Initial commit

2025-09-26 20:31:14 +08:00 · 2022-08-15 18:40:04 +08:00
commit 8b0fc1bac7
13 changed files with 449 additions and 0 deletions
--- a/.github/workflows/docker-image.yml
+++ b/.github/workflows/docker-image.yml
@@ -0,0 +1,41 @@
+name: CI
+
+on:
+  push:
+  
+env:
+  DOCKERHUB_REPO: alozxy/trav
+
+jobs:
+  docker:
+
+    runs-on: ubuntu-latest
+    
+    steps:
+    
+      - name: Checkout
+        uses: actions/checkout@v2
+      
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v2
+      
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+      
+      - name: Login to DockerHub
+        uses: docker/login-action@v2
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+          
+      - name: Build and push
+        uses: docker/build-push-action@v3
+        with:
+          context: .
+          platforms: |
+            linux/amd64
+            linux/arm/v7
+            linux/arm64
+          push: true
+          tags: |
+            ${{ env.DOCKERHUB_REPO }}:latest
--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1,16 @@
+# Binaries for programs and plugins
+*.exe
+*.exe~
+*.dll
+*.so
+*.dylib
+client/trav
+
+# Test binary, built with `go test -c`
+*.test
+
+# Output of the go coverage tool, specifically when used with LiteIDE
+*.out
+
+# Dependency directories (remove the comment below to include it)
+# vendor/
--- a/17
+++ b/17
@@ -0,0 +1,17 @@
+FROM golang:1.19 AS build
+
+COPY . /building
+WORKDIR /building/client
+
+RUN go build -o trav 
+
+
+FROM debian:11
+
+COPY --from=build /building/client/trav /usr/bin/trav
+COPY --from=build /building/entrypoint.sh /entrypoint.sh
+RUN chmod +x /entrypoint.sh
+
+RUN apt update && apt install -y iptables
+
+ENTRYPOINT ["/entrypoint.sh"]
--- a/21
+++ b/21
@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2022 Alozxy
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
--- a/README.md
+++ b/README.md
@@ -0,0 +1,2 @@
+# trav
+A simple tool to expose a local port to public network behind nat1 firewall
--- a/client/go.mod
+++ b/client/go.mod
@@ -0,0 +1,8 @@
+module trav
+
+go 1.19
+
+require (
+	github.com/google/gopacket v1.1.19
+	github.com/pion/stun v0.3.5
+)
--- a/client/go.sum
+++ b/client/go.sum
@@ -0,0 +1,16 @@
+github.com/google/gopacket v1.1.19 h1:ves8RnFZPGiFnTS0uPQStjwru6uO6h+nlr9j6fL7kF8=
+github.com/google/gopacket v1.1.19/go.mod h1:iJ8V8n6KS+z2U1A8pUwu8bW5SyEMkXJB8Yo/Vo+TKTo=
+github.com/pion/stun v0.3.5 h1:uLUCBCkQby4S1cf6CGuR9QrVOKcvUwFeemaC865QHDg=
+github.com/pion/stun v0.3.5/go.mod h1:gDMim+47EeEtfWogA37n6qXZS88L5V6LqFcf+DZA2UA=
+golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
+golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
+golang.org/x/lint v0.0.0-20200302205851-738671d3881b/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
+golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg=
+golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
+golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
+golang.org/x/tools v0.0.0-20200130002326-2f3ba24bd6e7/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
+golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
--- a/client/ipt.go
+++ b/client/ipt.go
@@ -0,0 +1,71 @@
+package main
+
+import (
+	"log"
+	"os"
+	"os/exec"
+	"strconv"
+)
+
+func set_rule_v4(local_port uint16, redir_port uint16) {
+
+	if out, err := exec.Command("iptables", "-t", "nat", "-N", "TRAVERSAL").CombinedOutput(); err != nil {
+		log.Println("iptables return a non-zero value:", string(out))
+		log.Println(err)
+	}
