -A REDSOCKS -d 172.16.0.0/12 -j RETURN
iptables -t nat -A REDSOCKS -d 192.168.0.0/16 -j RETURN
iptables -t nat -A REDSOCKS -d 224.0.0.0/4 -j RETURN
iptables -t nat -A REDSOCKS -d 240.0.0.0/4 -j RETURN
#iptables -t nat -A REDSOCKS -d 122.248.x.x/31 -j RETURN
iptables -t nat -A REDSOCKS -j LOG -p tcp --syn --log-level info --log-prefix "rs "
# Anything else should be redirected to port 12345
#iptables -t nat -A REDSOCKS -p tcp -j REDIRECT --to-ports 12345
iptables -t nat -A REDSOCKS -p tcp -j DNAT --to-destination 127.0.0.1:12345
iptables -t nat -A REDSOCKS -j LOG -p tcp --syn --log-level info --log-prefix "err "
# Any tcp connection made by `darkk' should be redirected.
iptables -t nat -I OUTPUT 1 -p tcp -j REDSOCKS
iptables -t nat -I PREROUTING 1 -p tcp -s 192.168.1.0/22 -j REDSOCKS
@hillz1
Copy link

hillz1 commented Mar 26, 2016

I get a dns leaking problem with this iptables configuration, I have an ssh account from singapore that I use for an ssh tunnel but after I check by going to https://dnsleaktest.com/ My DNS is still the DNS of my own country, it should come from singapore, the same country of my ssh tunnel, how can I fix that? I'm also running openwrt.

@PR0PH3CY33
Copy link

PR0PH3CY33 commented Dec 1, 2021

dns is udp and these iptables rules are explicitly for tcp. you need to provide for -p udp also for the udp queries including dns to be tunneled.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment