
nsproxy
====================

nsproxy (namespace proxy) is a Linux-specific command-line tool that forces
applications to use a specific SOCKS5 or HTTP proxy.

It is functionally similar to tsocks / proxychains-ng / graftcp, but uses a
totally different mechanism: it creates a TUN device and launches the
application in a fresh network namespace, then connects the TUN device to a
user-mode TCP/IP stack and redirects the connections through a proxy server
outside the namespace. Thanks to the namespace mechanism it requires no
privileges and does not affect other processes.

It has the following features:

 - Supports the SOCKS5 and HTTP proxy protocols.
 - Supports TCP and UDP.
 - Built-in DNS redirection.
 - Works with statically linked applications.
 - No privileges required.


USAGE
----------

nsproxy [-H] [-s <server>] [-p <port>] [-d <dns>] [-v|-q] <command>

Examples:
  # Use socks5 proxy
  nsproxy dig example.com A

  # Use http proxy
  nsproxy -H curl example.com


Options:
  -H
    Use http proxy, not socks5.
    Note: UDP is **NOT** supported with an HTTP proxy. UDP packets are dropped
          and the application receives an ICMP port unreachable message.

  -s <server>
    Proxy server address.
    Default value is "127.0.0.1".

  -p <port>
    Proxy server port.
    Default value is "1080" for SOCKS and "8080" for HTTP.

  -d <dns>
    DNS redirection. The following values are accepted:
      -d off
        Do nothing with DNS; treat it as ordinary UDP traffic.
      -d tcp://<nameserver_ipaddress>
        Redirect DNS requests to the specified nameserver over TCP.
      -d udp://<nameserver_ipaddress>
        Redirect DNS requests to the specified nameserver over UDP.
    Default value is "tcp://1.1.1.1".

  -v
    Verbose mode. Use "-vv" or "-vvv" for more output.

  -q
    Be quiet.


LIMITATIONS
----------

All uids and gids other than the current user's are mapped to the overflow
ids from "/proc/sys/kernel/overflow{uid,gid}". That means files owned by anyone
other than the current user are shown as owned by 'nobody', and programs like
sudo / su will not work.
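The namespace step of the mechanism described above, as an added example that is not nsproxy's own code: it enters an unprivileged user + network namespace with the one-entry uid/gid map that produces the 'nobody' effect, and it names the usual causes of an "Operation not permitted" failure. The function names (build_idmap, enter_unpriv_netns, explain_unshare_errno) are this example's own; the TUN device and the user-mode TCP/IP stack are left out.

```c
#define _GNU_SOURCE                 /* unshare() and CLONE_* in <sched.h> */
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* One-line map "<id> <id> 1": only the caller's id is mapped; any other id is
 * reported as the kernel overflow id, which ls shows as "nobody". */
int build_idmap(char *buf, size_t len, unsigned id) {
    int n = snprintf(buf, len, "%u %u 1\n", id, id);
    return (n > 0 && (size_t)n < len) ? n : -1;
}

/* Why unshare() failed, e.g. "Operation not permitted" on kernels where
 * unprivileged user namespaces are switched off. Returns a static string. */
const char *explain_unshare_errno(int err) {
    switch (err) {
    case EPERM:  return "unprivileged user namespaces disabled (sysctl/seccomp) or caller is chrooted";
    case EINVAL: return "kernel built without CONFIG_USER_NS or CONFIG_NET_NS";
    default:     return strerror(err);
    }
}

static int write_proc(const char *path, const char *data) {   /* 0 or -errno */
    int fd = open(path, O_WRONLY);
    if (fd < 0) return -errno;
    int rc = write(fd, data, strlen(data)) < 0 ? -errno : 0;
    close(fd);
    return rc;
}

/* Unprivileged user + network namespace with the one-line id maps; 0 or -errno.
 * Afterwards only a down loopback exists; nsproxy would add its TUN device here. */
int enter_unpriv_netns(void) {
    char map[64]; int rc;
    if (unshare(CLONE_NEWUSER | CLONE_NEWNET) != 0) return -errno;
    if ((rc = write_proc("/proc/self/setgroups", "deny")) != 0) return rc; /* before gid_map */
    build_idmap(map, sizeof map, getuid());
    if ((rc = write_proc("/proc/self/uid_map", map)) != 0) return rc;
    build_idmap(map, sizeof map, getgid());
    return write_proc("/proc/self/gid_map", map);
}

int main(int argc, char **argv) {   /* e.g. ./a.out ls -l /   or   ./a.out ip addr */
    if (argc < 2) { fprintf(stderr, "usage: %s <command> [args]\n", argv[0]); return 2; }
    int rc = enter_unpriv_netns();
    if (rc) { fprintf(stderr, "create net_namespace failed: %s\n", explain_unshare_errno(-rc)); return 1; }
    execvp(argv[1], argv + 1); perror("execvp"); return 1;
}
```

Run with `ls -l /` to see root-owned files reported as nobody, or with `ip addr` to see that only a down loopback exists inside the namespace.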

nsproxy creates a new network namespace for the proxied application, so
networking inside and outside the namespace is isolated. There is no route to
the inside of the namespace, and it is not possible to establish a connection
from the outside to the inside. Abstract UNIX domain sockets are isolated
too.

Connections to loopback addresses are not proxied, and those addresses do not
refer to the host; they refer to the inside of the namespace.


TODO
----------

 - HTTP / SOCKS authentication
 - IPv6
 - Full-cone NAT


CREDITS
----------

lwip - A Lightweight TCP/IP stack
https://savannah.nongnu.org/projects/lwip/

slirp4netns - User-mode networking for unprivileged network namespaces
https://github.com/rootless-containers/slirp4netns


LICENSE
----------

Copyright (C) 2023 NaLan ZeYu <[email protected]>

This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License along
with this program; if not, write to the Free Software Foundation, Inc.,
51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.


nsproxy's Issues

create net_namespace failed: Operation not permitted

Hello nlzy

I use nsproxy on Debian 10, and when I exec ./nsproxy -x xxx -x xxx ..., it shows:

nsproxy: create net_namespace failed: Operation not permitted
nsproxy: nsproxy can't run on this system.
The OS is Debian 10.

uname -r
4.19.0-25-amd64

Is there a dependency missing? Please help me, thanks

UDP does not appear to work?

Hello again :)

I am now trying UDP. I've set up ncat listening locally on UDP port 8012 and I'm using a socks5 proxy that supports UDP. Proxychains works, but with nsproxy I see "Forwarding udp:192.168.56.1:8012" but nothing in ncat. I tried both master and dev branches. Any ideas?

➜  build git:(master) ✗ proxychains4 ncat -u 192.168.56.1 8012
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.16
send test
receive test

➜  build git:(master) ✗ ./nsproxy -s 127.0.0.1 -p 47135 -vvv ncat -u 192.168.56.1 8012
[nsproxy] Proxy Server:       127.0.0.1:47135, SOCKS
[nsproxy] DNS Redirection:    Enabled, 1.1.1.1, TCP
[nsproxy] Verbose:            Yes
send test
[nsproxy] Forwarding udp:192.168.56.1:8012
[nsproxy] --- socks 20 bytes. udp:192.168.56.1:8012
[nsproxy] Closed 192.168.56.1:8012

proxychains4.conf:

strict_chain

[ProxyList]
socks5 127.0.0.1 47135

Do not accept a connection locally before the connection with the remote is established; is it possible?

Currently, when a proxied application makes a connection, it immediately succeeds as if the port were always open. This works very differently from proxychains, which waits to establish the connection with the remote. It is a subtle difference, but it breaks software that needs to check whether a port is truly open.

I am not familiar with LWIP and the usage of namespaces; I couldn't identify the area where the connection is "accepted" locally.

Do you think it is even possible with the current architecture? And if yes, perhaps you could point me to the relevant pieces of the code, so I could try my hand at tweaking it?
