slyphon-transocks_em 0.0.1

data/Gemfile

@@ -0,0 +1,4 @@
+source "http://rubygems.org"
+
+gemspec
+

data/bin/transocks-server

@@ -0,0 +1,8 @@
+#!/usr/bin/env ruby
+
+$LOAD_PATH.unshift(File.expand_path('../../lib', __FILE__)).uniq!
+
+require 'transocks_em'
+
+TransocksEM::Command.main
+

data/lib/transocks_em.rb

@@ -0,0 +1,114 @@
+require 'socket'
+require 'eventmachine'
+require 'logging'
+require 'optparse'
+
+include Logging.globally
+
+module TransocksEM
+  OPSYS = `uname -s`.chomp
+
+  def self.config
+    unless defined?(@@config)
+      @@config = {}
+    end
+    @@config
+  end
+
+  def self.debug?
+    false|config[:debug] 
+  end
+
+  class EM::Connection
+    def orig_sockaddr
+      addr = get_sock_opt(Socket::SOL_IP, 80) # Socket::SO_ORIGINAL_DST
+      _, port, host = addr.unpack("nnN")
+
+      [host, port]
+    end
+
+    def bsd_orig_sockaddr
+#       get_sock_opt(4, 3)
+    end
+  end
+
+  class TransocksClient < EM::P::Socks4
+    attr_accessor :closed
+
+    def initialize(proxied, host, port)
+      @proxied = proxied
+      super(host, port)
+    end
+
+    def receive_data(data)
+      @proxied.send_data(data)
+      proxy_incoming_to @proxied  unless @proxied.closed
+    end
+
+    def proxy_target_unbound
+      close_connection
+    end
+
+    def unbind
+      self.closed = true
+      @proxied.close_connection_after_writing
+    end
+  end
+
+  class TransocksTCPServer < EM::Connection
+    attr_accessor :closed
+
+    def initialize(ipfw_natd_style = false)
+      logger.debug { "started server, ipfw_natd_style: #{ipfw_natd_style}" }
+      @ipfw_natd_style = ipfw_natd_style
+    end
+
+    def connection_completed
+      logger.debug { "connection_completed" }
+    end
+
+    def post_init
+      return  if @ipfw_natd_style
+
+      orig_host, orig_port = orig_sockaddr
+      orig_host = [orig_host].pack("N").unpack("CCCC")*'.'
+
+      proxy_to orig_host, orig_port
+    end
+
+    def receive_data(data)
+      @buf ||= ''
+      @buf << data
+      if @buf.gsub!(/\[DEST (\d+\.\d+\.\d+\.\d+) (\d+)\] *\n/m, '')
+        orig_host, orig_port = $1, $2.to_i
+        proxy_to orig_host, orig_port
+        @proxied.send_data @buf
+      end
+    end
+
+    def proxy_target_unbound
+      close_connection
+    end
+
+    def unbind
+      self.closed = true
+      @proxied.close_connection_after_writing  if @proxied
+    end
+
+    private
+      def config
+        TransocksEM.config
+      end
+
+      def proxy_to(orig_host, orig_port)
+        logger.debug { "connecting to #{orig_host}:#{orig_port}" }
+
+        @proxied = EM.connect(config[:connect_host], config[:connect_port], TransocksClient, self, orig_host, orig_port)
+        proxy_incoming_to @proxied  unless @proxied.closed
+      end
+  end
+end
+
+require 'transocks_em/command'
+require 'transocks_em/ipfw_tweaker'
+

