initial logic for UDP proxy support

Author: shadowy-pycoder

cmd/gohpts/cli.go

@@ -62,6 +62,7 @@ const usageTproxy string = `
   TProxy:
   -t        Address of transparent proxy server (it starts along with HTTP proxy server)
   -T        Address of transparent proxy server (no HTTP)
+  -Tu       Address of transparent UDP proxy server
   -M        Transparent proxy mode: (redirect, tproxy)
   -auto     Automatically setup iptables for transparent proxy (requires elevated privileges)
   -arpspoof Enable ARP spoof proxy for selected targets (Example: "targets 10.0.0.1,10.0.0.5-10,192.168.1.*,192.168.10.0/24;fullduplex false;debug true")
@@ -106,6 +107,7 @@ func root(args []string) error {
 	if runtime.GOOS == tproxyOS {
 		flags.StringVar(&conf.TProxy, "t", "", "Address of transparent proxy server (it starts along with HTTP proxy server)")
 		flags.StringVar(&conf.TProxyOnly, "T", "", "Address of transparent proxy server (no HTTP)")
+		flags.StringVar(&conf.TProxyUDP, "Tu", "", "Address of transparent UDP proxy server")
 		flags.Func("M", fmt.Sprintf("Transparent proxy mode: %s", gohpts.SupportedTProxyModes), func(flagValue string) error {
 			if !slices.Contains(gohpts.SupportedTProxyModes, flagValue) {
 				fmt.Fprintf(os.Stderr, "%s: %s is not supported (type '%s -h' for help)\n", app, flagValue, app)
@@ -176,19 +178,27 @@ func root(args []string) error {
 			return fmt.Errorf("transparent proxy mode is not provided: -M flag")
 		}
 	}
+	if seen["Tu"] {
+		if !seen["M"] {
+			return fmt.Errorf("transparent proxy mode is not provided: -M flag")
+		}
+		if conf.TProxyMode != "tproxy" {
+			return fmt.Errorf("transparent UDP proxy require tproxy mode")
+		}
+	}
 	if seen["M"] {
-		if !seen["t"] && !seen["T"] {
-			return fmt.Errorf("transparent proxy mode requires -t or -T flag")
+		if !seen["t"] && !seen["T"] && !seen["Tu"] {
+			return fmt.Errorf("transparent proxy mode requires -t, -T or -Tu flag")
 		}
 	}
 	if seen["auto"] {
-		if !seen["t"] && !seen["T"] {
-			return fmt.Errorf("-auto requires -t or -T flag")
+		if !seen["t"] && !seen["T"] && !seen["Tu"] {
+			return fmt.Errorf("-auto requires -t, -T or -Tu flag")
 		}
 	}
 	if seen["mark"] {
-		if !seen["t"] && !seen["T"] {
-			return fmt.Errorf("-mark requires -t or -T flag")
+		if !seen["t"] && !seen["T"] && !seen["Tu"] {
+			return fmt.Errorf("-mark requires -t, -T or -Tu flag")
 		}
 	}
 	if seen["f"] {

