
I have SSH access to a jump box at work. This jump box gives access to the complete network infrastructure at work, which is great for working from home.

I am able to run a SOCKS5 proxy on the jump box (via ssh -D) and successfully managed to configure my browser to use that SOCKS5 proxy for work hosts (via https://getfoxyproxy.org). Foxyproxy seems to forward DNS requests to that SOCKS5 proxy, so all is working fine.

While this all works fine, I am wondering if it is possible to let my system use the SOCKS5 proxy for work-related traffic in a more transparent manner. It's quite exhausting to figure out for each application I use whether it supports SOCKS5 and, if so, how.

More concretely, is there a way to configure my system in such a way that it will automatically route traffic via the SOCKS5 proxy for predefined hosts?

I know there are tools such as proxychains (see https://github.com/haad/proxychains), but this is not what I am after. This routes all traffic of an application to the proxy, while I want to route all traffic to a host to the proxy, if that makes sense.

Is this possible?

For your information, I asked a related question regarding DNS requests here: Forward DNS request to my work's jump server. Combining this question with the DNS question, I hopefully end up with a fully transparent way of interacting with work.

Pritzl
    Does this answer your question? [How can I tunnel all of my network traffic through SSH?](https://superuser.com/questions/62303/how-can-i-tunnel-all-of-my-network-traffic-through-ssh) – Saaru Lindestøkke Nov 01 '22 at 16:44

4 Answers


It is technically possible, though note that SOCKS only supports TCP tunnels (and in rare cases UDP). Anything else would have to be dropped.

If you use Linux, you can use iptables to redirect specific packets to a locally running transparent proxy, of which there are several SOCKS-capable ones – Google gives transocks, redsocks, pr0cks.

(The Tor-based "Tails" OS does the same trick, but the transparent proxying functionality is now built in to the Tor daemon itself – there is no separate SOCKS layer involved.)

For operating systems which do not have such "transparent proxy" support, it would still be possible but the software could get quite complex – it could create a virtual TUN interface that the packets could be routed to, but it would need to handle the entire client-side TCP protocol on its own, without any help from the OS. (SOCKS doesn't actually relay raw TCP packets, it only relays the data carried inside.)

u1686_grawity
  • Thank you. I will get start experimenting. – Pritzl Jul 07 '19 at 16:51
  • FYI, I tried to get going with redsocks, but am hitting a wall currently. I listed my case here: https://superuser.com/questions/1457781/why-is-redsocks-not-being-used-for-traffic-in-this-dockerized-environment – Pritzl Jul 09 '19 at 11:55
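What a transparent proxy of the kind described in this answer does internally, as an added example (this is not code from the answer, nor from transocks, redsocks or pr0cks): accept the TCP connection that an iptables REDIRECT rule sent to it, recover the real destination with the SO_ORIGINAL_DST socket option, perform a SOCKS5 CONNECT (RFC 1928) towards the local `ssh -D` listener, and only then relay bytes in both directions. The listen port 12345, the SOCKS5 address 127.0.0.1:1080 and the `ssh -D 1080` command are assumptions; SO_ORIGINAL_DST is Linux-only. The iptables side would be a nat OUTPUT rule such as `-p tcp -d <work host> -m owner ! --uid-owner <relay user> -j REDIRECT --to-ports 12345`, with both this relay and the ssh client that carries the tunnel running as the exempt user, otherwise the tunnel's own connection to the jump box is redirected back into the relay.

```python
"""Transparent TCP -> SOCKS5 relay (the core of redsocks/transocks). Added example.

Assumptions (not from the original page): iptables REDIRECTs TCP for the chosen
hosts to 127.0.0.1:LISTEN_PORT, and `ssh -D 1080 jumpbox` serves SOCKS5 on
SOCKS_ADDR. Run it as a user the REDIRECT rule exempts (-m owner), or its own
connection to the SOCKS port would be looped back into it.
"""
import asyncio
import socket
import struct

SO_ORIGINAL_DST = 80                 # <linux/netfilter_ipv4.h>, getsockopt level SOL_IP
LISTEN_PORT = 12345                  # assumed: the --to-ports of the REDIRECT rule
SOCKS_ADDR = ("127.0.0.1", 1080)     # assumed: where `ssh -D 1080` listens

REP_MESSAGES = {
    1: "general SOCKS server failure", 2: "connection not allowed by ruleset",
    3: "network unreachable", 4: "host unreachable", 5: "connection refused",
    6: "TTL expired", 7: "command not supported", 8: "address type not supported",
}


def parse_original_dst(raw: bytes) -> tuple:
    """Decode the sockaddr_in returned by SO_ORIGINAL_DST: sin_family in host
    byte order, sin_port and sin_addr in network byte order, then padding."""
    if len(raw) < 8:
        raise ValueError("short sockaddr_in")
    (family,) = struct.unpack_from("=H", raw, 0)
    if family != socket.AF_INET:
        raise ValueError("SO_ORIGINAL_DST is not an AF_INET sockaddr")
    (port,) = struct.unpack_from("!H", raw, 2)
    return socket.inet_ntoa(raw[4:8]), port


def socks5_connect_request(host: str, port: int) -> bytes:
    """RFC 1928 request: VER=5 CMD=1(CONNECT) RSV=0 ATYP DST.ADDR DST.PORT.
    Dotted-quad hosts use ATYP=1; anything else goes as a domain name (ATYP=3)
    so the proxy side resolves it, which keeps DNS for those hosts off the client."""
    try:
        atyp, addr = b"\x01", socket.inet_aton(host)
    except OSError:
        name = host.encode("idna")
        if len(name) > 255:
            raise ValueError("hostname too long for SOCKS5")
        atyp, addr = b"\x03", bytes([len(name)]) + name
    return b"\x05\x01\x00" + atyp + addr + struct.pack("!H", port)


def socks5_check_reply_header(head: bytes) -> int:
    """Validate VER/REP of a CONNECT reply and return ATYP, which tells the caller
    how many BND.ADDR bytes follow (4 for IPv4, 16 for IPv6, 1+len for a domain)."""
    if len(head) != 4 or head[0] != 0x05:
        raise ConnectionError("not a SOCKS5 reply")
    if head[1] != 0x00:
        raise ConnectionError("SOCKS5 CONNECT failed: " + REP_MESSAGES.get(head[1], hex(head[1])))
    return head[3]


async def read_socks5_reply(reader: asyncio.StreamReader) -> None:
    atyp = socks5_check_reply_header(await reader.readexactly(4))
    if atyp == 0x01:
        n = 4
    elif atyp == 0x04:
        n = 16
    elif atyp == 0x03:
        n = (await reader.readexactly(1))[0]
    else:
        raise ConnectionError("unknown ATYP in SOCKS5 reply")
    await reader.readexactly(n + 2)   # BND.ADDR + BND.PORT; irrelevant for CONNECT


async def pipe(reader: asyncio.StreamReader, writer: asyncio.StreamWriter) -> None:
    try:
        while True:
            data = await reader.read(65536)
            if not data:
                break
            writer.write(data)
            await writer.drain()
    finally:
        writer.close()


async def handle(client_r: asyncio.StreamReader, client_w: asyncio.StreamWriter) -> None:
    sock = client_w.get_extra_info("socket")
    host, port = "?", 0
    try:
        # REDIRECT rewrote the destination to us; netfilter still knows the original.
        host, port = parse_original_dst(sock.getsockopt(socket.SOL_IP, SO_ORIGINAL_DST, 16))
        up_r, up_w = await asyncio.open_connection(*SOCKS_ADDR)
        up_w.write(b"\x05\x01\x00")             # greeting: one method offered, no auth
        await up_w.drain()
        if await up_r.readexactly(2) != b"\x05\x00":
            raise ConnectionError("SOCKS5 proxy did not accept no-auth")
        up_w.write(socks5_connect_request(host, port))
        await up_w.drain()
        await read_socks5_reply(up_r)
    except (OSError, ValueError, asyncio.IncompleteReadError) as exc:
        print(f"{host}:{port}: {exc}")
        client_w.close()
        return
    # Only now is the SOCKS stream a plain byte pipe to host:port.
    await asyncio.gather(pipe(client_r, up_w), pipe(up_r, client_w))


async def main() -> None:
    server = await asyncio.start_server(handle, "127.0.0.1", LISTEN_PORT)
    async with server:
        await server.serve_forever()


if __name__ == "__main__":
    asyncio.run(main())
```

Two caveats follow from the answer's point that SOCKS relays payload, not packets: only TCP ever reaches this relay, so UDP and ICMP towards the redirected hosts are silently lost unless a separate rule drops or routes them, and a non-zero REP code from the proxy (for example 2, "not allowed by ruleset", when the jump box's sshd restricts forwarding) is the only diagnostic the client will ever see, which is why the relay logs it rather than just closing.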

Perhaps take a look at socksify. It might work particularly well if your office proxy uses Dante, but should be fine for other set-ups as well.

Michael

I am using transocks. My iptables configuration looks like this:

#!/usr/bin/bash

# Transocks: https://github.com/cybozu-go/transocks

set -e
# Do not echo "^C" when the trap fires; ignore the error when there is no tty
stty -echoctl 2>/dev/null || true

# Point to the transparent socket port (transocks runs as an exclusive user,
# so its own upstream connections can be exempted from the redirect below).
# The ssh -D client that provides the SOCKS5 proxy needs the same exemption
# (run it as $TRANSOCKS_USER, or add a RETURN for the jump host's address to
# the TRANSOCKS chain), otherwise its connection to the jump box is redirected
# into transocks and the tunnel never comes up.
TRANSOCKS_PORT=12345
TRANSOCKS_USER=transocks

# Redirect all the network of your computer (except transocks user)
REDIRECT_LOCAL_NETWORK=1

# Redirect access point (wifi hotspot)
AP_SUBNET_ENABLED=1
AP_SUBNET_IFACE=ap0
AP_SUBNET_RANGE="192.168.12.0/24"

function action_up()
{
    echo "-----------------------------"
    echo "# Adding iptables chain rules"
    echo "-----------------------------"
    iptables -v -t nat -N TRANSOCKS
    # Leave loopback, link-local, RFC 1918, CGNAT, multicast and reserved ranges alone
    iptables -v -t nat -A TRANSOCKS -d 0.0.0.0/8 -j RETURN
    iptables -v -t nat -A TRANSOCKS -d 10.0.0.0/8 -j RETURN
    iptables -v -t nat -A TRANSOCKS -d 100.64.0.0/10 -j RETURN
    iptables -v -t nat -A TRANSOCKS -d 127.0.0.0/8 -j RETURN
    iptables -v -t nat -A TRANSOCKS -d 169.254.0.0/16 -j RETURN
    iptables -v -t nat -A TRANSOCKS -d 172.16.0.0/12 -j RETURN
    iptables -v -t nat -A TRANSOCKS -d 192.168.0.0/16 -j RETURN
    iptables -v -t nat -A TRANSOCKS -d 198.18.0.0/15 -j RETURN
    iptables -v -t nat -A TRANSOCKS -d 224.0.0.0/4 -j RETURN
    iptables -v -t nat -A TRANSOCKS -d 240.0.0.0/4 -j RETURN
    # Everything else that is TCP goes to transocks (SOCKS cannot carry UDP/ICMP here)
    iptables -v -t nat -A TRANSOCKS -p tcp -j REDIRECT --to-ports $TRANSOCKS_PORT

    if [ "$REDIRECT_LOCAL_NETWORK" = 1 ]; then
        echo "--------------------------------"
        echo "# Redirecting non-transocks user"
        echo "--------------------------------"
        iptables -v -t nat -A OUTPUT -p tcp -m owner ! --uid-owner $TRANSOCKS_USER -j TRANSOCKS
    fi

    if [ "$AP_SUBNET_ENABLED" = 1 ]; then
        echo "-----------------------"
        echo "# Redirecting AP subnet"
        echo "-----------------------"
        # Forwarded traffic from hotspot clients is redirected in PREROUTING and
        # must be allowed in on the transocks port
        iptables -v -t nat -I PREROUTING -i $AP_SUBNET_IFACE -s $AP_SUBNET_RANGE -j TRANSOCKS
        iptables -v -I INPUT -i $AP_SUBNET_IFACE -s $AP_SUBNET_RANGE -p tcp -m tcp --dport $TRANSOCKS_PORT -j ACCEPT
    fi
}

function action_down()
{
    if [ "$REDIRECT_LOCAL_NETWORK" = 1 ]; then
        echo "------------------------------"
        echo "# Cleaning non-transocks rules"
        echo "------------------------------"
        iptables -v -t nat -D OUTPUT -p tcp -m owner ! --uid-owner $TRANSOCKS_USER -j TRANSOCKS
    fi

    if [ "$AP_SUBNET_ENABLED" = 1 ]; then
        echo "--------------------------"
        echo "# Cleaning AP subnet rules"
        echo "--------------------------"
        iptables -v -t nat -D PREROUTING -i $AP_SUBNET_IFACE -s $AP_SUBNET_RANGE -j TRANSOCKS
        iptables -v -D INPUT -i $AP_SUBNET_IFACE -s $AP_SUBNET_RANGE -p tcp -m tcp --dport $TRANSOCKS_PORT -j ACCEPT
    fi

    echo "-----------------------------"
    echo "# Cleaning and removing chain"
    echo "-----------------------------"
    iptables -v -t nat -F TRANSOCKS
    iptables -v -t nat -X TRANSOCKS
}

# Remove the rules and exit on Ctrl+C or SIGTERM; without the exit the
# handler would return into the wait loop below and the script would keep running
trap 'action_down; exit 0' INT TERM

action_up

echo
echo "Hit Ctrl+C to remove the iptables rules"
echo

while :
do
    sleep 1
done
Michael
  • While this may theoretically answer the question that was asked, it would be good to describe exactly how it solves the problem as well. – Mokubai Mar 22 '21 at 06:26

You can also look at TS-Warp. It works on Linux, *BSD and macOS.

cachius