data/lib/transocks_em/command.rb

@@ -0,0 +1,100 @@
+module TransocksEM
+  class Command
+    USAGE = <<-EOS
+Usage: transsocks_em.rb [opts] <proxy_to_host> <proxy_to_port> <listen_port>
+
+--natd puts daemon in ipfw/natd bsd mode rather than linux iptables SO_ORIGINAL_DST mode,
+       aka: get the original dest addr/port from the TCP stream rather than
+       from getsockopt.  Current issue with natd mode is that the original addr
+       wont be sent until the connection sends some initial data (this makes it
+       incompatible with certain protocols, SSH for example).  This is the
+       default for Darwin (checked using 'uname -s').
+
+If --debug is enabled, natd debugging output goes to /tmp/natd.log
+
+
+    EOS
+
+    def self.main
+      new.main
+    end
+
+    def initialize
+      @ipfw_tweaker = IPFWTweaker.new
+      @set_ipfw_state = false
+      @divert_ports = []
+    end
+
+    def config
+      TransocksEM.config
+    end
+
+    def optparser
+      @optparser ||= OptionParser.new do |o|
+        o.banner = USAGE
+        o.on('--natd', 'see description above') { config[:natd] = true }
+        o.on('-P', '--ports a,b,c', Array, 'the ports to divert to socks (mandatory)') do |a|
+          @divert_ports = a.map { |n| Integer(n) }
+        end
+        o.on('-D', '--debug', 'set debug logging') { config[:debug] = true }
+        o.on('-h', '--help', "you're reading it") { help! }
+      end
+    end
+
+    def help!
+      $stderr.puts optparser
+      exit 1
+    end
+
+    def main
+      optparser.parse!(ARGV)
+
+      help! if @divert_ports.empty? or (ARGV.size < 3)
+
+      host, port, listen = ARGV[0,3]
+
+      config.merge!({
+        :connect_host => host,
+        :connect_port => port.to_i, 
+        :listen_port  => listen.to_i,
+      })
+
+      Logging.backtrace(true)
+
+      Logging.logger.root.tap do |root|
+        root.level = TransocksEM.debug? ? :debug : :info
+        root.add_appenders(Logging.appenders.stderr)
+      end
+
+      logger.debug { "using config: #{config.inspect}" }
+
+      if (ARGV[3] == 'natd') or (TransocksEM::OPSYS =~ /^(?:Darwin|FreeBSD)$/)
+        config[:natd] = true
+        logger.info { "set natd mode" }
+        @set_ipfw_state = true
+        @ipfw_tweaker.divert_to_socks(*@divert_ports)
+      end
+
+      %w[INT TERM].each do |sig|
+        Kernel.trap(sig) do
+          logger.info { "trapped signal #{sig}, shutting down" }
+          EM.next_tick { EM.stop_event_loop }
+        end
+      end
+
+      EM.run do
+        logger.info { "started event loop" }
+
+        EM.error_handler do |e|
+          logger.error { e }
+        end
+
+        EM.start_server '127.0.0.1', config[:listen_port], TransocksTCPServer, config[:natd]
+      end
+
+    ensure
+      @ipfw_tweaker.clear_state! if @set_ipfw_state
+    end
+  end
+end
+

