Friday, April 27, 2012

Transparent Proxy on Linux using redsocks


  Adapted form    http://pritambaral.com/2012/04/transparent-proxy-on-linux/ 

This post is targeted at those Linux users behind a network proxy   but cannot set it in an app, or are just plain lazy to go about telling every app to use a proxy. I’ll give a quick rundown of the instructions for those in haste, with geeky details following towards the end. I’m assuming a fairly recent distro here, and I’m targeting the Ubuntu 12.04 release.

What we’ll need:

  • A Linux OS (obviously!)
  • redsocks (an app, check in your repos, or compile it yourself)
  • a text-editor
 On Ubuntu, we have another package that we’ll need, iptables-persistent. But before we install it, let’s set some rules (iptables rules.) Don’t worry, it’s nothing but a bunch a lines in a text file.
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A OUTPUT -d 10.0.0.0/8 -j RETURN
-A OUTPUT -d 127.0.0.0/8 -j RETURN
-A OUTPUT -d 192.168.0.0/16 -j RETURN
-A OUTPUT -o eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 127.0.0.1:5123
-A OUTPUT -o eth0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 127.0.0.1:5124
-A OUTPUT -o wlan0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 127.0.0.1:5123
-A OUTPUT -o wlan0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 127.0.0.1:5124
COMMIT
I saved it as redirect.rules and ran this command:
sudo iptables-restore ./redirect.rules
Now we shall install the package iptables-persitent. During the installation, it will ask you whether you want to save the current rules. Yes, you do. The redirection’s been set-up. Time to get the juicer running.
Install redsocks (if you haven’t already.) Save this in the file /etc/redsocks.conf
base {
 log_debug = off;
 log_info = off;
 log = "stderr";
 daemon = on;
 user = redsocks;
 group = redsocks;
 redirector = iptables;
}
redsocks {
 /* `local_ip' defaults to 127.0.0.1 for security reasons,
 * use 0.0.0.0 if you want to listen on every interface.
 * `local_*' are used as port to redirect to.
 */
 local_ip = 127.0.0.1;
 local_port = 5123;
// `ip' and `port' are IP and tcp-port of proxy-server
 ip = 10.201.13.50;
 port = 80;
// known types: socks4, socks5, http-connect, http-relay
 type = http-relay;
login = "LDAP ID HERE";
 password = "LDAP PASSWORD HERE";
}
redsocks {
 local_ip = 127.0.0.1;
 local_port = 5124;
ip = 10.201.13.50;
 port = 80;
type = http-connect;
login = "LDAP ID HERE TOO";
 password = "LDAP PASSWORD HERE TOO";
}
Make sure you feed your own LDAP IDs and passwords. AT BOTH LOCATIONS. Feed your password as-it-is, no matter what special character it has. (Unless, of course, it’s a double-quote itself! Bit of a soup there.)
Now either restart your system, or run sudo service redsocks start
Voila! You have the ultimate solution to proxy! You may (or may-not) set a proxy in Gnome, Firefox, wget, gedit, whatever; it will work. This will not interfere with what you have set in Chrome/Firefox/whatever. In fact, I recommend that you explicitly set a proxy wherever you can. You see, redsocks has a knack of getting in a bundle sometimes (too many pending requests…,) in which case, a simple sudo service redsocks restart should suffice.

This also “fixes” those apps which provide no method of setting a proxy whatsoever, e.g, Gwibber. Sadly, unsupported protocols still won’t work. Sorry, no Thunderbird, no torrents, no irc.
PS: This is the exact same method used by the Android app ProxyDroid to provide system-wide proxy on rooted Android devices.

1 comment:

Anonymous said...

iptables-persitent must be iptables-persistent