aptosid.com

Software - Transparent proxy and browser on same computer

mbod - 07.01.2011, 12:15
Post subject: Transparent proxy and browser on same computer
Hello,

I have squid3 and squidGuard installed on my computer and iceweasel is forced to use the proxy with a system wide mozilla.cfg file. So far so good.

But what I really want is that the proxy is mandatory for every webbrowser (konqueror, chrome, firefox, lynx, etc.) on this computer.

All I can find on the internet are instructions with dedicated proxy servers with separate clients. But that does not work for me. I have one computer and this one computer needs to do both: Be a transparent proxy and execute the various browser programs.

Is it at all possible to have a transparent proxy with this setup? Your help is highly appreciated.

Thanks
Matthias
slh - 07.01.2011, 13:32
Post subject: RE: Transparent proxy and browser on same computer
The easiest way would be to put your proxy in a small headless virtual machine (kvm & virtio preferred) and treat it just like a separate system on your network. Denying applications direct access just means that they mustn't have any option to access anything on the outside, except through the proxy. While there are ways to tag packets on a per-application basis (or jail-like approaches, think lxc/openvz coupled with custom selinux rules and stuff), those are a lot more complex to implement.
mbod - 20.03.2011, 08:49
Post subject: found the solution
The easiest way to create a transparent proxy on a single PC which is browser and proxy at the same time is to use squid3 and iptables.

I found the solution here:
http://blog.bodhizazen.net/linux/how-to-transparent-proxy/

In squid.conf I needed to make the following changes:
      Code:
# uncomment
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
# add
http_access allow localnet
# add "intercept"
http_port 3128 intercept


Next step is to create two rules with iptables:
      Code:
# port-80 connections opened by root are left alone (not proxied)
iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner root -j ACCEPT
# port-80 connections of every other user, except Squid's own (user "proxy"), go to the intercept port
iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner ! --uid-owner proxy -j REDIRECT --to-port 3128


Make sure to have "iptables-persistent" installed and save the settings:
      Code:
iptables-save > /etc/iptables/rules.v4


This is all. The proxy is now transparent without touching the applications. Each request for port 80 is run through the proxy.

Matthias
slh - 22.03.2011, 02:30
Post subject: RE: found the solution
...which is nice, but doesn't drop all kinds of internet access circumventing the proxy, but just port 80 - there are 65533 other usable ports, different transport protocols and totally different means of transporting information through the internet.
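Added example, not code from either poster: the two nat rules from the post above, rebuilt as an iptables-restore ruleset and extended with a filter-table OUTPUT policy so that the bypass slh describes (any port other than 80, any other protocol) is rejected and logged instead of silently allowed. Assumptions not stated in the thread: Squid runs as the Debian user "proxy" and listens on 3128 with "http_port 3128 intercept"; the resolver address 192.0.2.53 is a placeholder to replace with the real one. The ruleset is generated as text first so it can be reviewed, written to /etc/iptables/rules.v4, or applied with iptables-restore; only "apply" needs root.

```shell
#!/bin/sh
# Single-host transparent Squid: redirect plain HTTP into the intercept port
# and refuse every other direct Internet connection from non-proxy users.
# Assumed values (not from the thread); override via the environment.
PROXY_USER="${PROXY_USER:-proxy}"
PROXY_PORT="${PROXY_PORT:-3128}"
DNS_SERVER="${DNS_SERVER:-192.0.2.53}"   # placeholder resolver address

# Print the complete ruleset in iptables-restore format (IPv4 only).
gen_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Squid's own upstream fetches must not be redirected back into Squid (loop).
-A OUTPUT -p tcp --dport 80 -m owner --uid-owner ${PROXY_USER} -j ACCEPT
# Every other process talking plain HTTP is handed to the intercept port.
-A OUTPUT -p tcp --dport 80 -j REDIRECT --to-ports ${PROXY_PORT}
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT DROP [0:0]
# Redirected connections arrive at 127.0.0.1:${PROXY_PORT} over loopback.
-A OUTPUT -o lo -j ACCEPT
# Only the proxy user may open outbound connections to the Internet.
-A OUTPUT -m owner --uid-owner ${PROXY_USER} -j ACCEPT
# Browsers still resolve names themselves in intercept mode, so allow DNS.
-A OUTPUT -p udp -d ${DNS_SERVER} --dport 53 -j ACCEPT
-A OUTPUT -p tcp -d ${DNS_SERVER} --dport 53 -j ACCEPT
# Replies belonging to connections already permitted (e.g. to local sshd).
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Anything else (443, SSH tunnels, other protocols) is logged, then refused.
-A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "proxy-bypass: "
-A OUTPUT -j REJECT --reject-with icmp-admin-prohibited
COMMIT
EOF
}

# Load the ruleset into the running kernel (requires root).
apply_rules() {
    gen_rules | iptables-restore
}

# Persist it where iptables-persistent reloads it at boot (requires root).
save_rules() {
    gen_rules > /etc/iptables/rules.v4
}

case "${1:-print}" in
    print) gen_rules ;;
    apply) apply_rules ;;
    save)  save_rules ;;
    *)     echo "usage: $0 [print|apply|save]" >&2; exit 2 ;;
esac
```

Two caveats a practitioner should keep in mind. The owner match is a policy control on unprivileged users only: root is not exempted here, but root can switch to the proxy uid or flush the table at will, so root-run tools such as apt should simply be configured to use the proxy. And the ruleset is IPv4 only; on a host with working IPv6 the same rules must be loaded with ip6tables as well, or the bypass is a matter of preferring the AAAA record.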