Redirect all local traffic to shadow-socks proxy

Iptables reroute to shadowsocks

I have ubuntu 20.04 vps with shadow-socks server on it.

I also have ubuntu 20.04 on my pc, with shadow-socks client running on it. Currently using shadow-socks-libev version.


The goal is to redirect all requests to 127.0.0.1:1080, where proxy client is running.

I followed recommendations from this question and this blog, where the answer is pointing to. Also saw this qna.

However, nothing made it work for me.


Steps I made

I. I created admin user for running shadow socks client only.

II. I made systemd unit to start client on boot from separate user, content of file listed below:

[Unit]
Description=SahdowSocks
After=network.target
After=network-online.target

[Service]
ExecStart=ss-local -c /etc/shadowsocks-client/config.json
Restart=on-failure
User=socks_user
Group=socks_user

[Install]
WantedBy=multi-user.target 

At this point if I'm setting 127.0.0.1:1080 in my browser (firefox) as a socks5 proxy - it works fine.

III. Then I made iptables rules, according to the links above.

sudo iptables -t nat -A OUTPUT -p tcp -m owner ! --uid-owner socks_user --dport 80 -j REDIRECT --to-port 1080
sudo iptables -t nat -A OUTPUT -p tcp -m owner ! --uid-owner socks_user --dport 443 -j REDIRECT --to-port 1080

After that, I can still use the browser if connected directly to the proxy through settings, but after switching to no proxy/system proxy - getting request timeout. All other apps also have no connection.

?*?J?u?s?t? ?t?o? ?m?e?n?t?i?o?n?,? ?i?f? ?I? ?d?o? ?p?i?n?g? ?t?o? ?1?.?1?.?1?.?1? ?i?t? ?r?e?t?u?r?n?s? ?f?i?n?e? (Got answer in the comments.)

*If I do wget http://someurl it ends with no result.

So I assume I'm getting reroute loop (?), but don't understand why.

Answers 1

  • Iptables rules should only redirect traffic to shadowsocks if shadowsocks is running. This is not something that is done with iptables as it only handles traffic packets. Instead, a script is needed to control the shadowsocks service and iptables rules.

    An example of a script for handling shadowsocks and iptables:

    #!/bin/bash
    
    start_service() {
        service shadowsocks_libev start
    }
    
    stop_service() {
        service shadowsocks_libev stop
    }
    
    start_iptables() {
        iptables -t nat -A OUTPUT -p tcp -m owner ! --uid-owner socks_user --dport 80 -j REDIRECT --to-port 1080
        iptables -t nat -A OUTPUT -p tcp -m owner ! --uid-owner socks_user --dport 443 -j REDIRECT --to-port 1080
    }
    
    stop_iptables() {
        # Remove iptables rules
    }
    
    show_help() {
        echo "usage: $0 start|stop|restart"
    }
    
    start() {
        echo "start ..."
        start_service
        start_iptables
        echo "start end"
    }
    
    stop() {
        echo "stop ..."
        stop_iptables
        stop_service
        echo "stop end"
    }
    
    restart() {
        stop
        sleep 1
        start
    }
    
    main() {
        if [ $# -ne 1 ]; then
            show_help
            return 1
        fi
    
        for funcname in "[email protected]"; do
            if [ "$(type -t $funcname)" != 'function' ]; then
                show_help
                return 1
            fi
        done
    
        for funcname in "[email protected]"; do
            $funcname
        done
        return 0
    }
    main "[email protected]"
    

    - This example is based on a script from shadowsocks.

    Iptables can be managed with -A append, -I insert and -D delete.


Related Questions