nsproxy
====================
nsproxy (namespace proxy) is a Linux-specific command-line tool, makes
applications force to use a specific SOCKS5 or HTTP proxy.
Functionally similar to tsocks / proxychains-ng / graftcp, but using a
totally different mechanism. It create a TUN device and launch applications in
a fresh network_namespace, then connect the TUN device to a usermode TCP/IP
stack and redirect connections through proxy server outside the namespace.
Benefit from namespace mechanism, it doesn't require any privilege, and will
not affect other processes.
It has the following features:
- Works on static linked applications.
- Support UDP protocol.
- Support DNS requests redirect.
- No privilege required.
USAGE
----------
nsproxy [-H] [-s <server>] [-p <port>] [-d <dns>] [-v|-q] <command>
Examples:
# Use socks5 proxy
nsproxy dig example.com A
# Use http proxy
nsproxy -H curl example.com
Options:
-H
Use http proxy, not socks5.
Note: UDP is **NOT** supported in http proxy. UDP packets will drop and got
an ICMP port unreachable message.
-s <server>
Proxy server address.
Default vaule is "127.0.0.1"
-p <port>
Proxy server port.
Default value is "1080" for socks, "8080" for http
-d <dns>
DNS redirect, allow following options:
-d off
Disable DNS redirect, treat DNS requests as normal UDP packets.
-d direct
Send DNS requests directly via local network (not proxied).
-d tcp://<nameserver_ipaddress>
Redirect DNS requests to specified TCP nameserver.
-d udp://<nameserver_ipaddress>
Redirect DNS requests to specified UDP nameserver.
Default value is "tcp://1.1.1.1"
-v
Verbose mode. Use "-vv" or "-vvv" for more verbose.
-q
Be quite.
KNOWN ISSUE
----------
All {uid,gid} except the current user will be mapped to
"/proc/sys/kernel/overflow{uid,gid}". That's means file owners except the
current user will be shown as 'nobody', and program like sudo / su will not
work.
nsproxy will create a new network_namespace for proxied application, so the
networking between inside and outside of the namespace is isolated. There's no
route to the inside of the namespace. It's unable to establish a connection to
the inside from the outside. In addtion, abstract UNIX domain socket is
isolated too.
Connection to loopback address will not proxied, and those address is not
referenced to the host, it's referenced to the inside of the namespace.
W.I.P
----------
- IPv6
- fullcone NAT
- fake DNS
CREDITS
----------
lwip - A Lightweight TCP/IP stack
https://savannah.nongnu.org/projects/lwip/
slirp4netns - User-mode networking for unprivileged network namespaces
https://github.com/rootless-containers/slirp4netns
LICENSE
----------
Copyright (C) 2023 NaLan ZeYu <nalanzeyu@gmail.com>
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License along
with this program; if not, write to the Free Software Foundation, Inc.,
51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.