proxychains和graftcp和cgproxy使用方法

前言

proxychains新的版本已经称为proxychains-ng由rofl0r托管在GitHub中维护，一般使用proxychains用于加速更新和下载国外的一些开源组件，比如yum和pip。proxychains使用十分简单，甚至都不必编译安装。

新的代理方案可以由proxychains-ng过渡到graftcp或者cgproxy

更新历史

2022年11月07日 - 增加graftcp和cgproxy
2017年04月16日 - 初稿

阅读原文 - https://wsgzao.github.io/post/proxychains/

扩展阅读

proxychains-ng - https://github.com/rofl0r/proxychains-ng

---

proxychains 简介

ProxyChains is a UNIX program, that hooks network-related libc functions in DYNAMICALLY LINKED programs via a preloaded DLL (dlsym(), LD_PRELOAD) and redirects the connections through SOCKS4a/5 or HTTP proxies. It supports TCP only (no UDP/ICMP etc).

The way it works is basically a HACK; so it is possible that it doesn’t work with your program, especially when it’s a script, or starts numerous processes like background daemons or uses dlopen() to load “modules” (bug in glibc dynlinker).

It should work with simple compiled (C/C++) dynamically linked programs though.

If your program doesn’t work with proxychains, consider using an iptables based solution instead; this is much more robust.

Supported Platforms: Linux, BSD, Mac.

proxychains 安装配置

# needs a working C compiler, preferably gcc
yum install gcc -y
./configure --prefix=/usr --sysconfdir=/etc
make
[optional] sudo make install
[optional] sudo make install-config (installs proxychains.conf)

# if you dont install, you can use proxychains from the build directory like this: 
./proxychains4 -f src/proxychains.conf telnet google.com 80

# 一般编辑proxychains.conf添加socks5地址即可立即使用
vim /etc/proxychains.conf

[ProxyList]
# add proxy here ...
# meanwile
# defaults set to "tor"
#socks4 	127.0.0.1 9050
socks5 172.28.70.26 1080

# 测试
[root@centos7 ~]# curl myip.ipip.net
当前 IP：116.228.53.149  来自于：中国 上海 上海  电信
[root@centos7 ~]# proxychains4 curl myip.ipip.net
[proxychains] config file found: /etc/proxychains.conf
[proxychains] preloading /usr/local/lib/libproxychains4.so
[proxychains] DLL init: proxychains-ng 4.12
[proxychains] Strict chain  ...  172.28.70.26:1080  ...  myip.ipip.net:80  ...  OK
当前 IP：45.79.192.22  来自于：美国 乔治亚州 亚特兰大  linode.com

proxychains.conf 配置文件

[root@centos7 ~]# cat /etc/proxychains.conf 
# proxychains.conf  VER 4.x
#
#        HTTP, SOCKS4a, SOCKS5 tunneling proxifier with DNS.


# The option below identifies how the ProxyList is treated.
# only one option should be uncommented at time,
# otherwise the last appearing option will be accepted
#
#dynamic_chain
#
# Dynamic - Each connection will be done via chained proxies
# all proxies chained in the order as they appear in the list
# at least one proxy must be online to play in chain
# (dead proxies are skipped)
# otherwise EINTR is returned to the app
#
strict_chain
#
# Strict - Each connection will be done via chained proxies
# all proxies chained in the order as they appear in the list
# all proxies must be online to play in chain
# otherwise EINTR is returned to the app
#
#round_robin_chain
#
# Round Robin - Each connection will be done via chained proxies
# of chain_len length
# all proxies chained in the order as they appear in the list
# at least one proxy must be online to play in chain
# (dead proxies are skipped).
# the start of the current proxy chain is the proxy after the last
# proxy in the previously invoked proxy chain.
# if the end of the proxy chain is reached while looking for proxies
# start at the beginning again.
# otherwise EINTR is returned to the app
# These semantics are not guaranteed in a multithreaded environment.
#
#random_chain
#
# Random - Each connection will be done via random proxy
# (or proxy chain, see  chain_len) from the list.
# this option is good to test your IDS :)