data/lib/transocks_em/ipfw_tweaker.rb

@@ -0,0 +1,156 @@
+require 'tempfile'
+
+module TransocksEM
+  class IPFWTweaker
+    DEFAULT_START_RULE_NUM = 1_000
+    OFFSET = 10
+    DIVERT_PORT = 4000
+    IPFW_SET_NUM = 7
+
+    IPFW_BIN = '/sbin/ipfw' # Darwin & FreeBSD
+
+    attr_reader :start_rule_num, :offset, :ipfw_set_num, :added_rule_nums, :divert_port
+
+    def initialize(opts={})
+      @start_rule_num   = opts.fetch(:start_rule_num, DEFAULT_START_RULE_NUM)
+      @cur_rule_num     = @start_rule_num
+
+      @offset           = opts.fetch(:offset, OFFSET)
+      @divert_port      = opts.fetch(:divert_port, DIVERT_PORT)
+      @ipfw_set_num     = opts.fetch(:ipfw_set_num, IPFW_SET_NUM)
+      @added_rule_nums  = []
+      @natd_pid         = nil
+      @natd_config_tmpfile  = nil
+    end
+
+    def transocks_port
+      TransocksEM.config[:listen_port]
+    end
+
+    # Diverts the given ports to SOCKS via ipfw and natd. after this has been
+    # called once, you must reset the rules before calling it again, or an
+    # error will occur
+    def divert_to_socks(*ports)
+      clear_state!
+      add_ipfw_diversion_rules!(ports)
+      setup_natd!(ports)
+    end
+
+    def clear_state!
+      clear_ipfw_rules!
+      kill_natd!
+    end
+
+    def add_ipfw_diversion_rules!(ports)
+      ipfw *%W[set disable #{ipfw_set_num}]
+      ipfw *%W[add #{cur_rule_num} set #{ipfw_set_num} divert #{divert_port} tcp from 127.0.0.1 #{transocks_port} to me in]
+      ipfw *%W[add #{cur_rule_num} set #{ipfw_set_num} divert #{divert_port} tcp from me to any #{ports.join(',')} out]
+      ipfw *%W[set enable #{ipfw_set_num}]
+
+      logger.debug do
+        rules = `sudo ipfw list`
+        "ipfw rules: #{rules}"
+      end
+    end
+
+    def setup_natd!(ports)
+      kill_natd!
+
+      @natd_config_tmpfile = tmp = Tempfile.new('natdrulez')
+
+      tmp.puts(<<-EOS)
+port #{divert_port} 
+log yes
+interface lo0 
+proxy_only yes
+      EOS
+
+      ports.each do |port|
+        tmp.puts %Q[proxy_rule type encode_tcp_stream port #{port} server 127.0.0.1:#{transocks_port}]
+      end
+
+      tmp.fsync
+
+      tmp.rewind
+      config = tmp.read
+
+      logger.debug { "natd config: \n#{config}" }
+
+      cmd = %W[sudo #{natd_bin} -f #{tmp.path}]
+
+      opts = {
+        :chdir => '/',
+        :in  => '/dev/null',
+        :out => [:child, :err],
+      }
+
+      opts[:err] = TransocksEM.debug? ? '/tmp/natd.log' : '/dev/null'
+
+      cmd << opts
+
+      logger.debug { "spawning natd: #{cmd.inspect}" }
+
+      @natd_pid = Process.spawn(*cmd)
+
+      logger.debug { "launched natd pid: #{@natd_pid}" } 
+    end
+
+    def clear_ipfw_rules!
+      sh(*%W[sudo ipfw delete set #{ipfw_set_num}])
+    rescue RuntimeError
+    end
+
+    def kill_natd!
+      if @natd_config_tmpfile
+        @natd_config_tmpfile.close
+        @natd_config_tmpfile = nil
+      end
+
+      if @natd_pid
+        sh(*%W[sudo kill -9 #{@natd_pid}])
+        Process.waitpid2(@natd_pid)
+        @natd_pid = nil
+      end
+    end
+
+    protected
+      def ipfw(*args)
+        cmd = ['sudo', IPFW_BIN]
+        
+        cmd << '-q' unless TransocksEM.debug?
+
+        cmd += args
+
+        sh(*cmd)
+      end
+
+      def sh(*cmd)
+        logger.debug { "running command: #{cmd.join(' ')}" }
+
+        system(*cmd).tap do |bool|
+          raise "command: #{cmd.join(' ')} failed with status: #{$?.inspect}" unless bool
+        end
+      end
+      
+      def natd_bin
+        @natd_bin ||= (
+          case OPSYS
+          when 'Darwin'
+            '/usr/sbin/natd'
+          when 'FreeBSD'
+            '/sbin/natd'
+          else
+            raise "don't know about natd on opsys: #{OPSYS}"
+          end
+        )
+      end
+
+      def cur_rule_num
+        orig = @cur_rule_num
+        @added_rule_nums << orig
+        @cur_rule_num += @offset
+        orig
+      end
+  end
+end
+

