aptosid.com
Software - Transparent proxy and browser on same computer
mbod - 07.01.2011, 12:15
Post subject: Transparent proxy and browser on same computer
Hello,
I have squid3 and squidGuard installed on my computer, and iceweasel is forced to use the proxy with a system-wide mozilla.cfg file. So far so good.
But what I really want is that the proxy is mandatory for every webbrowser (konqueror, chrome, firefox, lynx, etc.) on this computer.
All I can find on the internet are instructions with dedicated proxy servers with separate clients. But that does not work for me. I have one computer and this one computer needs to do both: Be a transparent proxy and execute the various browser programs.
Is it at all possible to have a transparent proxy with this setup? Your help is highly appreciated.
Thanks
Matthias
slh - 07.01.2011, 13:32
Post subject: RE: Transparent proxy and browser on same computer
The easiest way would be to put your proxy in a small headless virtual machine (kvm & virtio preferred) and treat it just like a separate system on your network. Denying applications direct access just means that they mustn't have any option to access anything on the outside, except through the proxy - while there are ways to tag packets on a per-application basis (or jail-like approaches, think lxc/openvz coupled with custom selinux rules and stuff), those are a lot more complex to implement.
mbod - 20.03.2011, 08:49
Post subject: found the solution
The easiest way to create a transparent proxy on a single PC which is browser and proxy at the same time is to use squid3 and iptables.
I found the solution here:
http://blog.bodhizazen.net/linux/how-to-transparent-proxy/
In squid.conf I needed to make the following changes:
Code:
# uncomment
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
# add
http_access allow localnet
# add "intercept"
http_port 3128 intercept
The next step is to create two rules with iptables:
Code:
# root (apt, cron, ...) is left alone and may talk to port 80 directly
iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner root -j ACCEPT
# everything else on port 80, except squid's own upstream fetches (user "proxy"), is redirected to the local intercept port
iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner ! --uid-owner proxy -j REDIRECT --to-port 3128
Make sure to have "iptables-persistent" installed and save the settings:
Code:
iptables-save > /etc/iptables/rules.v4
This is all. The proxy is now transparent without touching the applications. Each request for port 80 is run through the proxy.
Matthias
slh - 22.03.2011, 02:30
Post subject: RE: found the solution
...which is nice, but doesn't drop all kinds of internet access circumventing the proxy, but just port 80 - there are 65533 other usable ports, different transport protocols and totally different means of transporting information through the internet.
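As an added example (not code from either poster), here is a script that generates the complete ruleset in the iptables-restore format that iptables-persistent loads from /etc/iptables/rules.v4, covering both the redirect rules from the post above and the objection in the reply that port 80 alone does not make the proxy mandatory. It assumes, as in the post, that squid runs as the Debian user "proxy" and listens on 3128 in intercept mode; the user name is resolved to a numeric uid at generation time so the saved file does not depend on name lookups when it is restored at boot. The filter-table rules are this example's own addition: they refuse new outbound TCP and UDP from unprivileged users on every other port, so nothing bypasses squid. Under these rules HTTPS (port 443) from a browser is refused as well, unless squid is also given a second, non-intercept http_port and browsers are pointed at it explicitly, which the thread does not cover.

```shell
#!/bin/sh
# Generate an iptables-restore ruleset for a host that is both the browser
# machine and the squid host. Added example; not from the original thread.
# Assumed layout: squid runs as user "proxy" with "http_port 3128 intercept".

# Resolve a user name to its numeric uid (the saved file must not rely on
# name lookups at restore time).
uid_of() {
    id -u "$1"
}

# Print the ruleset. $1 = numeric uid squid runs as, $2 = squid intercept port.
gen_rules() {
    proxy_uid=$1
    proxy_port=$2
    cat <<EOF
*nat
:OUTPUT ACCEPT [0:0]
# root (apt, cron, ...) keeps direct access, as in the original post
-A OUTPUT -p tcp --dport 80 -m owner --uid-owner 0 -j ACCEPT
# squid's own upstream fetches must not be redirected back into squid
-A OUTPUT -p tcp --dport 80 -m owner --uid-owner $proxy_uid -j ACCEPT
# everything else on port 80 is handed to the local intercept port
-A OUTPUT -p tcp --dport 80 -j REDIRECT --to-ports $proxy_port
COMMIT
*filter
:OUTPUT ACCEPT [0:0]
# the redirected connections reach squid over loopback
-A OUTPUT -o lo -j ACCEPT
# packets belonging to connections that were already allowed
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# root and squid itself are unrestricted
-A OUTPUT -m owner --uid-owner 0 -j ACCEPT
-A OUTPUT -m owner --uid-owner $proxy_uid -j ACCEPT
# browsers still need the resolver
-A OUTPUT -p udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp --dport 53 -j ACCEPT
# any other new connection from an unprivileged user is refused,
# so no port or protocol other than the redirected port 80 bypasses squid
-A OUTPUT -p tcp --syn -j REJECT --reject-with tcp-reset
-A OUTPUT -p udp -j REJECT
COMMIT
EOF
}

# Usage: sh gen-rules.sh proxy 3128 > /etc/iptables/rules.v4
#        iptables-restore < /etc/iptables/rules.v4
if [ $# -eq 2 ]; then
    gen_rules "$(uid_of "$1")" "$2"
fi
```

Because the generated file is what iptables-persistent restores at boot, it replaces the `iptables-save` step in the post; the same two nat rules are present, only split into two ACCEPTs instead of one negated match.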