This is a simple transparent proxy tool developed in Go, leveraging eBPF. It enables transparent proxying of network traffic either globally or targeted by specific IP addresses, process IDs, or process names.
The program offers direct transparent proxy network forwarding with SOCKS5 support, serving as a modern alternative to tools like redsocks and proxychains. Furthermore, it can be integrated with other proxy software or Layer 7 proxies to implement advanced functionalities such as traffic splitting, firewalls, or creating a Mock Server.
Installation
Download the binary from a release or build from source:

- Clone the repository:

  ```bash
  git clone https://github.com/Dream95/gotproxy.git
  cd gotproxy
  git submodule update --init --recursive
  ./init_env.sh
  ```

- Build from source:

  ```bash
  make build-bpf && make
  ```
Usage
gotproxy requires root privileges to function.
```bash
sudo ./gotproxy [flags]
```

| Flag | Description |
|---|---|
| --cmd | The command name to be proxied. If not provided, all traffic will be proxied globally. |
| --pids | The PIDs to be proxied, separated by ','. |
| --container-name | The container name to be proxied (Docker running container name). |
| --ip | The Target IP address to be proxied. Supports IPv4 and IPv4 CIDR notation. |
| --p-pid | The process ID of the proxy. If not provided, the program will automatically start a forwarding proxy. |
| --p-port | The proxy port. |
| --socks5 | The SOCKS5 proxy server network address. If configured, SOCKS5 proxying will be used. |
| --socks5-user | SOCKS5 username (RFC1929). Must be set together with --socks5-pass. |
| --socks5-pass | SOCKS5 password (RFC1929). Must be set together with --socks5-user. |
| --proto | Proxy protocol selection: both (default) / tcp / udp. When set to tcp, only TCP traffic will be redirected; when set to udp, only UDP traffic will be redirected. |
| --no-dns53 | Disable automatic UDP DNS rewrite from 127.0.0.53:53 to 1.1.1.1:53 (enabled by default). |

Mirroring is independent of proxy forwarding: it best-effort duplicates the original traffic to a target address.

| Flag | Description |
|---|---|
| --mirror-enable | Enable best-effort traffic mirroring. |
| --mirror-target | Mirror destination address, for example 10.0.0.2:9000. |
| --mirror-proto | Mirror protocol: auto (default, follows --proto) / both / tcp / udp. |
| --mirror-timeout-ms | Mirror write timeout in milliseconds (default: 100). |
| --mirror-queue | Mirror async queue size (default: 1024). |
| --mirror-drop-on-full | Drop mirrored packets when queue is full (default: true). |

Features Under Development: IPv6 support
Examples
- Proxy a specific command:

  ```bash
  sudo ./gotproxy --cmd "curl"
  ```

- Proxy network traffic and forward via SOCKS5:

  ```bash
  sudo ./gotproxy --socks5 192.168.1.2:1080
  ```

  Where '192.168.1.2:1080' is the IP and port of the SOCKS5 proxy server.

  SOCKS5 with username/password:

  ```bash
  sudo ./gotproxy --socks5 192.168.1.2:1080 --socks5-user alice --socks5-pass 'secret'
  ```

- TCP-only proxy:

  ```bash
  sudo ./gotproxy --proto tcp
  ```

- UDP-only proxy:

  ```bash
  sudo ./gotproxy --proto udp
  ```

- Proxy with traffic mirroring:

  ```bash
  sudo ./gotproxy --proto both --mirror-enable --mirror-target 10.0.0.2:9000
  ```

- Proxy by container name:

  ```bash
  sudo ./gotproxy --container-name curl-test
  ```

- Use container and pid together:

  ```bash
  sudo ./gotproxy --container-name curl-test --pids 1234
  ```

When multiple process/container filters are specified (such as --container-name, --cmd, --pids), they use OR semantics: traffic matching any one filter is proxied.

- Theoretically, a connection should be determined by a 5-tuple, but for most cases, connection mapping is currently based only on protocol type and source port.
- In scenarios where proxying is based on process name, if a process starts a child process and uses execve to execute a new command, proxying will not work.
- The current implementation of UDP proxy is not perfect, and there may be issues in certain scenarios.
- By default, UDP DNS destination `127.0.0.53:53` is automatically rewritten to `1.1.1.1:53`; set `--no-dns53` to turn this off.

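
The connection-mapping limitation above, as an added Go example (not gotproxy's own code): it models flows as 5-tuples and reports which ones share a (protocol, source port) key and so cannot be told apart by a table keyed that way. The `Flow` and `PortKey` types, the `Ambiguous` function and the sample addresses are constructed for illustration.

```go
package main

import "fmt"

// Flow is a constructed 5-tuple model, not gotproxy's own data structure.
type Flow struct {
	Proto   string
	Src     string // source IP
	SrcPort uint16
	Dst     string // original destination IP
	DstPort uint16
}

// PortKey is the reduced key the README describes: protocol and source port.
type PortKey struct {
	Proto   string
	SrcPort uint16
}

// Ambiguous groups flows by PortKey and keeps only the keys shared by more
// than one distinct 5-tuple, i.e. flows a (proto, sport) table cannot tell apart.
func Ambiguous(flows []Flow) map[PortKey][]Flow {
	groups := make(map[PortKey][]Flow)
	seen := make(map[Flow]bool)
	for _, f := range flows {
		if seen[f] {
			continue // same 5-tuple observed again, not a collision
		}
		seen[f] = true
		k := PortKey{f.Proto, f.SrcPort}
		groups[k] = append(groups[k], f)
	}
	for k, g := range groups {
		if len(g) < 2 {
			delete(groups, k)
		}
	}
	return groups
}

// Constructed sample: one UDP socket talking to two resolvers, a TCP flow
// reusing that port number, and two source addresses sharing a TCP port.
var sample = []Flow{
	{"udp", "10.0.0.5", 40000, "1.1.1.1", 53},
	{"udp", "10.0.0.5", 40000, "192.0.2.53", 53},
	{"tcp", "10.0.0.5", 40000, "198.51.100.7", 443},
	{"tcp", "10.0.0.5", 51000, "192.0.2.10", 443},
	{"tcp", "172.17.0.2", 51000, "192.0.2.20", 443},
}

func main() {
	for k, g := range Ambiguous(sample) {
		fmt.Printf("%s/%d is shared by %d flows: %+v\n", k.Proto, k.SrcPort, len(g), g)
	}
}
```

Running the same grouping over flow records from a host shows which connections would need the full 5-tuple to be attributed to the correct original destination.
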
Some code is referenced from