data/lib/transocks_em/version.rb

@@ -0,0 +1,4 @@
+module TransocksEM
+  VERSION = '0.0.1'
+end
+

data/setup_linux_routing

@@ -0,0 +1,30 @@
+#!/bin/sh
+
+# transparently proxy all traffic of processes launched with specified group to transocks daemon
+
+PROXY_GROUP=prx
+TRANSOCKS_PORT=1212
+
+if [ "$1" = "--clear" ]; then
+  sudo iptables -t nat --flush
+  echo cleared all nat rules
+  exit 0
+fi
+
+sudo iptables -t nat -X SOCKSIFY
+sudo iptables -t nat -N SOCKSIFY
+
+# Only proxy traffic for programs run with group $PROXY_GROUP
+sudo iptables -t nat -A SOCKSIFY -m owner ! --gid-owner $PROXY_GROUP -j RETURN
+
+# Exceptions for local traffic
+sudo iptables -t nat -A SOCKSIFY -o lo -j RETURN
+sudo iptables -t nat -A SOCKSIFY --dst 127.0.0.1 -j RETURN
+# Add extra local nets to ignore here as necessary
+sudo iptables -t nat -A SOCKSIFY --dst 192.168.0.0/16 -j RETURN
+
+# Send to transocks
+sudo iptables -t nat -A SOCKSIFY -p tcp -j REDIRECT --to-port $TRANSOCKS_PORT
+
+# Socksify traffic leaving this host:
+sudo iptables -t nat -A OUTPUT -p tcp --syn -j SOCKSIFY

data/setup_osx_routing

@@ -0,0 +1,20 @@
+#!/bin/sh
+
+TRANSOCKS_PORT=1212
+
+# transparently proxy ports 80, 443, and 1935 (hulu) to transocks daemon
+
+if [ "$1" = "--clear" ]; then
+  sudo ipfw -q flush
+  echo cleared all ipfw rules
+  exit 0
+fi
+
+sudo ipfw add divert 4000 tcp from 127.0.0.1 $TRANSOCKS_PORT to me in
+sudo ipfw add divert 4000 tcp from me to any 80,443,1935 out
+
+sudo killall -9 natd
+sudo natd -port 4000 -interface lo0 -proxy_only \
+  -proxy_rule type encode_tcp_stream port 80 server 127.0.0.1:$TRANSOCKS_PORT \
+  -proxy_rule type encode_tcp_stream port 443 server 127.0.0.1:$TRANSOCKS_PORT \
+  -proxy_rule type encode_tcp_stream port 1935 server 127.0.0.1:$TRANSOCKS_PORT \

data/transocks_em.gemspec

@@ -0,0 +1,23 @@
+# -*- encoding: utf-8 -*-
+$:.push File.expand_path("../lib", __FILE__)
+require 'transocks_em/version'
+
+Gem::Specification.new do |s|
+  s.name        = "slyphon-transocks_em"
+  s.version     = TransocksEM::VERSION
+  s.authors     = ["coderrr", "Jonathan D. Simms"]
+  s.email       = ["coderrr.contact@gmail.com", "simms@hp.com"]
+  s.summary     = %q{transparently tunnel connections over SOCKS5 using eventmachine and ipfw/iptables}
+  s.description = s.summary
+
+  s.required_ruby_version = '>= 1.9.2'
+
+  s.add_runtime_dependency('logging',         '~> 1.5.1')
+  s.add_runtime_dependency('eventmachine',    '~> 1.0.0.beta.3')
+
+
+  s.files         = `git ls-files`.split("\n")
+  s.test_files    = `git ls-files -- {test,spec,features}/*`.split("\n")
+  s.executables   = `git ls-files -- bin/*`.split("\n").map{ |f| File.basename(f) }
+  s.require_paths = ["lib"]
+end

data/uot_client.rb

@@ -0,0 +1,58 @@
+require 'rubygems'
+require 'eventmachine'
+
+class UOTClient < EM::Connection
+  def receive_data(data)
+    port, host = Socket.unpack_sockaddr_in(get_peername)
+
+    dst_port = data.slice!(-2..-1).unpack("S").first
+    dst_host = data.slice!(-4..-1).unpack("C4")*'.'
+
+    $tunnel.mapping[[dst_host, dst_port]] = [host, port]
+    $tunnel.send_object [dst_host, dst_port, data]
+
+    print '>'; $stdout.flush
+  end
+end
+
+class UOTTunnel < EM::Connection
+  attr_accessor :mapping
+
+  include EM::P::ObjectProtocol
+
+  def initialize
+    super
+    @mapping = {}
+  end
+
+  def receive_object(data)
+    host, port, data = data
+
+    dst_host, dst_port = @mapping[[host, port]]
+    if ! dst_host
+      puts "unexpected packet received for #{host}:#{port}"
+      return
+    end
+
+    $udp_connection.send_datagram data, dst_host, dst_port
+    print '<'; $stdout.flush
+  end
+
+  def unbind
+    p :control_conn_dropped
+    reconnect
+  end
+
+  def reconnect
+    @mapping.clear
+    super $host, $port
+  end
+end
+
+$host, $port, listen_port = ARGV[0], ARGV[1].to_i, ARGV[2]
+
+EM.run do
+  EM.error_handler { puts $!, $@ }
+  $tunnel = EM.connect $host, $port, UOTTunnel
+  $udp_connection = EM.open_datagram_socket '127.1', listen_port, UOTClient
+end