gohpts.go

@@ -13,10 +13,12 @@ import (
 	"fmt"
 	"io"
 	"log"
+	"maps"
 	"math/rand"
 	"net"
 	"net/http"
 	"os"
+	"os/exec"
 	"os/signal"
 	"runtime"
 	"slices"
@@ -65,6 +67,7 @@ type Config struct {
 	ServerConfPath string
 	TProxy         string
 	TProxyOnly     string
+	TProxyUDP      string
 	TProxyMode     string
 	Auto           bool
 	Mark           uint
@@ -135,6 +138,7 @@ type proxyapp struct {
 	httpServerAddr string
 	iface          *net.Interface
 	tproxyAddr     string
+	tproxyAddrUDP  string
 	tproxyMode     string
 	auto           bool
 	mark           uint
@@ -249,10 +253,11 @@ func New(conf *Config) *proxyapp {
 		p.logger.Fatal().Msg("Cannot specify TPRoxy and TProxyOnly at the same time")
 	} else if runtime.GOOS == "linux" && conf.TProxyMode != "" && !slices.Contains(SupportedTProxyModes, conf.TProxyMode) {
 		p.logger.Fatal().Msg("Incorrect TProxyMode provided")
-	} else if runtime.GOOS != "linux" && (conf.TProxy != "" || conf.TProxyOnly != "" || conf.TProxyMode != "") {
+	} else if runtime.GOOS != "linux" && (conf.TProxy != "" || conf.TProxyOnly != "" || conf.TProxyMode != "" || conf.TProxyUDP != "") {
 		conf.TProxy = ""
 		conf.TProxyOnly = ""
 		conf.TProxyMode = ""
+		conf.TProxyUDP = ""
 		p.logger.Warn().Msgf("[%s] functionality only available on linux systems", conf.TProxyMode)
 	}
 	p.tproxyMode = conf.TProxyMode
@@ -268,6 +273,15 @@ func New(conf *Config) *proxyapp {
 		if err != nil {
 			p.logger.Fatal().Err(err).Msg("")
 		}
+		if conf.TProxyUDP != "" {
+			if p.tproxyMode != "tproxy" {
+				p.logger.Warn().Msgf("[%s] transparent UDP server only supports tproxy mode", conf.TProxyMode)
+			}
+			p.tproxyAddrUDP, err = getFullAddress(conf.TProxyUDP, "", true)
+			if err != nil {
+				p.logger.Fatal().Err(err).Msg("")
+			}
+		}
 	} else {
 		p.tproxyAddr, err = getFullAddress(tAddr, "", false)
 		if err != nil {
@@ -484,6 +498,9 @@ func New(conf *Config) *proxyapp {
 			p.logger.Info().Msgf("REDIRECT: %s", p.tproxyAddr)
 		}
 	}
+	if p.tproxyAddrUDP != "" {
+		p.logger.Info().Msgf("TPROXY (UDP): %s", p.tproxyAddrUDP)
+	}
 	return &p
 }
 
@@ -496,11 +513,21 @@ func (p *proxyapp) Run() {
 		go p.arpspoofer.Start()
 	}
 	var tproxyServer *tproxyServer
-	var output map[string]string
+	opts := make(map[string]string, 5)
+	if p.auto {
+		p.applyCommonRedirectRules(opts)
+	}
 	if p.tproxyAddr != "" {
 		tproxyServer = newTproxyServer(p)
 		if p.auto {
-			output = tproxyServer.applyRedirectRules()
+			tproxyServer.applyRedirectRules(opts)
+		}
+	}
+	var tproxyServerUDP *tproxyServerUDP
+	if p.tproxyAddrUDP != "" {
+		tproxyServerUDP = newTproxyServerUDP(p)
+		if p.auto {
+			tproxyServerUDP.applyRedirectRules(opts)
 		}
 	}
 	if p.proxylist != nil {
@@ -525,15 +552,31 @@ func (p *proxyapp) Run() {
 			}
 			close(p.closeConn)
 			if tproxyServer != nil {
+				p.logger.Info().Msgf("[tcp %s] Server is shutting down...", p.tproxyMode)
 				if p.auto {
-					err := tproxyServer.clearRedirectRules(output)
+					err := tproxyServer.clearRedirectRules()
 					if err != nil {
 						p.logger.Error().Err(err).Msg("Failed clearing iptables rules")
 					}
 				}
-				p.logger.Info().Msgf("[%s] Server is shutting down...", p.tproxyMode)
 				tproxyServer.Shutdown()
 			}
+			if tproxyServerUDP != nil {
+				p.logger.Info().Msgf("[udp %s] Server is shutting down...", p.tproxyMode)
+				if p.auto {
+					err := tproxyServerUDP.clearRedirectRules()
+					if err != nil {
+						p.logger.Error().Err(err).Msg("Failed clearing iptables rules")
+					}
+				}
+				tproxyServerUDP.Shutdown()
+			}
+			if p.auto {
+				err := p.clearCommonRedirectRules(opts)
+				if err != nil {
+					p.logger.Error().Err(err).Msg("Failed clearing iptables rules")
+				}
+			}
 			p.logger.Info().Msg("Server is shutting down...")
 			ctx, cancel := context.WithTimeout(context.Background(), shutdownTimeout)
 