+	if out, err := exec.Command("iptables", "-t", "nat", "-F", "TRAVERSAL").CombinedOutput(); err != nil {
+		log.Println("iptables return a non-zero value:", string(out))
+		log.Println(err)
+		os.Exit(1)
+	}
+	if out, err := exec.Command("iptables", "-t", "nat", "-D", "PREROUTING", "-m", "addrtype", "--dst-type", "LOCAL", "-j", "TRAVERSAL").CombinedOutput(); err != nil {
+		log.Println("iptables return a non-zero value:", string(out))
+		log.Println(err)
+	}
+	if out, err := exec.Command("iptables", "-t", "nat", "-A", "TRAVERSAL", "-p", "tcp", "--dport", strconv.FormatUint(uint64(local_port), 10), "-j", "REDIRECT", "--to-ports", strconv.FormatUint(uint64(redir_port), 10)).CombinedOutput(); err != nil {
+		log.Println("iptables return a non-zero value:", string(out))
+		log.Println(err)
+		os.Exit(1)
+	}
+	if out, err := exec.Command("iptables", "-t", "nat", "-A", "PREROUTING", "-m", "addrtype", "--dst-type", "LOCAL", "-j", "TRAVERSAL").CombinedOutput(); err != nil {
+		log.Println("iptables return a non-zero value:", string(out))
+		log.Println(err)
+		os.Exit(1)
+	}
+}
+
+func set_rule_v6() {
+
+	if out, err := exec.Command("ip6tables", "-t", "nat", "-N", "TRAVERSAL").CombinedOutput(); err != nil {
+		log.Println("ip6tables return a non-zero value:", string(out))
+		log.Println(err)
+	}
+	if out, err := exec.Command("ip6tables", "-t", "nat", "-F", "TRAVERSAL").CombinedOutput(); err != nil {
+		log.Println("ip6tables return a non-zero value:", string(out))
+		log.Println(err)
+		os.Exit(1)
+	}
+	if out, err := exec.Command("ip6tables", "-t", "nat", "-D", "PREROUTING", "-m", "addrtype", "--dst-type", "LOCAL", "-j", "TRAVERSAL").CombinedOutput(); err != nil {
+		log.Println("ip6tables return a non-zero value:", string(out))
+		log.Println(err)
+	}
+	if out, err := exec.Command("ip6tables", "-t", "nat", "-A", "PREROUTING", "-m", "addrtype", "--dst-type", "LOCAL", "-j", "TRAVERSAL").CombinedOutput(); err != nil {
+		log.Println("ip6tables return a non-zero value:", string(out))
+		log.Println(err)
+		os.Exit(1)
+	}
+
+}
+
+func modify_rule_v6(external_port uint16, redir_port uint16) {
+	
+	if out, err := exec.Command("ip6tables", "-t", "nat", "-F", "TRAVERSAL").CombinedOutput(); err != nil {
+		log.Println("ip6tables return a non-zero value:", string(out))
+	}
+	if out, err := exec.Command("ip6tables", "-t", "nat", "-A", "TRAVERSAL", "-p", "tcp", "--dport", strconv.FormatUint(uint64(external_port), 10), "-j", "REDIRECT", "--to-ports", strconv.FormatUint(uint64(redir_port), 10)).CombinedOutput(); err != nil {
+		log.Println("ip6tables return a non-zero value:", string(out))
+	}
+	if out, err := exec.Command("ip6tables", "-t", "nat", "-A", "TRAVERSAL", "-p", "udp", "--dport", strconv.FormatUint(uint64(external_port), 10), "-j", "REDIRECT", "--to-ports", strconv.FormatUint(uint64(redir_port), 10)).CombinedOutput(); err != nil {
+		log.Println("ip6tables return a non-zero value:", string(out))
+	}
+}
--- a/client/main.go
+++ b/client/main.go
@@ -0,0 +1,60 @@
+package main
+
+import (
+	"flag"
+	"log"
+	"net"
+	"strconv"
+	"strings"
+	"time"
+)
+
+func syn_loop(local_port uint16, server_ip string, server_port uint16) {
+	for true {
+		send_syn(local_port, server_ip, server_port)
+		time.Sleep(1 * time.Second)
+	}
+}
+
+func main() {
+
+	var stun_server string
+	var local_port_64 uint64
+	var redir_port_64 uint64
+	var interval int
+	var enable_ipv6 bool
+	
+	flag.StringVar(&stun_server, "s", "stun.mixvoip.com:3478", "stun server address in [addr:port] format, must support stun over tcp.")
