transparent socks5 proxy

watch_dns_and_update_ipset.sh

ipset_name="myset"
hosts=("httpbin.org")
interval=3 #secs

while true; do
    new_iplist=()
    for host in ${hosts[@]}; do
        for ip in $(dig +noall +answer +multiline $host | awk '{print $NF}' | sort); do
            new_iplist+=($ip)
        done
        echo "check $host: ${new_iplist[@]}"
    done

    iplist=$(ipset list $ipset_name | awk 'BEGIN{flag=0}{if(flag==1) print $0; if ($0 ~ /^Members:/) { flag=1 }}')

    # remove non-exists ip addresses
    for ipp in ${iplist[@]}; do
        exists=0
        for ip in ${new_iplist[@]}; do
            if [[ $ipp == $ip ]]; then
                exists=1
                break
            fi
        done
        if [[ $exists == 0 ]]; then
            echo "del $ip"
            ipset del $ipset_name $ip
        fi
    done

    # add new ip addresses
    for ip in ${new_iplist[@]}; do
        exists=0
        for ipp in ${iplist[@]}; do
            if [[ $ipp == $ip ]]; then
                exists=1
                break
            fi
        done
        if [[ $exists == 0 ]]; then
            echo "add $ip"
            ipset add $ipset_name $ip
        fi
    done

    sleep $interval
done

direct all outgoing traffic including DNS query (force TCP) to the socks5 proxy.

iptables -t nat -N PROXY
iptables -v -t nat -A PROXY -p tcp -m multiport --dports 53,80,443 -o ens3 -j REDIRECT --to-ports 12345
iptables -t nat -I OUTPUT 1 -j PROXY
iptables -t nat -I PREROUTING 1 -j PROXY
iptables -A OUTPUT -p udp --dport 53 -j REJECT --reject-with icmp-proto-unreachable

/etc/systemd/resolved.conf

[Resolve]
DNS=1.1.1.1
DNSOverTLS=opportunistic

/etc/resolv.conf

nameserver 127.0.0.53
options edns0 trust-ad use-vc
search .