@@ -547,6 +590,9 @@ func (p *proxyapp) Run() {
 		if tproxyServer != nil {
 			go tproxyServer.ListenAndServe()
 		}
+		if tproxyServerUDP != nil {
+			go tproxyServerUDP.ListenAndServe()
+		}
 		if p.user != "" && p.pass != "" {
 			p.httpServer.Handler = p.proxyAuth(p.handler())
 		} else {
@@ -571,18 +617,43 @@ func (p *proxyapp) Run() {
 					p.logger.Error().Err(err).Msg("Failed stopping arp spoofer")
 				}
 			}
+			close(p.closeConn)
+			if tproxyServer != nil {
+				p.logger.Info().Msgf("[tcp %s] Server is shutting down...", p.tproxyMode)
+				if p.auto {
+					err := tproxyServer.clearRedirectRules()
+					if err != nil {
+						p.logger.Error().Err(err).Msg("Failed clearing iptables rules")
+					}
+				}
+				tproxyServer.Shutdown()
+			}
+			if tproxyServerUDP != nil {
+				p.logger.Info().Msgf("[udp %s] Server is shutting down...", p.tproxyMode)
+				if p.auto {
+					err := tproxyServerUDP.clearRedirectRules()
+					if err != nil {
+						p.logger.Error().Err(err).Msg("Failed clearing iptables rules")
+					}
+				}
+				tproxyServerUDP.Shutdown()
+			}
 			if p.auto {
-				err := tproxyServer.clearRedirectRules(output)
+				err := p.clearCommonRedirectRules(opts)
 				if err != nil {
 					p.logger.Error().Err(err).Msg("Failed clearing iptables rules")
 				}
 			}
-			close(p.closeConn)
-			p.logger.Info().Msgf("[%s] Server is shutting down...", p.tproxyMode)
-			tproxyServer.Shutdown()
 			close(done)
 		}()
-		tproxyServer.ListenAndServe()
+		if tproxyServer != nil && tproxyServerUDP != nil {
+			go tproxyServerUDP.ListenAndServe()
+			tproxyServer.ListenAndServe()
+		} else if tproxyServer != nil {
+			tproxyServer.ListenAndServe()
+		} else {
+			tproxyServerUDP.ListenAndServe()
+		}
 	}
 	<-done
 }
@@ -749,7 +820,9 @@ func (p *proxyapp) handleTunnel(w http.ResponseWriter, r *http.Request) {
 	var dstConn net.Conn
 	var err error
 	if network.IsLocalAddress(r.Host) {
-		dstConn, err = getBaseDialer(timeout, p.mark).Dial("tcp", r.Host)
+		ctx, cancel := context.WithTimeout(context.Background(), timeout)
+		defer cancel()
+		dstConn, err = getBaseDialer(timeout, p.mark).DialContext(ctx, "tcp", r.Host)
 		if err != nil {
 			p.logger.Error().Err(err).Msgf("Failed connecting to %s", r.Host)
 			http.Error(w, err.Error(), http.StatusServiceUnavailable)
@@ -1317,3 +1390,127 @@ func (p *proxyapp) proxyAuth(next http.HandlerFunc) http.HandlerFunc {
 		http.Error(w, "Proxy Authentication Required", http.StatusProxyAuthRequired)
 	})
 }
+
+func (p *proxyapp) applyCommonRedirectRules(opts map[string]string) {
+	var setex string
+	if p.debug {
+		setex = "set -ex"
+	}
+	if p.tproxyMode == "tproxy" {
+		cmdClear := exec.Command("bash", "-c", fmt.Sprintf(`
+        %s
+        iptables -t mangle -F DIVERT 2>/dev/null || true
+        iptables -t mangle -X DIVERT 2>/dev/null || true
+
+        ip rule del fwmark 1 lookup 100 2>/dev/null || true
+        ip route flush table 100 2>/dev/null || true
+        `, setex))
+		cmdClear.Stdout = os.Stdout
+		cmdClear.Stderr = os.Stderr
+		if err := cmdClear.Run(); err != nil {
+			p.logger.Fatal().Err(err).Msg("Failed while configuring iptables. Are you root?")
+		}
+		cmdInit0 := exec.Command("bash", "-c", fmt.Sprintf(`
+        %s
+        ip rule add fwmark 1 lookup 100 2>/dev/null || true