+	flag.Uint64Var(&local_port_64, "l", 12345, "local port")
+	flag.Uint64Var(&redir_port_64, "r", 14885, "redir port")
+	flag.IntVar(&interval, "i", 120, "interval between two stun request in second")
+	flag.BoolVar(&enable_ipv6, "6", false, "whether to enable ipv6 forwarding. Note that the forwarding port for ipv6 is the external port rather than local port, and will be modified when nat mapping change")
+	flag.Parse()
+
+	var local_port uint16 = uint16(local_port_64)
+	var redir_port uint16 = uint16(redir_port_64)
+
+	server_ip_list, err := net.LookupIP(strings.Split(stun_server, ":")[0])
+	if err != nil {
+		log.Fatalln("can't resolve stun server's hostname", err)
+	}
+	server_ip := server_ip_list[0].String()
+	server_port_64, err := strconv.ParseUint(strings.Split(stun_server, ":")[1], 10, 16)
+	server_port := uint16(server_port_64)
+
+	set_rule_v4(local_port, redir_port)
+	if enable_ipv6 {
+		log.Println("ipv6 firewall rule enabled")
+		set_rule_v6()
+	}
+
+	go syn_loop(local_port, server_ip, server_port)
+
+	var external_port uint16 = 0
+	for true {
+
+		request(local_port, &external_port, server_ip, server_port, redir_port, enable_ipv6)
+		time.Sleep(time.Duration(interval) * time.Second)
+	}
+
+}
--- a/client/raw.go
+++ b/client/raw.go
@@ -0,0 +1,72 @@
+package main
+
+import (
+	"log"
+	"math/rand"
+	"net"
+	"strconv"
+	"time"
+
+	"github.com/google/gopacket"
+	"github.com/google/gopacket/layers"
+)
+
+func local_ip(server_addr string) net.IP {
+
+	conn, err := net.Dial("udp4", server_addr)
+	if err != nil {
+		log.Println("failed to get local ip")
+		log.Fatalln(err)
+	}
+	defer conn.Close()
+
+	local_addr := conn.LocalAddr().(*net.UDPAddr)
+	return local_addr.IP
+}
+
+func send_syn(local_port uint16, server_ip string, server_port uint16) {
+
+	src_ip := local_ip(server_ip + ":" + strconv.Itoa(int(server_port)))
+	dst_ip := net.ParseIP("1.0.0.1").To4()
+	src_port := layers.TCPPort(local_port)
+	dst_port := layers.TCPPort(443)
+
+	ip_header := &layers.IPv4{
+		SrcIP:    src_ip,
+		DstIP:    dst_ip,
+		Version:  4,
+		TTL:      64,
+		Protocol: layers.IPProtocolTCP,
+	}
+
+	rand.Seed(time.Now().UnixNano())
+	tcp_header := &layers.TCP{
+		SrcPort: src_port,
+		DstPort: dst_port,
+		Seq:     rand.Uint32(),
+		SYN:     true,
+		Window:  65535,
+	}
+	tcp_header.SetNetworkLayerForChecksum(ip_header)
+
+	buf := gopacket.NewSerializeBuffer()
+	opts := gopacket.SerializeOptions{
+		ComputeChecksums: true,
+		FixLengths:       true,
+	}
+	if err := gopacket.SerializeLayers(buf, opts, tcp_header); err != nil {
+		log.Fatal(err)
+	}
+
+	conn, err := net.ListenPacket("ip4:tcp", "0.0.0.0")
+	if err != nil {
+		log.Fatalln(err)
+	}
+
+	if _, err := conn.WriteTo(buf.Bytes(), &net.IPAddr{IP: dst_ip}); err != nil {
+		log.Fatalln(err)
+	}
+	log.Println("send syn packet to " + dst_ip.String() + ":" + strconv.FormatUint(uint64(dst_port), 10))
+
+	conn.Close()
+}
--- a/client/stun.go
+++ b/client/stun.go
@@ -0,0 +1,85 @@
+package main
+
+import (
+	"log"
+	"net"
+	"os"
+	"strconv"
+	"time"
+
+	"github.com/pion/stun"
+)
+
+func request(local_port uint16, external_port *uint16, server_ip string, server_port uint16, redir_port uint16, enable_ipv6 bool) {
+
+	lAddr := &net.TCPAddr{
+		Port: int(local_port),
+	}
+	d := &net.Dialer{
+		Timeout:   5 * time.Second,
+		LocalAddr: lAddr,
+	}
+
+	stun_dial(d, local_port, external_port, server_ip, server_port, redir_port, enable_ipv6)
+}
+
+func stun_dial(d *net.Dialer, local_port uint16, external_port *uint16, server_ip string, server_port uint16, redir_port uint16, enable_ipv6 bool) {
+
+	log.Println("connecting to stun server...")
