Redirect all local traffic to shadow-socks proxy

Question

Iptables reroute to shadowsocks

I have ubuntu 20.04 vps with shadow-socks server on it.

I also have ubuntu 20.04 on my pc, with shadow-socks client running on it. Currently using shadow-socks-libev version.

---

The goal is to redirect all requests to 127.0.0.1:1080, where proxy client is running.

I followed recommendations from this question and this blog, where the answer is pointing to. Also saw this qna.

However, nothing made it work for me.

---

Steps I made

I. I created admin user for running shadow socks client only.

II. I made systemd unit to start client on boot from separate user, content of file listed below:

[Unit]
Description=SahdowSocks
After=network.target
After=network-online.target
[Service]
ExecStart=ss-local -c /etc/shadowsocks-client/config.json
Restart=on-failure
User=socks_user
Group=socks_user
[Install]
WantedBy=multi-user.target 

At this point if I'm setting 127.0.0.1:1080 in my browser (firefox) as a socks5 proxy - it works fine.

III. Then I made iptables rules, according to the links above.

sudo iptables -t nat -A OUTPUT -p tcp -m owner ! --uid-owner socks_user --dport 80 -j REDIRECT --to-port 1080
sudo iptables -t nat -A OUTPUT -p tcp -m owner ! --uid-owner socks_user --dport 443 -j REDIRECT --to-port 1080

After that, I can still use the browser if connected directly to the proxy through settings, but after switching to no proxy/system proxy - getting request timeout. All other apps also have no connection.

̶*̶J̶u̶s̶t̶ ̶t̶o̶ ̶m̶e̶n̶t̶i̶o̶n̶,̶ ̶i̶f̶ ̶I̶ ̶d̶o̶ ̶p̶i̶n̶g̶ ̶t̶o̶ ̶1̶.̶1̶.̶1̶.̶1̶ ̶i̶t̶ ̶r̶e̶t̶u̶r̶n̶s̶ ̶f̶i̶n̶e̶ (Got answer in the comments.)

*If I do wget http://someurl it ends with no result.

So I assume I'm getting reroute loop (?), but don't understand why.

Answer 1

The problem is that iptables should only redirect traffic to shadowsocks if shadowsocks is running. Whether shadowsocks is running is not something iptables can check, since iptables only handles traffic packets. Instead, a script is needed to handles the shadowsocks service and iptables rules. - This is the spirit of managing a linux, by the way.

An example of a script for handling shadowsocks and iptables:

#!/bin/bash
start_service() {
    service shadowsocks_libev start
}
stop_service() {
    service shadowsocks_libev stop
}
start_iptables() {
    iptables -t nat -A OUTPUT -p tcp -m owner ! --uid-owner socks_user --dport 80 -j REDIRECT --to-port 1080
    iptables -t nat -A OUTPUT -p tcp -m owner ! --uid-owner socks_user --dport 443 -j REDIRECT --to-port 1080
}
stop_iptables() {
    # Remove iptables rules
}
show_help() {
    echo "usage: $0 start|stop|restart"
}
start() {
    echo "start ..."
    start_service
    start_iptables
    echo "start end"
}
stop() {
    echo "stop ..."
    stop_iptables
    stop_service
    echo "stop end"
}
restart() {
    stop
    sleep 1
    start
}
main() {
    if [ $# -ne 1 ]; then
        show_help
        return 1
    fi
for funcname in "$@"; do
    if [ "$(type -t $funcname)" != 'function' ]; then
        show_help
        return 1
    fi
done

for funcname in "$@"; do
    $funcname
done
return 0

}
main "$@"

- This example is based on a script from shadowsocks.

Iptables can be managed with -A append, -I insert and -D delete.

• https://linux.die.net/man/8/iptables
• https://stackoverflow.com/questions/10197405/how-can-i-remove-specific-rules-from-iptables

Answer 2

You will need to use a TCP to proxy forwarder service and set up your IP tables accordingly.

I am planning to use REDSOCKS as the forwarding service. https://github.com/darkk/redsocks

Here is how I managed this. I set up an EC2 instance running ShadowSocks. In my UDM PRO I am running ShadowSocks as the client and have provisioned a local Socks5 server running on 129.168.1.1:1080

Then I am running REDSOCKS in the UDM PRO and pointing it to my local socks 5 server.

Next in the UDM IPTABLES, I am setting up the rules as mentioned here. https://github.com/darkk/redsocks

Since I am looking to direct all traffic from 1 computer on the network to the proxy I have enabled this rule in the UDM.

iptables -t nat -A PREROUTING -s 192.168.1.118 -j REDSOCKS

If you want to route specific apps, then you can get the port number and set your port as the selector.