This post is in follow up to my post on dansguardian (web content filtering).
In that post I demonstrated how to configure dansguardian, iptables, and firefox the “long way” so people would understand the “basic” principles of what we were doing.
With this post I would like to show how to configure transparent proxies. Successful configuration of a transparent proxy means http traffic is automagically redirected. The advantage of this technique is that the system administrator does not need to manually configure each and every client for each and every user.
Advantage of a transparent proxy: Easy to set up (less work) and you get to show off a few nifty iptables rules.
Limitations of a transparent proxy: This technique does NOT work for ssl (https). This is thus a trade off (very few ads / pr0n are served over https). If needed, you could manually configure your client (firefox) to use a proxy for https.
Note: In this post, I am assuming your default Policy in iptables is ACCEPT; if you change the default Policy to REJECT or DROP you will need to adjust the iptables rules accordingly.
In this post I will demonstrate how to do this on a single computer. The target audience is a home user needing to configure one or perhaps a few client computers.
Managing multiple computers on a large LAN is a bit more complex and is thus beyond what I wanted to demonstrate in this blog. You would need to, at a minimum, set up a computer with two network interface cards – one to the internet and the second to your LAN. Squid is the more common proxy in this use case (a large LAN) as squid has more features. I would suggest you either look at a firewall specific distro (IPCop, IPFire, Vyatta), shorewall, or learn iptables and NAT. If you want a transparent proxy on a large LAN I would refer you to one of the many how-tos on configuring squid as a transparent proxy:
How to setup squid as a transparent proxy
Detailed how to configure squid as a transparent proxy
For this blog let us assume you have a single computer with several users and several http clients (firefox, chromium, opera, etc). Rather than configuring each and every user / client you can use a few “simple” rules in iptables.
This how-to assumes you have installed and configured your proxy (tinyproxy, privoxy, squid, dansguardian). If you need to install and configure dansguardian, see my previous post on dansguardian.
I will demonstrate two use cases: privoxy alone and privoxy + dansguardian.
First use case – Privoxy
We need to configure privoxy and iptables.
Using any editor, open /etc/privoxy/config
sudo nano /etc/privoxy/config
Search (Ctrl-W) for and edit the following two lines:
Change:
listen-address localhost:8118
To:
listen-address 127.0.0.1:8118
And change
accept-intercepted-requests 0
To
accept-intercepted-requests 1
The privoxy configuration file explains these options.
Next add two rules to iptables:
sudo iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner root -j ACCEPT
sudo iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner ! --uid-owner privoxy -j REDIRECT --to-port 8118
The first line allows root (necessary if you wish to use apt-get).
The second line sets up privoxy as a transparent proxy for all users.
That’s all, no need to configure Firefox, wget, or any client.
If you use other proxies, use the appropriate user name. The user names for some common proxies are:
privoxy = privoxy
squid = proxy
tinyproxy = nobody
dansguardian = dansguardian
Second use case – Dansguardian
sudo iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner root -j ACCEPT
sudo iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner bodhi -j REDIRECT --to-port 8118
sudo iptables -t nat -A OUTPUT -p tcp --dport 8118 -m owner ! --uid-owner dansguardian -j REDIRECT --to-port 8080
sudo iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner ! --uid-owner privoxy -j REDIRECT --to-port 8080
The first line allows root (necessary if you wish to use apt-get).
The second line redirects the parent’s (bodhi) traffic to Privoxy (port 8118). Add additional users if needed. Omit this line if you wish all traffic to go through dansguardian.
The third line redirects people (other than bodhi) attempting to connect directly to privoxy (to circumvent dansguardian) to dansguardian (port 8080) instead.
The fourth line redirects children (everyone else not specifically redirected to privoxy) to dansguardian.
That’s all, no need to configure Firefox, Chromium, Opera, links, wget, or any client.
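As an added example (not code from the original post), here is a small simulator of how the kernel walks the nat OUTPUT rules from both use cases above: first match wins, ACCEPT stops evaluation, and a REDIRECTed connection is then re-issued by the proxy daemon under its own uid. It assumes the post’s user names and ports, that dansguardian hands requests to privoxy on 8118 and that privoxy fetches port 80 upstream, and it includes a constructed misconfiguration (privoxy not exempted from the port-80 rule) to show the redirect loop that the “! --uid-owner privoxy” match prevents.

```python
import re
# Constructed sample: the nat OUTPUT rules of the Privoxy + DansGuardian use case
# as `iptables-save -t nat` prints them (assumption: the post's users and ports).
RULES = """
-A OUTPUT -p tcp -m tcp --dport 80 -m owner --uid-owner root -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -m owner --uid-owner bodhi -j REDIRECT --to-ports 8118
-A OUTPUT -p tcp -m tcp --dport 8118 -m owner ! --uid-owner dansguardian -j REDIRECT --to-ports 8080
-A OUTPUT -p tcp -m tcp --dport 80 -m owner ! --uid-owner privoxy -j REDIRECT --to-ports 8080
"""
# Constructed misconfiguration: the last rule no longer exempts privoxy, so its
# own upstream fetches on port 80 are pulled back into dansguardian.
BROKEN_RULES = RULES.replace("! --uid-owner privoxy", "! --uid-owner nobody")

# Who owns each listening port and where that daemon connects next (assumption:
# dansguardian hands requests to privoxy, privoxy fetches port 80 upstream).
LISTENERS = {8118: "privoxy", 8080: "dansguardian"}
NEXT_HOP = {"dansguardian": 8118, "privoxy": 80}

RULE_RE = re.compile(r"--dport (\d+)(?: -m owner (!\s*)?--uid-owner (\S+))?"
                     r" -j (ACCEPT|REDIRECT)(?: --to-ports? (\d+))?")

def parse_rules(text):
    """(dport, uid or None, negated, target, to_port) tuples in chain order."""
    out = []
    for m in filter(None, map(RULE_RE.search, text.splitlines())):
        dport, neg, uid, target, to = m.groups()
        out.append((int(dport), uid, bool(neg), target, int(to) if to else None))
    return out

def resolve(rules, user, dport):
    """Port a new connection lands on: the first matching nat OUTPUT rule wins,
    ACCEPT ends evaluation, and no match leaves the destination port unchanged."""
    for rport, uid, negated, target, to in rules:
        if rport == dport and (uid is None or (uid == user) != negated):
            return dport if target == "ACCEPT" else to
    return dport

def trace(rules, user, dport, limit=6):
    """Follow the connection through the local proxies until it leaves the box.
    Returns the (user, port) connections made in order, or None on a loop."""
    path = [(user, dport)]
    for _ in range(limit):
        landed = resolve(rules, user, dport)
        if landed not in LISTENERS:      # nothing local on that port: it went out
            return path
        user = LISTENERS[landed]         # the daemon now opens its own connection
        dport = NEXT_HOP[user]
        path.append((user, dport))
    return None                          # still bouncing between proxies: loop
```

Running trace(parse_rules(RULES), "child", 80) shows a child’s request passing through dansguardian and then privoxy before leaving on port 80, while the same call on BROKEN_RULES returns None because privoxy’s own fetch is redirected back into dansguardian.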
Configure iptables
The last step is to configure iptables so the above rules are active on boot.
Iptables – Use this section if you DO NOT use UFW
Set up iptables as above, then save your settings:
sudo bash -c "iptables-save > /etc/iptables.save"
Using any editor, open /etc/rc.local and add the following line (above exit 0)
iptables-restore /etc/iptables.save
exit 0
UFW – Use this section if you use UFW
Or if you use ufw you will need to manually edit /etc/ufw/before.rules. Add your rules at the bottom of the file.
The “trick”, however, is to add the proper syntax for the nat table.
sudo nano /etc/ufw/before.rules
Add a section for nat, at the very bottom of the file, BELOW the COMMIT line (shown at the top of the edits below):
For Privoxy (without dansguardian)
# don't delete the 'COMMIT' line or these rules won't be processed
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A OUTPUT -p tcp -m tcp --dport 80 -m owner --uid-owner root -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -m owner ! --uid-owner privoxy -j REDIRECT --to-port 8118
# don't delete the 'COMMIT' line or these rules won't be processed
COMMIT
Dansguardian + Privoxy
# don't delete the 'COMMIT' line or these rules won't be processed
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A OUTPUT -p tcp -m tcp --dport 80 -m owner --uid-owner root -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -m owner --uid-owner bodhi -j REDIRECT --to-port 8118
-A OUTPUT -p tcp -m tcp --dport 8118 -m owner ! --uid-owner dansguardian -j REDIRECT --to-port 8080
-A OUTPUT -p tcp -m tcp --dport 80 -m owner ! --uid-owner privoxy -j REDIRECT --to-port 8080
# don't delete the 'COMMIT' line or these rules won't be processed
COMMIT
Bonus – Restrict external access to privoxy / dansguardian
Iptables
Neither Privoxy nor Dansguardian *should* accept requests from remote computers. If you wish to add rules to iptables to guarantee this, use the following:
Privoxy:
sudo iptables -A INPUT -p tcp -m tcp --dport 8118 -m state --state ESTABLISHED,RELATED -j ACCEPT
# For Localhost access only
sudo iptables -A INPUT -p tcp --dport 8118 -m state --state NEW ! -i lo -j DROP
# For access from your LAN
sudo iptables -A INPUT -p tcp --dport 8118 -m state --state NEW ! -s 192.168.0.0/24 -j DROP
Privoxy + Dansguardian
sudo iptables -A INPUT -p tcp -m tcp --dport 8118 -m state --state ESTABLISHED,RELATED -j ACCEPT
# For Localhost access only
sudo iptables -A INPUT -p tcp -m multiport --dports 8118,8080 -m state --state NEW ! -i lo -j DROP
# For access from your LAN
sudo iptables -A INPUT -p tcp -m multiport --dports 8118,8080 -m state --state NEW ! -s 192.168.0.0/24 -j DROP
Save your new iptables rules
sudo bash -c "iptables-save > /etc/iptables.save"
UFW
Privoxy (Assuming your LAN is 192.168.0.0/24 and the Privoxy server IP is 192.168.0.10):
# Allow localhost only
sudo ufw deny 8118
# Allow your LAN (assuming your LAN is 192.168.0.0/24)
sudo ufw allow from 192.168.0.0/24 to 192.168.0.10 port 8118
sudo ufw deny 8118
Privoxy + Dansguardian
# Allow localhost only
sudo ufw deny 8080
sudo ufw deny 8118
# Allow your LAN (assuming your LAN is 192.168.0.0/24)
sudo ufw allow from 192.168.0.0/24 to 192.168.0.10 port 8080
sudo ufw allow from 192.168.0.0/24 to 192.168.0.10 port 8118
sudo ufw deny 8080
sudo ufw deny 8118
If you understand the basic principles in this post, configuring squid as a transparent proxy on a large LAN should be easier to comprehend.
Why do you list shorewall as a distro? Its nothing more than a perl script.
patrickdk – thank you for bringing that to my attention, I fixed that. I guess my point was to give people some guidance as to the options.
thanks bodhi. This is great. I appreciate you taking the time to create this.
I am using dansguardian with privoxy with the steps I got from your dansguardian tutorial. Now I want to follow the steps in this tutorial to enable my 2 clients to be protected using dansguardian. I believe that is what this tutorial is for. But I don’t see anything about how to configure my clients. How should my clients be configured? And by the way, do I need a special configuration due to the strange way my network operates? I connect to the internet using a gsm modem. Then I have two network cards. One is set to share internet to the clients through my router, and the other enables me to connect to the router’s network. In that case, will the transparent proxy work?
thanks,
Sorry about my earlier post about clients. On re-reading the tutorial I saw that you meant http clients like browsers and not clients like other computers. This line in your post “The target audience is a home user needing to configure one or perhaps a few client computers.” totally confused me. You may want to bold the “http client” part to make it clear.
so if i am to configure it for other computers, you are saying that privoxy may not be up to the task, right? and that i should go squids way. well, i was avoiding squid cos i heard it was slow and more difficult to configure but now i guess i have little or no choice though i wish i could have used privoxy.
I noticed that layout of this post may be a bit confusing. I think to make it easier for newbies like me if you could post all the steps for those using only privoxy including the ufw rules under a heading called “Using Privoxy only” and then the steps for those using privoxy + dansguardian under another heading called “Using Privoxy + Dansguardian”.
just out of curiosity, what are the benefits and drawbacks, if any of implementing the steps under the heading “Bonus – Restrict external access to privoxy / dansguardian”?
thanks
@mbuotidem :
You can use privoxy on a gateway or as a centralized proxy, the setup is a bit different, but it will work.
Squid is a complex proxy, and if you need the complex features it offers there is no substitute. Otherwise, if privoxy meets your needs stay with privoxy.
The “bonus” section is for additional security. It is unnecessary if you are behind a router.
@mbuotidem
Configuration of your clients is highly dependent on your network.
Easiest it to configure your clients. In Firefox, for example, you would configure the client to point to the proxy.
If you want a transparent proxy, configure the proxy on the gateway. I did not blog on that, google search squid transparent proxy and adapt the iptables rules.
Hi, bodhi!
I’m trying to use dansguardian + privoxy on my daughter’s laptop running under lubuntu 10.10. I’ve done everything you wrote above but had no success. Please help! I can’t find you on irc.
@bromium : Start a thread on the Ubuntu Forums and send me a PM with the link. Be sure to include additional information: what have you done so far and what seems to be wrong?
I have forwarded my network http traffic to my transparent squid proxy. Below guide will help all Cisco users..
http://www.mytricks.in/2011/08/redirect-http-traffic-from-cisco.html
Hi
I did the changes in Privoxy config and added the routing but privoxy is not catching the traffic over OpenVpn or PPTP? Any suggestions?
thanks
Test – I can’t post anything…
hi bodhi,
Due to the demand at my current workplace, I was tasked to set up a proxy server to limit internet usage in terms of browsing by the users to sites which are not work related. I used Vyatta as my web proxy and it works perfectly as expected. I was just having some serious problems with some of the techy staff that know how to bypass the proxy using free online proxies that can be found on the internet.
I was wondering if you can please help me out on how to set vyatta as a transparent webproxy rather than setting vyatta as a gateway.
Thank you for any consideration and assistance.
Regards,
Lorenze
@renzo – Yea, tech savvy users can be like that. You have several options. One is to ask them to stop. Another is to use a web proxy such as squid. Start blocking IP addresses, TOR exit nodes, etc. Sort of depends on corporate policy and the sensitivity of your data. Punching holes in firewalls would be grounds for termination in some environments. Good luck.
Does the above tutorial also work for a tor transparent proxy?
@Hais Wahyu Fajari This tutorial / method should work with any proxy, just make sure you have the ports correct as different proxies use different default ports.
sudo nano /etc/privoxy/conf
should be
sudo nano /etc/privoxy/config
You used the correct one in your other article.
Thanks Rob, fixed
can you show what the firewall rules would be for folks using
freebsd pf firewall
I’m using my laptop as the client and server ..where my laptop runs the browser, firewall and squid ..
Thanks in advance ..
@Logan I have not used pf firewall, should be somewhat similar syntax.