nsproxy ==================== nsproxy (namespace proxy) is a Linux-specific command-line tool, makes applications force to use a specific SOCKS5 or HTTP proxy. Functionally similar to tsocks / proxychains-ng / graftcp, but using a totally different mechanism. It create a TUN device and launch applications in a fresh network_namespace, then connect the TUN device to a usermode TCP/IP stack and redirect connections through proxy server outside the namespace. Benefit from namespace mechanism, it doesn't require any privilege, and will not affect other processes. It has the following features: - Works on static linked applications. - Support UDP protocol. - Support DNS requests redirect. - No privilege required. USAGE ---------- nsproxy [-H] [-s <server>] [-p <port>] [-d <dns>] [-v|-q] <command> Examples: # Use socks5 proxy nsproxy dig example.com A # Use http proxy nsproxy -H curl example.com Options: -H Use http proxy, not socks5. Note: UDP is **NOT** supported in http proxy. UDP packets will drop and got an ICMP port unreachable message. -s <server> Proxy server address. Default vaule is "127.0.0.1" -p <port> Proxy server port. Default value is "1080" for socks, "8080" for http -d <dns> DNS redirect, allow following options: -d off Disable DNS redirect, treat DNS requests as normal UDP packets. -d direct Send DNS requests directly via local network (not proxied). -d tcp://<nameserver_ipaddress> Redirect DNS requests to specified TCP nameserver. -d udp://<nameserver_ipaddress> Redirect DNS requests to specified UDP nameserver. Default value is "tcp://1.1.1.1" -v Verbose mode. Use "-vv" or "-vvv" for more verbose. -q Be quite. KNOWN ISSUE ---------- All {uid,gid} except the current user will be mapped to "/proc/sys/kernel/overflow{uid,gid}". That's means file owners except the current user will be shown as 'nobody', and program like sudo / su will not work. nsproxy will create a new network_namespace for proxied application, so the networking between inside and outside of the namespace is isolated. There's no route to the inside of the namespace. It's unable to establish a connection to the inside from the outside. In addtion, abstract UNIX domain socket is isolated too. Connection to loopback address will not proxied, and those address is not referenced to the host, it's referenced to the inside of the namespace. W.I.P ---------- - IPv6 - fullcone NAT - fake DNS CREDITS ---------- lwip - A Lightweight TCP/IP stack https://savannah.nongnu.org/projects/lwip/ slirp4netns - User-mode networking for unprivileged network namespaces https://github.com/rootless-containers/slirp4netns LICENSE ---------- Copyright (C) 2023 NaLan ZeYu <nalanzeyu@gmail.com> This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.