detect `iptables` loops
It may be possible to write some trivial code checking whether a connection is a loop connection from the redsocks daemon back to itself.
It may help users avoid bugs like #108, caused by a loop in the iptables ruleset.
That may not be trivial because of the proxy-chaining use case described in #18.
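The self-check proposed above, as an added example that is not redsocks' own code (class and function names are assumptions; `SO_ORIGINAL_DST` is the Linux constant): the daemon remembers the local endpoint of every upstream connection it opens and treats an accepted connection whose peer is one of those endpoints as a loop, which leaves a chained instance from #18 untouched because that instance's sockets belong to another process.

```python
"""Detecting an iptables REDIRECT loop from inside a transparent proxy.
Added example, not redsocks code; names below are assumptions."""
import socket
import struct

SO_ORIGINAL_DST = 80  # value from <linux/netfilter_ipv4.h>, Linux-only


def parse_sockaddr_in(raw):
    """Decode a 16-byte struct sockaddr_in into (ip, port)."""
    port, packed_ip = struct.unpack("!2xH4s8x", raw)
    return socket.inet_ntoa(packed_ip), port


def original_dst(conn):
    """(ip, port) the client really dialled before REDIRECT rewrote it."""
    return parse_sockaddr_in(conn.getsockopt(socket.SOL_IP, SO_ORIGINAL_DST, 16))


class LoopDetector:
    """Remember the local (ip, port) of every upstream connection this
    process opens.  When an accepted client's peer address is one of them,
    iptables has bounced our own relay connection back to our listener:
    the ruleset loop behind #108.  A chained redsocks (#18) is a different
    process, so its sockets never enter the set and are not flagged."""

    def __init__(self):
        self._own = set()

    def upstream_opened(self, local_endpoint):
        self._own.add(tuple(local_endpoint[:2]))

    def upstream_closed(self, local_endpoint):
        # Forget it, or a reused ephemeral port would later look like a loop.
        self._own.discard(tuple(local_endpoint[:2]))

    def is_loop(self, peer_endpoint):
        return tuple(peer_endpoint[:2]) in self._own


def demo_self_connect():
    """Reproduce the loop on loopback without iptables: connect to our own
    listener from the same process and check that the detector flags it."""
    det = LoopDetector()
    with socket.socket() as srv:
        srv.bind(("127.0.0.1", 0))
        srv.listen(1)
        with socket.socket() as relay:        # our "upstream" connection
            relay.connect(srv.getsockname())
            det.upstream_opened(relay.getsockname())
            client, peer = srv.accept()       # what the listener sees
            with client:
                return det.is_loop(peer)      # True: it is our own socket
```

`demo_self_connect()` needs a working loopback interface; the detector itself is pure bookkeeping and can be unit-tested without sockets.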
Hi @darkk, I am using redsocks on OpenWrt. I have the same issue, but OpenWrt is a single-user system, so I can't run redsocks as a different user and can't match traffic using owner.
Here are my iptables rules:
```sh
# REDSOCKS_PORT is the port redsocks listens on (from redsocks.conf)
iptables -t nat -N REDSOCKS
# Don't proxy local or private traffic
iptables -t nat -A REDSOCKS -d 0.0.0.0/8 -j RETURN
iptables -t nat -A REDSOCKS -d 127.0.0.0/8 -j RETURN
iptables -t nat -A REDSOCKS -d 10.0.0.0/8 -j RETURN
iptables -t nat -A REDSOCKS -d 169.254.0.0/16 -j RETURN
iptables -t nat -A REDSOCKS -d 172.16.0.0/12 -j RETURN
iptables -t nat -A REDSOCKS -d 192.168.0.0/16 -j RETURN
iptables -t nat -A REDSOCKS -d 224.0.0.0/4 -j RETURN
iptables -t nat -A REDSOCKS -d 240.0.0.0/4 -j RETURN
iptables -t nat -A REDSOCKS -d 192.0.0.0/16 -j RETURN
# Send everything else through the redsocks daemon
iptables -t nat -A REDSOCKS -p tcp -j REDIRECT --to-ports $REDSOCKS_PORT
# Apply the chain to TCP traffic arriving from the LAN bridge
iptables -t nat -A PREROUTING -i br-lan -p tcp -j REDSOCKS
```
How can I change it to avoid the loop?
Hi @animer3009
As far as I understand, OpenWrt is not really a single-user system. There are several users in /etc/passwd and /etc/shadow, and users can be added. E.g. I use the following script as an "autossh" replacement, and it runs the ssh binary as the network user: https://gist.github.com/darkk/9c71252357d3d422661ae39d340ca22a
I hope this example is useful.
Also, I'd suggest considering a VPN instead of a TCP proxy like redsocks, if that's possible. It'll likely give much better performance.