+
+	conn, err := d.Dial("tcp4", server_ip+":"+strconv.FormatUint(uint64(server_port), 10))
+	if err != nil {
+		log.Println(err)
+		return
+	}
+
+	c, err := stun.NewClient(conn)
+	if err != nil {
+		log.Println(err)
+		return
+	}
+	if err = c.Do(stun.MustBuild(stun.TransactionID, stun.BindingRequest), func(res stun.Event) {
+
+		if res.Error != nil {
+			log.Println(res.Error)
+			return
+		}
+		var xorAddr stun.XORMappedAddress
+		if getErr := xorAddr.GetFrom(res.Message); getErr != nil {
+			log.Println(getErr)
+			if err := c.Close(); err != nil {
+				log.Println(err)
+				return
+			}
+			return
+		}
+		if int(*external_port) == xorAddr.Port {
+			log.Println("stun: external port:", xorAddr.Port, "no change")
+			return
+		} else {
+			log.Println("stun: external port:", xorAddr.Port, "updating file...")
+			err = os.WriteFile("/tmp/external.port", []byte(strconv.Itoa(xorAddr.Port)), 0777)
+			if err != nil {
+				log.Println(err)
+				return
+			}
+
+			if enable_ipv6 {
+				log.Println("updating ipv6 firewall rules...")
+				modify_rule_v6(uint16(xorAddr.Port), redir_port)
+			}
+
+			*external_port = uint16(xorAddr.Port)
+
+			return
+		}
+
+	}); err != nil {
+		log.Println("do:", err)
+		return
+	}
+	if err := c.Close(); err != nil {
+		log.Println(err)
+		return
+	}
+}
--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+if [ $IPTABLES_BACKEND = "legacy" ]
+then
+    update-alternatives --set iptables /usr/sbin/iptables-legacy
+    update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy
+    update-alternatives --set arptables /usr/sbin/arptables-legacy
+    update-alternatives --set ebtables /usr/sbin/ebtables-legacy
+elif [ $IPTABLES_BACKEND = "nft" ]
+then
+    update-alternatives --set iptables /usr/sbin/iptables-nft
+    update-alternatives --set ip6tables /usr/sbin/ip6tables-nft
+    update-alternatives --set arptables /usr/sbin/arptables-nft
+    update-alternatives --set ebtables /usr/sbin/ebtables-nft
+else
+    echo "environment variable IPTABLES_BACKEND is unrecognized, use -h for more help"
+    exit 1
+fi
+
+/usr/bin/trav $*
--- a/http-modify-query-string.py
+++ b/http-modify-query-string.py
@@ -0,0 +1,20 @@
+"""Modify HTTP query parameters."""
+from mitmproxy import http
+
+def request(flow: http.HTTPFlow) -> None:
+    try:
+        with open("/tmp/external.port") as f:
+            content = f.read()
+
+            if content.isdigit() and 1024 < int(content) < 65535 :
+                if "port" in flow.request.query and flow.request.query["port"].isdigit() :
+                    flow.request.query["port"] = content
+                    print("successfully modify port to", content)
+                else :
+                    print("url doesn't contain port parameters or port is null, skipping")
+                    return
+            else :
+                print("invalid port:", content)
+                return
+    except OSError:
+        ptinr("OSError:", OSError)