data/uot_server.rb

@@ -0,0 +1,31 @@
+require 'rubygems'
+require 'eventmachine'
+require 'socket'
+
+class UOTServer < EM::Connection
+  include EM::P::ObjectProtocol
+
+  def post_init
+    $server = self
+  end
+
+  def receive_object(data)
+    host, port, data = data
+    $outgoing_connection.send_datagram data, host, port
+  end
+end
+
+class UDPConnection < EM::Connection
+  def receive_data(data)
+    port, host = Socket.unpack_sockaddr_in(get_peername)
+    $server.send_object [host, port, data]  if $server
+  end
+end
+
+listen_port = ARGV.first
+
+EM.run do
+  EM.error_handler { puts $!, $@ }
+  EM.start_server '0', listen_port, UOTServer
+  $outgoing_connection = EM.open_datagram_socket '0', 0, UDPConnection
+end

metadata

@@ -0,0 +1,113 @@
+--- !ruby/object:Gem::Specification 
+name: slyphon-transocks_em
+version: !ruby/object:Gem::Version 
+  hash: 29
+  prerelease: 
+  segments: 
+  - 0
+  - 0
+  - 1
+  version: 0.0.1
+platform: ruby
+authors: 
+- coderrr
+- Jonathan D. Simms
+autorequire: 
+bindir: bin
+cert_chain: []
+
+date: 2011-08-17 00:00:00 Z
+dependencies: 
+- !ruby/object:Gem::Dependency 
+  name: logging
+  prerelease: false
+  requirement: &id001 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ~>
+      - !ruby/object:Gem::Version 
+        hash: 1
+        segments: 
+        - 1
+        - 5
+        - 1
+        version: 1.5.1
+  type: :runtime
+  version_requirements: *id001
+- !ruby/object:Gem::Dependency 
+  name: eventmachine
+  prerelease: false
+  requirement: &id002 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ~>
+      - !ruby/object:Gem::Version 
+        hash: 62196357
+        segments: 
+        - 1
+        - 0
+        - 0
+        - beta
+        - 3
+        version: 1.0.0.beta.3
+  type: :runtime
+  version_requirements: *id002
+description: transparently tunnel connections over SOCKS5 using eventmachine and ipfw/iptables
+email: 
+- coderrr.contact@gmail.com
+- simms@hp.com
+executables: 
+- transocks-server
+extensions: []
+
+extra_rdoc_files: []
+
+files: 
+- Gemfile
+- bin/transocks-server
+- lib/transocks_em.rb
+- lib/transocks_em/command.rb
+- lib/transocks_em/ipfw_tweaker.rb
+- lib/transocks_em/version.rb
+- setup_linux_routing
+- setup_osx_routing
+- transocks_em.gemspec
+- uot_client.rb
+- uot_server.rb
+homepage: 
+licenses: []
+
+post_install_message: 
+rdoc_options: []
+
+require_paths: 
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement 
+  none: false
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      hash: 55
+      segments: 
+      - 1
+      - 9
+      - 2
+      version: 1.9.2
+required_rubygems_version: !ruby/object:Gem::Requirement 
+  none: false
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      hash: 3
+      segments: 
+      - 0
+      version: "0"
+requirements: []
+
+rubyforge_project: 
+rubygems_version: 1.8.6
+signing_key: 
+specification_version: 3
+summary: transparently tunnel connections over SOCKS5 using eventmachine and ipfw/iptables
+test_files: []
+