updated README

shadowy-pycoder · shadowy-pycoder · commit 26605b0b7f50 · 2025-06-11T19:28:55.000+03:00
diff --git a/README.md b/README.md
@@ -34,6 +34,9 @@ Specify http server in proxy configuration of Postman
 - **Proxy Chain functionality**  
   Supports `strict`, `dynamic`, `random`, `round_robin` chains of SOCKS5 proxy
 
+- **Transparent proxy**  
+  Supports `redirect` (SO_ORIGINAL_DST) and `tproxy` (IP_TRANSPARENT) modes
+
 - **DNS Leak Protection**  
   DNS resolution occurs on SOCKS5 server side.
 
@@ -65,7 +68,7 @@ You can download the binary for your platform from [Releases](https://github.com
 Example:
 
 ```shell
-HPTS_RELEASE=v1.5.0; wget -v https://github.com/shadowy-pycoder/go-http-proxy-to-socks/releases/download/$HPTS_RELEASE/gohpts-$HPTS_RELEASE-linux-amd64.tar.gz -O gohpts && tar xvzf gohpts && mv -f gohpts-$HPTS_RELEASE-linux-amd64 gohpts && ./gohpts -h
+HPTS_RELEASE=v1.6.0; wget -v https://github.com/shadowy-pycoder/go-http-proxy-to-socks/releases/download/$HPTS_RELEASE/gohpts-$HPTS_RELEASE-linux-amd64.tar.gz -O gohpts && tar xvzf gohpts && mv -f gohpts-$HPTS_RELEASE-linux-amd64 gohpts && ./gohpts -h
 ```
 
