Redirect all local traffic to shadow-socks proxy

Iptables reroute to shadowsocks

I have ubuntu 20.04 vps with shadow-socks server on it.

I also have ubuntu 20.04 on my pc, with shadow-socks client running on it. Currently using shadow-socks-libev version.

The goal is to redirect all requests to, where proxy client is running.

I followed recommendations from this question and this blog, where the answer is pointing to. Also saw this qna.

However, nothing made it work for me.

Steps I made

I. I created admin user for running shadow socks client only.

II. I made systemd unit to start client on boot from separate user, content of file listed below:


ExecStart=ss-local -c /etc/shadowsocks-client/config.json


At this point if I'm setting in my browser (firefox) as a socks5 proxy - it works fine.

III. Then I made iptables rules, according to the links above.

sudo iptables -t nat -A OUTPUT -p tcp -m owner ! --uid-owner socks_user --dport 80 -j REDIRECT --to-port 1080
sudo iptables -t nat -A OUTPUT -p tcp -m owner ! --uid-owner socks_user --dport 443 -j REDIRECT --to-port 1080

After that, I can still use the browser if connected directly to the proxy through settings, but after switching to no proxy/system proxy - getting request timeout. All other apps also have no connection.

?*?J?u?s?t? ?t?o? ?m?e?n?t?i?o?n?,? ?i?f? ?I? ?d?o? ?p?i?n?g? ?t?o? ?1?.?1?.?1?.?1? ?i?t? ?r?e?t?u?r?n?s? ?f?i?n?e? (Got answer in the comments.)

*If I do wget http://someurl it ends with no result.

So I assume I'm getting reroute loop (?), but don't understand why.

Answers 1

  • Iptables rules should only redirect traffic to shadowsocks if shadowsocks is running. This is not something that is done with iptables as it only handles traffic packets. Instead, a script is needed to control the shadowsocks service and iptables rules.

    An example of a script for handling shadowsocks and iptables:

    start_service() {
        service shadowsocks_libev start
    stop_service() {
        service shadowsocks_libev stop
    start_iptables() {
        iptables -t nat -A OUTPUT -p tcp -m owner ! --uid-owner socks_user --dport 80 -j REDIRECT --to-port 1080
        iptables -t nat -A OUTPUT -p tcp -m owner ! --uid-owner socks_user --dport 443 -j REDIRECT --to-port 1080
    stop_iptables() {
        # Remove iptables rules
    show_help() {
        echo "usage: $0 start|stop|restart"
    start() {
        echo "start ..."
        echo "start end"
    stop() {
        echo "stop ..."
        echo "stop end"
    restart() {
        sleep 1
    main() {
        if [ $# -ne 1 ]; then
            return 1
        for funcname in "[email protected]"; do
            if [ "$(type -t $funcname)" != 'function' ]; then
                return 1
        for funcname in "[email protected]"; do
        return 0
    main "[email protected]"

    - This example is based on a script from shadowsocks.

    Iptables can be managed with -A append, -I insert and -D delete.

Related Questions