TranSocks - Transparent SOCKSifying Proxy


Introduction

What: TranSocks is a transparent proxy that relays traffic through a SOCKS proxy.

Why: If you want to transparently route network traffic through a SOCKS server, then TranSocks is for you. You might need to do this for one or more of the following reasons:

  • Your satellite service provider has performance-enhancing proxies that use SOCKS
  • Your network provider only allows SOCKS access to the Internet
  • You want to use an anonymization service such as EFF's Tor Onion Router

How: TranSocks is a user-space daemon for Linux that does this in conjunction with Linux iptables. You can use TranSocks to handle only traffic from the Linux machine running TranSocks, or you can run it on a Linux router that other machines on your network route through. Many TCP applications will work without modifications. TranSocks currently uses SOCKS version 4 and therefore does not support UDP.

FAQ

How is TranSocks different from tsocks or socksify?
TranSocks is a network-layer proxy that can run on a Linux router, and it does not need to control how applications are run. In contrast, tools like tsocks and Dante's socksify are Unix programs that run applications in an environment that intercepts calls to network libraries.

Installation

We don't currently distribute binaries, so you will have to compile TranSocks yourself. The source code can be downloaded from anonymous CVS.

To compile TranSocks, you will first need a SOCKS client library such as:

Usage

Run TranSocks:
/usr/local/sbin/transocks (or wherever you installed it)
TranSocks takes two options:
-f
Normally TranSocks runs as a daemon and logs all messages to syslog. For debugging, you might want it to run in the foreground. -f tells TranSocks to run in the foreground and write messages to stderr.
-p port
By default, TranSocks listens on 1211. Use this option to make it listen on some other port. Make sure to change the firewall script as well.

TranSocks doesn't need to run as root unless you want it to listen on a privileged port.

You should be running Linux with iptables. You will need to set up firewall rules to enable the transparent proxy. The following script creates a SOCKSIFY chain for all TCP traffic destined for hosts outside the local network:

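#!/bin/sh

LOCAL_NET=192.168.0.0/16

# Start from an empty SOCKSIFY chain. -X only deletes an empty chain,
# so flush it first in case the script has been run before.
iptables -t nat -F SOCKSIFY
iptables -t nat -X SOCKSIFY
iptables -t nat -N SOCKSIFY

# Exceptions: loopback and local-network destinations are not proxied
iptables -t nat -A SOCKSIFY -o lo -j RETURN
iptables -t nat -A SOCKSIFY --dst 127.0.0.1 -j RETURN
iptables -t nat -A SOCKSIFY --dst $LOCAL_NET -j RETURN

# Avoid feedback loops: transocks' own connection to the SOCKS server
# must not be redirected back to transocks.
# Note: later kernels dropped --cmd-owner; there, run transocks under its
# own account and match that account with --uid-owner instead.
iptables -t nat -A SOCKSIFY -m owner --cmd-owner transocks -j RETURN

# Log
iptables -t nat -A SOCKSIFY -j LOG -p tcp --syn --log-level info \
    --log-prefix "SOCKSify "

# Send to transocks (must match the port given with -p, default 1211)
iptables -t nat -A SOCKSIFY -p tcp -j REDIRECT --to-port 1211

# Socksify traffic leaving this host:
iptables -t nat -A OUTPUT -p tcp --syn -j SOCKSIFY

# Socksify traffic routing through this host:
iptables -t nat -A PREROUTING -p tcp -s $LOCAL_NET --syn -j SOCKSIFY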
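
What a transparent proxy has to do once the REDIRECT rule above hands it a connection, as an added example that is not TranSocks's own code (TranSocks builds against a SOCKS client library): encode the SOCKS4 CONNECT request for the connection's original destination and check the server's reply. The function names, the demo helper and the 203.0.113.10 sample address are constructed for illustration.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <string.h>

enum { SOCKS4_VN = 4, SOCKS4_CONNECT = 1, SOCKS4_GRANTED = 90 };

/* Encode a SOCKS4 CONNECT request: VN | CD | DSTPORT(2) | DSTIP(4) | USERID | NUL.
 * dst is the connection's original destination, which a Linux transparent
 * proxy reads from the accepted socket with getsockopt(SO_ORIGINAL_DST).
 * Returns the request length, or 0 if it cannot be encoded. */
size_t socks4_build_connect(const struct sockaddr_in *dst, const char *userid,
                            uint8_t *out, size_t cap)
{
    size_t ulen = userid ? strlen(userid) : 0;
    if (!dst || dst->sin_family != AF_INET)   /* SOCKS4 carries IPv4 only */
        return 0;
    if (cap < 9 || ulen > cap - 9)            /* 8-byte header + NUL */
        return 0;
    out[0] = SOCKS4_VN;
    out[1] = SOCKS4_CONNECT;                  /* no UDP command exists in v4 */
    memcpy(out + 2, &dst->sin_port, 2);       /* already in network order */
    memcpy(out + 4, &dst->sin_addr.s_addr, 4);
    memcpy(out + 8, userid ? userid : "", ulen);
    out[8 + ulen] = 0;
    return 9 + ulen;
}

/* Parse the 8-byte reply: 0 = granted, 91..93 = refused, -1 = malformed. */
int socks4_parse_reply(const uint8_t *buf, size_t len)
{
    if (len < 8 || buf[0] != 0)               /* reply VN must be 0 */
        return -1;
    if (buf[1] == SOCKS4_GRANTED)
        return 0;
    return (buf[1] >= 91 && buf[1] <= 93) ? buf[1] : -1;
}

/* Constructed sample: build a request for ip:port into a static buffer. */
uint8_t demo_req[64];
size_t demo_build(const char *ip, uint16_t port, const char *userid)
{
    struct sockaddr_in dst = { .sin_family = AF_INET, .sin_port = htons(port) };
    if (inet_pton(AF_INET, ip, &dst.sin_addr) != 1)
        return 0;
    return socks4_build_connect(&dst, userid, demo_req, sizeof demo_req);
}
```

The request has room only for an IPv4 address and a TCP port, which is why a SOCKS4 relay cannot carry UDP.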

Caveats

There's no support for UDP at present.

TranSocks forks a new process to service each connection. This is the simplest way to do it, but it does not scale well because it is limited by the maximum number of processes.

FTP will only work in passive mode. Other application protocols that similarly use reverse connections will also not work.

TranSocks is best used for those apps that do not support SOCKS natively. Direct usage of SOCKS is likely to have better performance, and certainly has broader protocol support.

Future Work

(Volunteers Welcome)

  • UDP / SOCKS 5 support
  • Authentication and authorization

Contact

Please send bug reports/patches/comments to:

mefisk@gmail.com

The latest version of TranSocks is available at:

http://TranSocks.sourceforge.net/