{"id":15626354,"url":"https://github.com/zfl9/ipt2socks","last_synced_at":"2025-10-24T22:05:24.369Z","repository":{"id":50569591,"uuid":"212471152","full_name":"zfl9/ipt2socks","owner":"zfl9","description":"将 iptables/nftables 传入的透明代理流量转为 socks5 流量的实用工具","archived":false,"fork":false,"pushed_at":"2025-03-06T07:49:08.000Z","size":403,"stargazers_count":470,"open_issues_count":2,"forks_count":105,"subscribers_count":20,"default_branch":"master","last_synced_at":"2025-04-19T02:15:59.055Z","etag":null,"topics":["iptables","linux","nftables","proxy","redirect","redsocks","relay","socks4","socks5","ss-tproxy","tproxy","transparent-proxy"],"latest_commit_sha":null,"homepage":"","language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"agpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/zfl9.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2019-10-03T00:53:32.000Z","updated_at":"2025-04-15T14:55:33.000Z","dependencies_parsed_at":"2025-03-20T20:19:56.356Z","dependency_job_id":"01d171af-595b-42f0-9a5e-da867710389d","html_url":"https://github.com/zfl9/ipt2socks","commit_stats":null,"previous_names":[],"tags_count":8,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/zfl9%2Fipt2socks","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/zfl9%2Fipt2socks/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/zfl9%2Fipt2socks/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/zfl9%2Fipt2socks/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/zfl9","download_url":"https://codeload.github.com/zfl9/ipt2socks/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":254414499,"owners_count":22067272,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["iptables","linux","nftables","proxy","redirect","redsocks","relay","socks4","socks5","ss-tproxy","tproxy","transparent-proxy"],"created_at":"2024-10-03T10:12:03.966Z","updated_at":"2025-10-24T22:05:24.363Z","avatar_url":"https://github.com/zfl9.png","language":"C","readme":"# ipt2socks(libev)\n\n类似 [redsocks](https://github.com/darkk/redsocks)、[redsocks2](https://github.com/semigodking/redsocks) 的实用工具,将 iptables/nftables (REDIRECT/TPROXY) 传入的流量转为 socks5(tcp/udp) 流量,除此之外不提供任何不必要的功能。\n\n用例 1:配合透明代理使用(如 [ss-tproxy](https://github.com/zfl9/ss-tproxy)),为那些只支持 socks5 传入协议的“代理进程”提供 **iptables/nftables 透明代理** 传入协议的支持,比如 ss/ssr 的 ss-local/ssr-local、v2ray 的 socks5 传入协议、trojan 的 socks5 客户端等等。\n\n用例 2:将透明代理主机上的“代理进程”分离出来,因为“代理”通常涉及加解密等耗性能的操作,如果透明代理主机性能比较弱,最好将“代理进程”放到另外一个性能更强的局域网主机去运行(提供 socks5 传入),然后在透明代理主机上运行 ipt2socks 来对接这个“代理”。ipt2socks 在设计和编码上特意考虑了性能,尽可能实现零拷贝,降低开销。\n\n## 简要说明\n\n- 使用 splice() 系统调用,理想情况下可实现零拷贝。\n- IPv4 和 IPv6 双栈支持,支持 **纯 TPROXY** 透明代理模式。\n- TCP 透明代理提供 REDIRECT、TPROXY 两种方式,UDP 透明代理为 TPROXY 方式。\n- UDP 透明代理支持 Full Cone NAT,前提是后端的 socks5 服务器支持 Full Cone NAT。\n- 多线程 + SO_REUSEPORT 端口重用,每个线程运行各自独立的事件循环,性能提升显著。\n\n## 如何编译\n\n\u003e 为了方便使用,[releases](https://github.com/zfl9/ipt2socks/releases) 页面发布了 linux 下常见架构的 musl 静态链接二进制。\n\n```bash\ngit clone https://github.com/zfl9/ipt2socks\ncd ipt2socks\nmake \u0026\u0026 sudo make install\n```\n\nipt2socks 默认安装到 `/usr/local/bin/ipt2socks`,可安装到其它目录,如 `make install DESTDIR=/opt/local/bin`。\n\n交叉编译时只需指定 CC 变量,如 `make CC=aarch64-linux-gnu-gcc`(若报错或异常,请执行 `make clean`,再试)。\n\n## 如何运行\n\n```bash\n# -s 指定 socks5 服务器 ip\n# -p 指定 socks5 服务器端口\nipt2socks -s 127.0.0.1 -p 1080\n\n# 如果想后台运行,可以这样启动:\n(ipt2socks -s 127.0.0.1 -p 1080 \u003c/dev/null \u0026\u003e\u003e/var/log/ipt2socks.log \u0026)\n```\n\nipt2socks 启动后,配置相应 iptables/nftables 规则即可,关于 iptables 规则,可以看看:\n\n- https://github.com/zfl9/ss-tproxy\n- https://gist.github.com/zfl9/d52482118f38ce2c16195583dffc44d2\n\n## 全部参数\n\n```bash\n$ ipt2socks --help\nusage: ipt2socks \u003coptions...