+        ip route add local 0.0.0.0/0 dev lo table 100 2>/dev/null || true
+
+        iptables -t mangle -N DIVERT 2>/dev/null || true
+        iptables -t mangle -F DIVERT 2>/dev/null || true
+        iptables -t mangle -A DIVERT -j MARK --set-mark 1
+        iptables -t mangle -A DIVERT -j ACCEPT
+        `, setex))
+		cmdInit0.Stdout = os.Stdout
+		cmdInit0.Stderr = os.Stderr
+		if err := cmdInit0.Run(); err != nil {
+			p.logger.Fatal().Err(err).Msg("Failed while configuring iptables. Are you root?")
+		}
+	}
+
+	_ = createSysctlOptCmd("net.ipv4.ip_forward", "1", setex, opts, p.debug).Run()
+	cmdClearForward := exec.Command("bash", "-c", fmt.Sprintf(`
+	%s
+	iptables -t filter -F GOHPTS 2>/dev/null || true
+	iptables -t filter -D FORWARD -j GOHPTS  2>/dev/null || true
+	iptables -t filter -X GOHPTS  2>/dev/null || true
+	`, setex))
+	cmdClearForward.Stdout = os.Stdout
+	cmdClearForward.Stderr = os.Stderr
+	if err := cmdClearForward.Run(); err != nil {
+		p.logger.Fatal().Err(err).Msg("Failed while configuring iptables. Are you root?")
+	}
+	var iface *net.Interface
+	var err error
+	if p.iface != nil {
+		iface = p.iface
+	} else {
+		iface, err = network.GetDefaultInterface()
+		if err != nil {
+			p.logger.Fatal().Err(err).Msg("failed getting default network interface")
+		}
+	}
+	cmdForwardFilter := exec.Command("bash", "-c", fmt.Sprintf(`
+	%s
+	iptables -t filter -N GOHPTS 2>/dev/null
+	iptables -t filter -F GOHPTS
+	iptables -t filter -A FORWARD -j GOHPTS
+	iptables -t filter -A GOHPTS -i %s -j ACCEPT
+	iptables -t filter -A GOHPTS -o %s -j ACCEPT
+	`, setex, iface.Name, iface.Name))
+	cmdForwardFilter.Stdout = os.Stdout
+	cmdForwardFilter.Stderr = os.Stderr
+	if err := cmdForwardFilter.Run(); err != nil {
+		p.logger.Fatal().Err(err).Msg("Failed while configuring iptables. Are you root?")
+	}
+}
+
+func (p *proxyapp) clearCommonRedirectRules(opts map[string]string) error {
+	var setex string
+	if p.debug {
+		setex = "set -ex"
+	}
+	cmdClear := exec.Command("bash", "-c", fmt.Sprintf(`
+	%s
+	iptables -t filter -F GOHPTS 2>/dev/null || true
+	iptables -t filter -D FORWARD -j GOHPTS  2>/dev/null || true
+	iptables -t filter -X GOHPTS  2>/dev/null || true
+	`, setex))
+	cmdClear.Stdout = os.Stdout
+	cmdClear.Stderr = os.Stderr
+	if err := cmdClear.Run(); err != nil {
+		p.logger.Fatal().Err(err).Msg("Failed while configuring iptables. Are you root?")
+	}
+	cmds := make([]string, 0, len(opts))
+	for _, cmd := range slices.Sorted(maps.Keys(opts)) {
+		cmds = append(cmds, fmt.Sprintf("sysctl -w %s=%s", cmd, opts[cmd]))
+	}
+	cmdRestoreOpts := exec.Command("bash", "-c", fmt.Sprintf(`
+        %s
+		%s
+        `, setex, strings.Join(cmds, "\n")))
+	cmdRestoreOpts.Stdout = os.Stdout
+	cmdRestoreOpts.Stderr = os.Stderr
+	if !p.debug {
+		cmdRestoreOpts.Stdout = nil
+	}
+	_ = cmdRestoreOpts.Run()
+	if p.tproxyMode == "tproxy" {
+		cmd := exec.Command("bash", "-c", fmt.Sprintf(`
+        %s
+        iptables -t mangle -F DIVERT 2>/dev/null || true
+        iptables -t mangle -X DIVERT 2>/dev/null || true
+
+        ip rule del fwmark 1 lookup 100 2>/dev/null || true
+        ip route flush table 100 2>/dev/null || true
+        `, setex))
+		cmd.Stdout = os.Stdout
+		cmd.Stderr = os.Stderr
+		if !p.debug {
+			cmd.Stdout = nil
+		}
+		if err := cmd.Run(); err != nil {
+			return err
+		}
+	}
+	return nil
+}