Score:0

Send all traffic from one IP address to another IP and port

cn flag

I have a UDM PRO 192.168.1.1 running ShadowSocks on 192.168.1.1:1080.

Here is what I am trying to do.

  1. I would like to know the IPTABLES rules for a computer on my network 192.168.1.100 to route all traffic to the ShadowSocks Server. E.g. all traffic from my computer should only go to the ShadowSocks Server.

  2. I would like to send traffic on a particular port, say 5036, to the ShadowSocks Server. This means that any device on this network that tries to use 5036 should get routed to the ShadowSocks server. E.g. any device on my network using a particular app should be routed to the ShadowSocks Server.

I am trying to apply these rules to the UDM PRO IPTABLES via SSH.

in flag
Unless I'm mistaken, shadowsocks exposes a socks5 proxy. This means you need to encapsulate data in the socks5 protocol to use it and cannot simply redirect traffic to it using iptables.
cn flag
The ShadowSocks client installed in the UDM has the local server running that redirects all traffic from 192.168.1.1:1080 to an external AWS instance for unrestricted internet access. So what would be the best option to do this? How do the phone apps simply forward all traffic when you turn on the ShadowSocks client app?
in flag
The apps can implement the shadowsocks protocol themselves and forward traffic through it, or encapsulate the traffic in socks and send it to the client. The standard client only seems to support socks5, however shadowsocks-rust (https://github.com/shadowsocks/shadowsocks-rust) has support for tproxy, which can be used with iptables. It depends on the client you're running.
cn flag
Interesting. This makes sense now. In that case how would I set the IPTABLES assuming that I am using shadowsocks-rust?
in flag
Assuming the tproxy server is on port 1080, something like `iptables -t mangle -A PREROUTING -p TCP --dport 5036 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 1080` would redirect traffic to TCP port 5036 to shadowsocks. `iptables -t mangle -A PREROUTING -s 192.168.1.100 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 1080` would redirect all traffic from 192.168.1.100 to shadowsocks. Note that you'll probably need to follow the first part of https://www.kernel.org/doc/html/latest/networking/tproxy.html before redirecting traffic. I haven't played with tproxy in a while so this might need some debugging.
cn flag
I got this to work. The solution is to run a TCP-to-SOCKS5 service, REDSOCKS (https://github.com/darkk/redsocks). REDSOCKS is set up in the UDM PRO and the IP tables are updated as follows: `iptables -t nat -A PREROUTING -s 192.168.1.118 -j REDSOCKS`
in flag
Note that this only tunnels TCP traffic. If you followed the iptables section of the redsocks readme, UDP (including DNS) simply bypasses shadowsocks.
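As an added example (not code from the thread or from the redsocks project), here is a script that generates the complete nat rule set behind the REDSOCKS approach above, covering both cases in the question: all TCP from one host, and one destination port from any LAN host. The redsocks listen port 12345, the LAN range 192.168.1.0/24, the client address 192.168.1.100 and the RETURN exclusions are assumptions of this example, not values from the thread.

```shell
#!/bin/sh
# Added example: emits the iptables commands for the redsocks setup instead of
# running them, so they can be reviewed before being piped into sh on the UDM.
# Assumptions (not from the thread): redsocks listens on 127.0.0.1:12345,
# the LAN is 192.168.1.0/24, the client host is 192.168.1.100, app port 5036.
REDSOCKS_PORT="${REDSOCKS_PORT:-12345}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"

# Accept only a dotted-quad, optionally with /prefix, so a typo cannot become
# a rule that proxies the wrong hosts.
valid_ipv4() {
    case "$1" in
        *[!0-9./]*|''|*..*|.*|*.|*/*/*) return 1 ;;
    esac
    set -- $(printf '%s' "${1%%/*}" | tr '.' ' ')
    [ "$#" -eq 4 ] || return 1
    for octet; do [ "$octet" -le 255 ] || return 1; done
}

# The REDSOCKS chain: RETURN for destinations that must never be proxied
# (otherwise redsocks' own connection to shadowsocks loops through the chain),
# then REDIRECT the rest. Only TCP is redirected; UDP, DNS included, falls
# through untouched, which is exactly the leak the last comment points out.
redsocks_chain_rules() {
    cat <<EOF
iptables -t nat -N REDSOCKS
iptables -t nat -A REDSOCKS -d 127.0.0.0/8 -j RETURN
iptables -t nat -A REDSOCKS -d 169.254.0.0/16 -j RETURN
iptables -t nat -A REDSOCKS -d $LAN_NET -j RETURN
iptables -t nat -A REDSOCKS -p tcp -j REDIRECT --to-ports $REDSOCKS_PORT
EOF
}

# Case 1 from the question: all TCP from one host.
host_rule() {
    valid_ipv4 "$1" || { echo "host_rule: bad address '$1'" >&2; return 1; }
    echo "iptables -t nat -A PREROUTING -s $1 -p tcp -j REDSOCKS"
}

# Case 2: one destination port from any LAN host. PREROUTING on a router also
# sees WAN-side packets, hence the -s LAN_NET restriction.
port_rule() {
    case "$1" in *[!0-9]*|'') echo "port_rule: bad port '$1'" >&2; return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ] || { echo "port_rule: bad port '$1'" >&2; return 1; }
    echo "iptables -t nat -A PREROUTING -s $LAN_NET -p tcp --dport $1 -j REDSOCKS"
}

all_rules() { redsocks_chain_rules && host_rule "$1" && port_rule "$2"; }

# Print the rules; review them, then apply with:  ./redsocks-rules.sh | sh
all_rules "${CLIENT_HOST:-192.168.1.100}" "${APP_PORT:-5036}"
```

A quick way to confirm the UDP caveat after applying the rules is to compare a TCP and a UDP DNS lookup from the client (for example `dig +tcp` versus plain `dig`) and check which one reaches the upstream directly.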