
I have a UDM PRO 192.168.1.1 running ShadowSocks on 192.168.1.1:1080.

Here is what I am trying to do.

  1. I would like to know the iptables rules for a computer on my network, 192.168.1.100, to route all traffic to the ShadowSocks server. E.g. all traffic from my computer should only go to the ShadowSocks server.

  2. I would like to send traffic on a particular port, say 5036, to the ShadowSocks server. This means that any device on this network that tries to use 5036 should get routed to the ShadowSocks server. E.g. any device on my network using a particular app should be routed to the ShadowSocks server.

I am trying to apply these rules to the UDM PRO iptables via SSH.

Basil Abbas
  • Unless I'm mistaken, shadowsocks exposes a socks5 proxy. This means you need to encapsulate data in the socks5 protocol to use it and cannot simply redirect traffic to it using iptables. – user2313067 Jan 29 '22 at 16:49
  • The ShadowSocks client installed in the UDM has the local server running that redirects all traffic from 192.168.1.1:1080 to an external AWS instance for unrestricted internet access. So what would be the best option to do this? How do the phone apps simply forward all traffic when you turn on the ShadowSocks client app? – Basil Abbas Jan 29 '22 at 19:43
  • The apps can implement the shadowsocks protocol themselves and forward traffic through it, or encapsulate the traffic in socks and send it to the client. The standard client only seems to support socks5, however shadowsocks-rust (https://github.com/shadowsocks/shadowsocks-rust) has support for tproxy, which can be used with iptables. It depends on the client you're running. – user2313067 Jan 29 '22 at 22:18
  • Interesting. This makes sense now. In that case how would I set the IPTABLES assuming that I am using shadowsocks-rust? – Basil Abbas Jan 30 '22 at 15:35
  • Assuming the tproxy server is on port 1080, something like `iptables -t mangle -A PREROUTING -p TCP --dport 5036 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 1080` would redirect traffic to tcp port 5036 to shadowsocks. `iptables -t mangle -A PREROUTING -s 192.168.1.100 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 1080` would redirect all traffic from 192.168.1.100 to shadowsocks. Note that you'll probably need to follow the first part of https://www.kernel.org/doc/html/latest/networking/tproxy.html before redirecting traffic. I haven't played with tproxy in a while so this might need some debugging. – user2313067 Jan 30 '22 at 16:28
  • I got this to work. The solution is to run a TCP to SOCKS5 service, REDSOCKS (https://github.com/darkk/redsocks). REDSOCKS is set up in the UDM PRO and the iptables rules are updated as follows: `iptables -t nat -A PREROUTING -s 192.168.1.118 -j REDSOCKS` – Basil Abbas Feb 02 '22 at 11:13
  • Note that this only tunnels TCP traffic. If you followed the iptables section of the redsocks readme, UDP (including DNS) simply bypasses shadowsocks. – user2313067 Feb 05 '22 at 14:32
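Putting the thread's conclusion into one script, as an added example (not the asker's or the redsocks project's own code): a POSIX shell function that emits the nat-table rules for both requests on top of a redsocks REDSOCKS chain, plus a fail-closed rule for the non-TCP caveat raised in the last comment. It assumes redsocks listens on its default local port 12345 (the thread never states the port) and prints the commands unless DRY_RUN=0.

```shell
#!/bin/sh
# Added example, not code from the question or its comments.
# Assumptions: redsocks listens on 12345 (its documented default); LAN host and
# app port come from the question; run with DRY_RUN=0 as root to apply for real.
DRY_RUN="${DRY_RUN:-1}"

run() {
  # Print the command in dry-run mode, otherwise execute it.
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

build_rules() {
  host="$1"            # LAN host whose entire TCP traffic goes through the proxy
  app_port="$2"        # destination port that every LAN device should have proxied
  rs_port="${3:-12345}"  # redsocks local listener (assumption: the default)

  run iptables -t nat -N REDSOCKS
  # Exempt local/private/reserved ranges (the list the redsocks README uses);
  # without these, LAN and loopback connections would loop back into the proxy.
  for net in 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 172.16.0.0/12 \
             192.168.0.0/16 224.0.0.0/4 240.0.0.0/4; do
    run iptables -t nat -A REDSOCKS -d "$net" -j RETURN
  done
  # redsocks only speaks TCP, so only TCP is redirected; anything else falls through.
  run iptables -t nat -A REDSOCKS -p tcp -j REDIRECT --to-ports "$rs_port"

  # (1) all TCP from one host -> proxy
  run iptables -t nat -A PREROUTING -s "$host" -p tcp -j REDSOCKS
  # (2) one destination port from any LAN device -> proxy
  run iptables -t nat -A PREROUTING -p tcp --dport "$app_port" -j REDSOCKS

  # Fail closed for the full-tunnel host: REDIRECT covers TCP only, so without
  # this its UDP (DNS included) would leave the router unproxied, as the last
  # comment warns. Redirected TCP hits INPUT, not FORWARD, so it is unaffected.
  run iptables -A FORWARD -s "$host" ! -p tcp -j DROP
}

# Stand-alone run: print the rule set for the question's host and port.
build_rules 192.168.1.100 5036
```

The DROP rule means the host must resolve names over TCP or via the proxy; drop it if that is not acceptable, but then the bypass from the last comment is back.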