# Make sense only if random_chain or round_robin_chain
#chain_len = 2

# Quiet mode (no output from library)
#quiet_mode

# Proxy DNS requests - no leak for DNS data
proxy_dns 

# set the class A subnet number to use for the internal remote DNS mapping
# we use the reserved 224.x.x.x range by default,
# if the proxified app does a DNS request, we will return an IP from that range.
# on further accesses to this ip we will send the saved DNS name to the proxy.
# in case some control-freak app checks the returned ip, and denies to 
# connect, you can use another subnet, e.g. 10.x.x.x or 127.x.x.x.
# of course you should make sure that the proxified app does not need
# *real* access to this subnet. 
# i.e. dont use the same subnet then in the localnet section
#remote_dns_subnet 127 
#remote_dns_subnet 10
remote_dns_subnet 224

# Some timeouts in milliseconds
tcp_read_time_out 15000
tcp_connect_time_out 8000

### Examples for localnet exclusion
## localnet ranges will *not* use a proxy to connect.
## Exclude connections to 192.168.1.0/24 with port 80
# localnet 192.168.1.0:80/255.255.255.0

## Exclude connections to 192.168.100.0/24
# localnet 192.168.100.0/255.255.255.0

## Exclude connections to ANYwhere with port 80
# localnet 0.0.0.0:80/0.0.0.0

## RFC5735 Loopback address range
## if you enable this, you have to make sure remote_dns_subnet is not 127
## you'll need to enable it if you want to use an application that 
## connects to localhost.
# localnet 127.0.0.0/255.0.0.0

## RFC1918 Private Address Ranges
# localnet 10.0.0.0/255.0.0.0
# localnet 172.16.0.0/255.240.0.0
# localnet 192.168.0.0/255.255.0.0

# ProxyList format
#       type  ip  port [user pass]
#       (values separated by 'tab' or 'blank')
#
#       only numeric ipv4 addresses are valid
#
#
#        Examples:
#
#            	socks5	192.168.67.78	1080	lamer	secret
#		http	192.168.89.3	8080	justu	hidden
#	 	socks4	192.168.1.49	1080
#	        http	192.168.39.93	8080	
#		
#
#       proxy types: http, socks4, socks5
#        ( auth types supported: "basic"-http  "user/pass"-socks )
#
[ProxyList]
# add proxy here ...
# meanwile
# defaults set to "tor"
#socks4 	127.0.0.1 9050

环境变量代理设置

翻墙代理是用于访问 github 等不能直接访问的连接使用。

# 使用时 export http_proxy; export https_proxy
export http_proxy=xxx
export https_proxy=xxx
export no_proxy=xxx

# 使用完立刻 unset http_proxy; unset https_proxy

vim ~/.bashrc
with_proxy(){
   HTTPS_PROXY=http://xxx HTTP_PROXY=http://xxx "$@"
}

with_proxy git clone https://github.com/wsgzao/sersync.git

Similar projects

There are some awesome existing work:

• graftcp: work on most programs, but cannot proxy UDP (such as DNS) requests. graftcp also has performance hit on the underlying program, since it uses ptrace.
• proxychains: easy to use, but not working on static linked programs (such as Go programs).
• proxychains-ng: similar to proxychains.
• cgproxy: cgproxy also uses cgroup to do transparent proxy, and the idea is similar to cproxy‘s. There are some differences in UX and system requirements:
  • cgproxy requires system cgroup v2 support, while cproxy works with both v1 and v2.
  • cgproxy requires a background daemon process cgproxyd running, while cproxy does not.
  • cgproxy requires tproxy, which is optional in cproxy.
  • cgproxy can be used to do global proxy, while cproxy does not intended to support global proxy.

一个支持节点与订阅链接的 Linux 命令行代理工具 | A command-line tool for one-click proxy in your research and development without installing v2ray or anything else (only for linux)

gg 是一个命令行工具，可在 Linux 环境下对任意命令进行一键代理，而无需安装 v2ray 等其他工具。

你只需要在想代理的命令之前添加 gg 即可，例如: gg python -m pip install torch.

感谢 graftcp 带来的灵感，gg 是它的一个纯 Go 语言实现，并且拥有更多的有用特性。

我为什么编写 go-graft？

我已经厌倦了我在科研和开发中所遇到的糟糕的网络状况。但我并不希望在我的几台工作服务器上安装 v2ray，因为它太笨重了，且配置麻烦。

因此，我需要一个轻巧便携的命令行工具来帮助我在各种服务器上下载和安装依赖项和软件。

优势

相比较于 proxychains 或 graftcp，go-graft 拥有以下优势:

1. gg 下载即用，不需要安装任何额外的工具。
2. 支持 UDP，从而有效应对 DNS 污染。
3. 支持 Go 语言编写的程序。见 applications built by Go can not be hook by proxychains-ng 。

https://github.com/mzz2017/gg