Proxy Tool - GOST

Warning

This tool can be used to hide/forward malicious network traffic.

That can be illegal => you are warned.


Introduction

GOST is a tool for proxying almost any kind of traffic in almost any way you need.

Check out the nice documentation!

It can act as a proxy server and as a client/forwarder.

If you need to be able to route some traffic through some kind of proxy - this is the tool for you!

It can proxy:


Forwarding to HTTP Proxy

# NFTables =TCP=> TPROXY (forwarder @ 127.0.0.1) =HTTP[TCP]=> PROXY (squid http_port)

The current implementation of HTTP-forwarding in gost does not work correctly.

Problems:

  • Plain HTTP does not work (gost always tries to tunnel over HTTP-CONNECT)

  • HTTPS over IPv6 does not work

Solution:

I’ve created a patched version of gost for exactly this purpose: proxy-forwarder

DNAT

You can use it to catch DNAT traffic and forward it to a remote proxy-server like squid:

proxy-forwarder -P 4128 -F http://192.168.10.20:3128
# creates tcp & udp listeners for IPv4 & IPv6 on localhost:4128

# NAT non-internal targets to the local forwarder (the DNAT target must be its listen port, 4128)
## nftables
nft add rule nat output ip daddr != { 192.168.0.0/16, 10.0.0.0/8, 172.16.0.0/12 } tcp dport { 80, 443 } dnat to 127.0.0.1:4128

## iptables
iptables -t nat -A OUTPUT -p tcp ! -d 172.22.0.0/12 --dport 443 -j DNAT --to-destination 127.0.0.1:4128
iptables -t nat -A OUTPUT -p tcp ! -d 172.22.0.0/12 --dport 80 -j DNAT --to-destination 127.0.0.1:4128
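
A preflight for the DNAT setup above, as an added example that is not part of the original page or of proxy-forwarder: it builds the nftables rule with the forwarder's listen port as the DNAT target and rejects an upstream proxy that the rule itself would redirect. The helper names `is_internal` and `dnat_rule` are hypothetical; the rule text and the sample values are the ones used on this page.

```shell
#!/bin/sh
# Added example: preflight for the DNAT setup (helper names are hypothetical).

# Return 0 if the IPv4 address is inside the ranges the nft rule excludes.
is_internal() {
    case "$1" in
        10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
        *) return 1 ;;
    esac
}

# dnat_rule LISTEN_PORT UPSTREAM_URL
# Prints the nft command for the forwarder's listen port, or fails if the
# forwarder's own upstream connection would match the rule.
dnat_rule() {
    listen_port=$1
    case "$listen_port" in
        ''|*[!0-9]*) echo "listen port must be numeric" >&2; return 2 ;;
    esac
    hostport=${2#*://}        # drop the scheme
    hostport=${hostport%%/*}  # drop any path
    case "$hostport" in
        *:*) up_host=${hostport%:*}; up_port=${hostport##*:} ;;
        *)   up_host=$hostport; up_port=80 ;;   # http default port
    esac
    # Locally generated packets of the forwarder traverse nat OUTPUT too. An
    # upstream that is not excluded by address and uses 80/443 is rewritten to
    # 127.0.0.1:LISTEN_PORT, so the forwarder would connect to itself.
    # Hostnames are treated as external because the rule matches on addresses.
    if ! is_internal "$up_host"; then
        case "$up_port" in
            80|443)
                echo "upstream $hostport matches the DNAT rule (loop)" >&2
                return 1 ;;
        esac
    fi
    printf 'nft add rule nat output ip daddr != { 192.168.0.0/16, 10.0.0.0/8, 172.16.0.0/12 } tcp dport { 80, 443 } dnat to 127.0.0.1:%s\n' "$listen_port"
}

# Values from the page: listener on 4128, squid at 192.168.10.20:3128.
dnat_rule 4128 http://192.168.10.20:3128
```
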

TPROXY

If you want to also proxy UDP traffic - you might want to use the TPROXY integration:

proxy-forwarder -P 4128 -F http://192.168.10.20:3128 -T

# to also set a fw-mark on processed traffic
proxy-forwarder -P 4128 -F http://192.168.10.20:3128 -T -M 100

Config Examples:

Privileges

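You can run GOST in TPROXY mode as a non-root user if you add a capability to the binary:

# set owner and mode first: chown clears file capabilities, so setcap has to come last
sudo chown root:gost /usr/local/bin/gost
sudo chmod 750 /usr/local/bin/gost
sudo setcap cap_net_raw+ep /usr/local/bin/gost
# verify that the capability is set
getcap /usr/local/bin/gost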