2

I'm trying to implement something similar to the service provided by https://www.smartdnsproxy.com, where clients only need to change their DNS settings to connect to a HTTP/S or SOCKS5 proxy. I think I understand the individual components, but I'm having trouble putting it all together.

To achieve what I want, I need to provide the following services to clients:

  • DNS server, I'm using dnsmasq
  • SOCKS proxy, I'm using Dante

Then, once a client has set the DNS to my server and a request is sent, the goal is for the following to happen:

  1. User performs DNS request asking where is example.com
  2. My DNS server responds "It is <proxy-ip-address>"
  3. User then sends an HTTP/S request to the proxy's IP address, e.g. 
    GET /about.html HTTP/1.1
Host: example.com
  4. Proxy server handles the incoming request (likely in port 80 or 443) and returns result to the client

I was able to setup both services, and they appear to work well independently. I have configured dnsmasq to resolve all domains with the proxy's IP address, and I can setup a client just fine. I have configured dante to listen to port 1080, and I can verify that a client can use the proxy, tested with the handy socksify tool.

Then, to forward the incoming requests from the HTTP/S ports to the proxy itself, I'm using the following IPTABLES rules:

#!/bin/bash
# Create new chain
iptables -t nat -N SOCKSPROXY

# Ignore LANs and some other reserved addresses.
iptables -t nat -A SOCKSPROXY -d 0.0.0.0/8 -j RETURN
iptables -t nat -A SOCKSPROXY -d 10.0.0.0/8 -j RETURN
iptables -t nat -A SOCKSPROXY -d 127.0.0.0/8 -j RETURN
iptables -t nat -A SOCKSPROXY -d 169.254.0.0/16 -j RETURN
iptables -t nat -A SOCKSPROXY -d 172.16.0.0/12 -j RETURN
iptables -t nat -A SOCKSPROXY -d 192.168.0.0/16 -j RETURN
iptables -t nat -A SOCKSPROXY -d 224.0.0.0/4 -j RETURN
iptables -t nat -A SOCKSPROXY -d 240.0.0.0/4 -j RETURN

# Anything else should be redirected to port 1080
iptables -t nat -A SOCKSPROXY -p tcp -j REDIRECT --to-ports 1080

# Any tcp connection made by our user should be redirected
iptables -t nat -A OUTPUT -p tcp -m owner --uid-owner $USER -j SOCKSPROXY

# Accept all HTTP and HTTPS connections
iptables -A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
iptables -A OUTPUT -p tcp -m multiport --dports 80,443 -j ACCEPT

But I'm seeing connection refused errors. Is iptables the right approach to forward the incoming connections to the proxy server? If so, what am I missing?

Oscar Wahltinez
  • 85
  • 6

1 Answers1

3

Its a bit more complex than its look like. SOCKS is a separate protocol (binary) and its different than HTTP. When browser sends HTTP request to Dante - Dante expect protocol to be socks - not HTTP - so it drops connection.

In order for browser to use SOCKS (if it supported) it should be implicitly configured to use socks proxy. If you want to do it via just DNS configuration you have to setup transparent HTTP(s) proxy. Additional configuration will be required to support ports other than 80 (in fact all tcp ports).

Also you have to support other protocols (not just HTTP) so your server should act as gateway and do traffic forwarding.

It's going to be tricky to configure HTTPS - cause your SSL certificate will be different from original server certificate and it should be trusted by browser.

Take a look at Squid proxy for example - it supports transparent HTTP(s) proxy.

k010mb0
  • 251
  • 1
  • 1
  • Thank you @k010mb0. It sounds like I'm not approaching this the right way then. I either use an HTTP/S instead of a SOCKS proxy, or I'll have to rethink my architecture. – Oscar Wahltinez Apr 30 '19 at 22:28