\u003e. the existing options are as follows:\n -s, --server-addr \u003caddr\u003e socks5 server ip, default: 127.0.0.1\n -p, --server-port \u003cport\u003e socks5 server port, default: 1080\n -a, --auth-username \u003cuser\u003e username for socks5 authentication\n -k, --auth-password \u003cpasswd\u003e password for socks5 authentication\n -b, --listen-addr4 \u003caddr\u003e listen ipv4 address, default: 127.0.0.1\n -B, --listen-addr6 \u003caddr\u003e listen ipv6 address, default: ::1\n -l, --listen-port \u003cport\u003e listen port number, default: 60080\n -S, --tcp-syncnt \u003ccnt\u003e change the number of tcp syn retransmits\n -c, --cache-size \u003csize\u003e udp context cache maxsize, default: 256\n -o, --udp-timeout \u003csec\u003e udp context idle timeout, default: 60\n -j, --thread-nums \u003cnum\u003e number of the worker threads, default: 1\n -n, --nofile-limit \u003cnum\u003e set nofile limit, may need root privilege\n -u, --run-user \u003cuser\u003e run as the given user, need root privilege\n -T, --tcp-only listen tcp only, aka: disable udp proxy\n -U, --udp-only listen udp only, aka: disable tcp proxy\n -4, --ipv4-only listen ipv4 only, aka: disable ipv6 proxy\n -6, --ipv6-only listen ipv6 only, aka: disable ipv4 proxy\n -R, --redirect use redirect instead of tproxy for tcp\n -r, --reuse-port enable so_reuseport for single thread\n -w, --tfo-accept enable tcp_fastopen for server socket\n -W, --tfo-connect enable tcp_fastopen for client socket\n -v, --verbose print verbose log, affect performance\n -V, --version print ipt2socks version number and exit\n -h, --help print ipt2socks help information and exit\n```\n\n- `-s`选项:socks5 服务器的 IP 地址,默认为 127.0.0.1。\n- `-p`选项:socks5 服务器的监听端口,默认为 1080。\n- `-a`选项:socks5 代理认证的用户(若需要认证)。\n- `-k`选项:socks5 代理认证的密码(若需要认证)。\n- `-b`选项:本地 IPv4 监听地址,默认为 127.0.0.1。\n- `-B`选项:本地 IPv6 监听地址,默认为 ::1。\n- `-l`选项:本地 IPv4/6 监听端口,默认为 60080。\n- `-S`选项:与 socks5 服务器建立 TCP 连接的超时参数。\n- `-c`选项:UDP 上下文的最大数量,默认为 256 个。\n- `-o`选项:UDP 上下文的超时时间,默认为 60 秒。\n- `-j`选项:需要启动的工作线程数量,默认为单个线程。\n- `-n`选项:设置 ipt2socks 进程可打开的文件描述符限制。\n- `-u`选项:即 run-as-user 功能,需要 root 权限才能生效。\n- `-T`选项:仅启用 TCP 透明代理,也即关闭 UDP 透明代理。\n- `-U`选项:仅启用 UDP 透明代理,也即关闭 TCP 透明代理。\n- `-4`选项:仅启用 IPv4 透明代理,也即关闭 IPv6 透明代理。\n- `-6`选项:仅启用 IPv6 透明代理,也即关闭 IPv4 透明代理。\n- `-R`选项:使用 REDIRECT(DNAT) 而非 TPROXY(针对 TCP)。\n- `-r`选项:若指定,则即使是单线程模式,也设置端口重用。\n- `-w`选项:启用服务端的 TCP_Fast_Open(应设好内核参数)。\n- `-W`选项:启用客户端的 TCP_Fast_Open(应设好内核参数)。\n- `-v`选项:若指定此选项,则将会打印较为详尽的运行时日志。\n\n## 以普通用户运行\n\n- `sudo setcap cap_net_bind_service,cap_net_admin+ep /usr/local/bin/ipt2socks`\n- 如果以 root 用户启动 ipt2socks,也可以指定 `-u nobody` 选项切换至 `nobody` 用户\n\n## nofile limit\n\n由于透明代理需要消耗较多文件描述符,为确保最佳体验,请务必留意 ipt2socks 的 nofile limit(可同时打开的文件描述符数量),默认的 nofile limit 非常小,对于透明代理场景基本是不够用的。\n\n从 v1.1.4 版本开始,ipt2socks 启动时将打印进程的 nofile limit 信息,请确保这个值至少在 10000 以上(很多系统默认是 1024),你可以选择使用 `-n` 选项调整此限制(需要 CAP_SYS_RESOURCE 权限),也可以使用其他方式,如 systemd service 文件的 `LimitNOFILE`、`/etc/security/limits.conf` 配置文件。\n","funding_links":[],"categories":["C"],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fzfl9%2Fipt2socks","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fzfl9%2Fipt2socks","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fzfl9%2Fipt2socks/lists"}