 Alternatively, you can install it using `go install` command (requires Go [1.24](https://go.dev/doc/install) or later):
@@ -102,23 +105,29 @@ GitHub: https://github.com/shadowy-pycoder/go-http-proxy-to-socks
 Usage: gohpts [OPTIONS]
 Options:
   -h    Show this help message and exit.
+  -M value
+    	Transparent proxy mode: [redirect tproxy]
+  -T string
+    	Address of transparent proxy server (no HTTP)
   -U string
-        User for HTTP proxy (basic auth). This flag invokes prompt for password (not echoed to terminal)
+    	User for HTTP proxy (basic auth). This flag invokes prompt for password (not echoed to terminal)
   -c string
-        Path to certificate PEM encoded file
-  -d    Show logs in DEBUG mode
+    	Path to certificate PEM encoded file
+  -d	Show logs in DEBUG mode
   -f string
-        Path to server configuration file in YAML format
-  -j    Show logs in JSON format
+    	Path to server configuration file in YAML format
+  -j	Show logs in JSON format
   -k string
-        Path to private key PEM encoded file
+    	Path to private key PEM encoded file
   -l string
-        Address of HTTP proxy server (default "127.0.0.1:8080")
+    	Address of HTTP proxy server (default "127.0.0.1:8080")
   -s string
-        Address of SOCKS5 proxy server (default "127.0.0.1:1080")
+    	Address of SOCKS5 proxy server (default "127.0.0.1:1080")
+  -t string
+    	Address of transparent proxy server (it starts along with HTTP proxy server)
   -u string
-        User for SOCKS5 proxy authentication. This flag invokes prompt for password (not echoed to terminal)
-  -v    print version
+    	User for SOCKS5 proxy authentication. This flag invokes prompt for password (not echoed to terminal)
+  -v	print version
 ```
 
 ## Example
@@ -217,6 +226,148 @@ server:
 
 To learn more about proxy chains visit [Proxychains Github](https://github.com/rofl0r/proxychains-ng)
 
+## Transparent proxy
+
+> Also known as an `intercepting proxy`, `inline proxy`, or `forced proxy`, a transparent proxy intercepts normal application layer communication without requiring any special client configuration. Clients need not be aware of the existence of the proxy. A transparent proxy is normally located between the client and the Internet, with the proxy performing some of the functions of a gateway or router
+>
+> -- _From [Wiki](https://en.wikipedia.org/wiki/Proxy_server)_
+
+This functionality available only on Linux systems and requires `iptables` setup
+
+`-T` flag specifies the address for the transparent server but `GoHPTS` will be running without HTTP server.
+
+`-t` flag specifies the address of transparent proxy (all other functionality stays the same).
+
+In other words, `-T` spins up a single server, but `-t` two servers, http and tcp.
+
+There are two modes `redirect` and `tproxy` that can be specified by `-M` flag
+
+## `redirect` (Transparent proxy via NAT)
+
+In this mode proxying happens with `iptables` `nat` table and `REDIRECT` target. Host of incoming packet changes to the address of running `redirect` transparent proxy, but it also contains original destination that can be retrieved with `getsockopt(SO_ORIGINAL_DST)`
+
+To run `GoHPTS` in this mode you use `-t` or `-T` flags with `-M redirect`
+
+### Example
+
+```shell
+# run the proxy
+gohpts -s 1080 -t 1090 -M redirect -d
+```
+
+```shell
+# run socks5 server on 127.0.0.1:1080
+ssh remote -D 1080 -Nf
+```
+
+Setup your operating system:
+
+```shell
+# commands below require elevated privileges (you can run it with `sudo -i`)
+
+#enable ip forwarding
+sysctl -w net.ipv4.ip_forward=1
+
+# create `GOHPTS` nat chain
+iptables -t nat -N GOHPTS
+
+# set no redirection rules for local, http proxy, ssh and redirect procy itself
+iptables -t nat -A GOHPTS -d 127.0.0.0/8 -j RETURN
+iptables -t nat -A GOHPTS -p tcp --dport 8080 -j RETURN
+iptables -t nat -A GOHPTS -p tcp --dport 1090 -j RETURN
+iptables -t nat -A GOHPTS -p tcp --dport 22 -j RETURN
+
+# redirect traffic to transparent proxy
+iptables -t nat -A GOHPTS -p tcp -j REDIRECT --to-ports 1090
+
+# setup prerouting by adding our proxy
+iptables -t nat -A PREROUTING -p tcp -j GOHPTS
+
+# intercept local traffic for testing
+iptables -t nat -A OUTPUT -p tcp -j GOHPTS
+```
+
+Test connection:
+
+```shell
+curl http://example.com #traffic should be redirected via 127.0.0.1:1090
+```
+
+```shell
+curl --proxy http://127.0.0.1:8080 http://example.com #traffic should be redirected via 127.0.0.1:8080
+```
+
+Undo everything:
+
+```shell
+sysctl -w net.ipv4.ip_forward=0
+iptables -t nat -D PREROUTING -p tcp -j GOHPTS
+iptables -t nat -D OUTPUT -p tcp -j GOHPT
+iptables -t nat -F GOHPTS
+iptables -t nat -X GOHPTS
+```
+
+## `tproxy` (Transparent proxy with IP_TRANSPARENT socket option)
+
+In this mode proxying happens with `iptables` `mangle` table and `TPROXY` target. Transparent proxy sees destination address as it is, it is not being rewrited by the kernel. For this to work the proxy binds with socket option `IP_TRANSPARENT`, `iptables` intercepts traffic using TPROXY target, routing rules are used marked packets to the local proxy without changing their original destination.
+
+This mode requires elevated privileges to run `GoHPTS`. You can do that by running the follwing command:
+
+```shell
+sudo setcap 'cap_net_admin+ep' ~/go/bin/gohpts
+```
+
+To run `GoHPTS` in this mode you use `-t` or `-T` flags with `-M tproxy`
+
+### Example
+
+```shell
+# run the proxy
+gohpts -s 1080 -T 0.0.0.0:1090 -M tproxy -d
+```
+
+```shell
+# run socks5 server on 127.0.0.1:1080
+ssh remote -D 1080 -Nf
+```
+
+Setup your operating system:
+
+```shell
+ip netns exec ns-client ip route add default via 10.0.0.1
+sysctl -w net.ipv4.ip_forward=1
+
+iptables -t mangle -A PREROUTING -i veth1 -p tcp -j TPROXY --on-port 1090 --tproxy-mark 0x1/0x1
+
+ip rule add fwmark 1 lookup 100
+ip route add local 0.0.0.0/0 dev lo table 100
+```
+
+Test connection:
+
+```shell
+ip netns exec ns-client curl http://1.1.1.1
+```
+
+Undo everything:
+
+```shell
+sysctl -w net.ipv4.ip_forward=0
+iptables -t mangle -F
+ip rule del fwmark 1 lookup 100
+ip route flush table 100
+ip netns del ns-client
+ip link del veth1
+```
+
+Learn more about transparent proxies by visiting the following links:
+
+- [Transparent proxy support in Linux Kernel](https://docs.kernel.org/networking/tproxy.html)
+- [Transparent proxy tutorial by Gost](https://latest.gost.run/en/tutorials/redirect/)
+- [Simple tproxy example](https://github.com/FarFetchd/simple_tproxy_example)
+- [Golang TProxy](https://github.com/KatelynHaworth/go-tproxy)
+- [Transparent Proxy Implementation using eBPF and Go](https://medium.com/all-things-ebpf/building-a-transparent-proxy-with-ebpf-50a012237e76)
+
 ## License
 
 MIT
