redsocks + NAT problem
- From: Liangent
- Date: 2011-10-01 @ 11:47
Hi,
Today I'm trying to have my wifi-capable cellphone connected to
my pc by wifi, and access the Internet with NAT (I have only one IP
address on the Internet). So the current network configuration on my
pc is:
wlan0: mode=master, ip=192.168.0.1, netmask=255.255.255.0
eth0: ip=(my external ip), ...
dhcp server is enabled on wlan0 and assigning my cellphone
192.168.0.2 / netmask 255.255.255.0 / gateway 192.168.0.1
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
Now without redsocks, access to the Internet from my cellphone is
fine, then I want my cellphone's connection to make use of redsocks.
According to the manual I should add something like
iptables -t nat -A PREROUTING -p tcp -j REDSOCKS_FILTER
After setting this I cannot connect to hosts which match
REDSOCKS_FILTER on my cellphone anymore. At the same time connections
to REDSOCKS_FILTER hosts on my pc via redsocks look good.
I guess the issue is: when I'm accessing a REDSOCKS_FILTER'ed host
from my cellphone, a (src_ip=192.168.0.2) packet is sent to my pc,
if redsocks does not exist, (-j MASQUERADE) will rewrite the packet to
(src_ip=my external ip). However, the PREROUTING chain, where
REDSOCKS_FILTER resides, is REDIRECT'ing the packet to redsocks, so
its src_ip doesn't get rewritten (normally this is done in POSTROUTING
by (-j MASQUERADE)) before it's sent to the socks proxy server. Since
src_ip is an internal ip (=192.168.0.2), the reply will never come...
Is there a way to resolve this? (=get my cellphone connections
redsocks-proxified on my pc)
-Liangent
Re: [redsocks] redsocks + NAT problem
- From: Leonid Evdokimov
- Date: 2011-10-02 @ 11:06
Hi Liangent,
Here is my assumption.
You set REDIRECT target for redsocks and it «redirects the packet to
the machine itself by changing the destination IP to the primary
address of the incoming interface», so dst_ip becomes 192.168.0.1.
And default redsocks.conf sets local_ip to 127.0.0.1 - you need to set
it to 0.0.0.0 (any IP) in your case.
If my assumption is wrong, please post the following information:
1. redsocks.conf
2. iptables -t nat -L -vn
3. iptables -L -vn
4. ip addr
--
WBRBW, Leonid Evdokimov
xmpp:leon@darkk.net.ru && http://darkk.net.ru
tel:+79816800702 && tel:+79050965222
Re: [redsocks] redsocks + NAT problem
- From: Liangent
- Date: 2011-10-02 @ 11:17
On Sun, Oct 2, 2011 at 7:06 PM, Leonid Evdokimov <leon@darkk.net.ru> wrote:
> Hi Liangent,
>
> Here is my assumption.
> You set REDIRECT target for redsocks and it «redirects the packet to
> the machine itself by changing the destination IP to the primary
> address of the incoming interface», so dst_ip becomes 192.168.0.1.
> And default redsocks.conf sets local_ip to 127.0.0.1 - you need to set
> it to 0.0.0.0 (any IP) in your case.
>
Yes, it works now!
Is redsocks able to bind multiple addresses? I don't really hope that
anyone can connect to it...
-Liangent
Re: [redsocks] redsocks + NAT problem
- From: Leonid Evdokimov
- Date: 2011-10-02 @ 11:23
On Sun, Oct 2, 2011 at 15:17, Liangent <liangent@gmail.com> wrote:
> Is redsocks able to bind multiple addresses? I don't really hope that
> anyone can connect to it...
Yes, you need several redsocks {} sections in redsocks.conf for that.
--
WBRBW, Leonid Evdokimov
xmpp:leon@darkk.net.ru && http://darkk.net.ru
tel:+79816800702 && tel:+79050965222
Re: [redsocks] redsocks + NAT problem
- From: Liangent
- Date: 2011-10-04 @ 14:57
I guess a better solution for me is blocking connections from external
ips... since wlan0 doesn't always exist in my environment...
On Sun, Oct 2, 2011 at 7:23 PM, Leonid Evdokimov <leon@darkk.net.ru> wrote:
> On Sun, Oct 2, 2011 at 15:17, Liangent <liangent@gmail.com> wrote:
>> Is redsocks able to bind multiple addresses? I don't really hope that
>> anyone can connect to it...
>
> Yes, you need several redsocks {} sections in redsocks.conf for that.
>
> --
> WBRBW, Leonid Evdokimov
> xmpp:leon@darkk.net.ru && http://darkk.net.ru
> tel:+79816800702 && tel:+79050965222
>
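Putting the thread's pieces together, here is an added example (not from the original thread or the redsocks project): the MASQUERADE + REDSOCKS_FILTER rule set from the first message, with redsocks bound to 0.0.0.0 as Leonid suggests, plus the "block connections from external ips" idea from the last message expressed as INPUT rules. The redsocks port 12345, the proxied host list, the `-i wlan0` match on the PREROUTING jump and the INPUT filtering are all assumptions added here; IPT defaults to a dry run that only prints the commands.

```shell
#!/bin/sh
# Added example, not the thread's own commands. Assumed layout: LAN 192.168.0.0/24
# on wlan0, uplink eth0, redsocks listening on 12345 with local_ip = 0.0.0.0.
# IPT/SYSCTL default to printing the commands; set IPT=iptables SYSCTL=sysctl to apply.
IPT="${IPT:-echo iptables}"
SYSCTL="${SYSCTL:-echo sysctl}"
LAN_IF="wlan0"; WAN_IF="eth0"; LAN_NET="192.168.0.0/24"
REDSOCKS_PORT="12345"
# Constructed sample of hosts whose TCP traffic should go through the SOCKS proxy.
PROXIED_HOSTS="198.51.100.0/24 203.0.113.7"

apply_rules() {
    # 1. Plain NAT: forward and masquerade the LAN behind the single public address.
    $SYSCTL -w net.ipv4.ip_forward=1
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE

    # 2. REDSOCKS_FILTER: REDIRECT rewrites dst_ip to the primary address of the
    #    incoming interface (192.168.0.1 on wlan0), so redsocks must not bind only
    #    127.0.0.1. LAN-to-LAN traffic is returned untouched. The -i match keeps
    #    packets arriving on eth0 out of the proxy chain (the pc's own traffic
    #    would need the same chain hooked into OUTPUT, not shown here).
    $IPT -t nat -N REDSOCKS_FILTER
    $IPT -t nat -A REDSOCKS_FILTER -d "$LAN_NET" -j RETURN
    for h in $PROXIED_HOSTS; do
        $IPT -t nat -A REDSOCKS_FILTER -p tcp -d "$h" -j REDIRECT --to-ports "$REDSOCKS_PORT"
    done
    $IPT -t nat -A PREROUTING -i "$LAN_IF" -p tcp -j REDSOCKS_FILTER

    # 3. Since redsocks now listens on every address, only loopback and the LAN
    #    may reach its port; anything else (e.g. arriving on eth0) is dropped.
    $IPT -A INPUT -i lo -p tcp --dport "$REDSOCKS_PORT" -j ACCEPT
    $IPT -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport "$REDSOCKS_PORT" -j ACCEPT
    $IPT -A INPUT -p tcp --dport "$REDSOCKS_PORT" -j DROP
}

# Returns 0 when the generated rule set both sends LAN TCP into REDSOCKS_FILTER
# and fences the redsocks port off from non-LAN sources.
check_rules() {
    out="$(apply_rules)"
    echo "$out" | grep -q -- "-A PREROUTING -i $LAN_IF -p tcp -j REDSOCKS_FILTER" || return 1
    echo "$out" | grep -q -- "-s $LAN_NET -p tcp --dport $REDSOCKS_PORT -j ACCEPT" || return 1
    echo "$out" | grep -q -- "--dport $REDSOCKS_PORT -j DROP" || return 1
    return 0
}
```

Run it once as a dry run to review the printed rules, then re-run with IPT=iptables SYSCTL=sysctl as root to apply them.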