How to transparent proxy

This post is in follow up to my post on dansguardian (web content filtering).

In that post I demonstrated how to configure dansguardian, iptables, and firefox the “long way” so people would understand the “basic” principles of what we were doing.

With this post I would like to show how to configure a transparent proxy. A transparent proxy means http traffic is redirected to the proxy by the kernel (iptables) rather than by a setting in each program. The advantage of this technique is that the system administrator does not need to manually configure each and every client for each and every user.

Advantage of a transparent proxy: Easy to set up (less work) and you get to show off a few nifty iptables rules.

Limitations of a transparent proxy: This technique does NOT work for ssl (https). The proxy would have to terminate the TLS session to see the request, which neither privoxy nor dansguardian does in this setup, so redirecting port 443 would simply break the connection. This is thus a trade off (there are very few ads / pr0n on https). If needed, you could manually configure your client (firefox) to use the proxy for https; the proxy then sees only the CONNECT request with the host name, so it can block by host but cannot filter the content.

Note: In this post, I am assuming your default policy in iptables is ACCEPT. If you set the INPUT chain policy to DROP (or end the chain with a REJECT rule) you will need to adjust the rules accordingly: the redirected connections arrive on the loopback interface with a 127.0.0.1 destination, so at a minimum accept traffic on lo.

In this post I will demonstrate how to do this on a single computer. The target audience is a home user needing to configure one or perhaps a few client computers.

Managing multiple computers on a large LAN is more complex and is thus beyond what I wanted to demonstrate in this blog. You would need to, at a minimum, set up a computer with two network interface cards – one to the internet and the second to your LAN – and the redirect rules would then go in the PREROUTING chain (traffic arriving from the LAN) rather than the OUTPUT chain used here (traffic generated on the same machine). Squid is the more common proxy in this use case (large LAN) as squid has more features. I would suggest you either look at a firewall specific distro (IPCop, IPFire, Vyatta), shorewall, or learn iptables and NAT. If you want a transparent proxy on a large LAN I would refer you to one of the many how-to's on configuring squid as a transparent proxy:

How to setup squid as a transparent proxy

Detailed how to configure squid as a transparent proxy

For this blog let us assume you have a single computer with several users and several http clients (firefox, chromium, opera, etc). Rather than configuring each and every user / client you can use a few “simple” rules in iptables.

This how to assumes you have installed and configured your proxy (tinyproxy, privoxy, squid, dansguardian). If you need to install and configure dansguardian, see my previous post on dansguardian.

I will demonstrate two use cases: privoxy alone and privoxy + dansguardian.

First use case – Privoxy

We need to configure privoxy and iptables.

Using any editor, open /etc/privoxy/config

sudo nano /etc/privoxy/config

Search (Ctrl-W) for and edit the following two lines:

Change:
listen-address localhost:8118

To:

listen-address 127.0.0.1:8118

And change

accept-intercepted-requests 0

To

accept-intercepted-requests 1

The privoxy configuration file explains these options. The literal 127.0.0.1 makes sure privoxy listens on the IPv4 loopback address, which is where an iptables REDIRECT delivers locally generated packets. accept-intercepted-requests is needed because an intercepted browser request carries only the path (GET /index.html HTTP/1.1) plus a Host header, not the full URL a proxy normally receives; the option tells privoxy to rebuild the URL from the Host header instead of rejecting the request.

Next add two rules to iptables:

sudo iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner root -j ACCEPT
sudo iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner ! --uid-owner privoxy -j REDIRECT --to-port 8118

The first line exempts root (necessary if you wish to use apt-get; on current Debian/Ubuntu releases apt downloads as the _apt user, so add the same ACCEPT rule for that account).
The second line sets up privoxy as a transparent proxy for all other users. Rules are appended in order and the first match wins, so root's exception must come before the REDIRECT; excluding the privoxy user is what lets privoxy's own outbound requests reach the real web server instead of being redirected back into privoxy in a loop.

That’s all, no need to configure Firefox, wget, or any client. To check that interception is working, fetch a page as a normal user and confirm that the packet counter on the REDIRECT rule has gone up (iptables -t nat -L OUTPUT -v -n), or watch the request appear in /var/log/privoxy/logfile.

If you use another proxy, use the account it actually runs as; distributions differ, so check the User setting in the proxy's config or the owner of the running process (ps -o user= -C tinyproxy). The user names for some common proxies are:

privoxy = privoxy
squid = proxy
tinyproxy = nobody
dansguardian = dansguardian

Second use case – Dansguardian + Privoxy

sudo iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner root -j ACCEPT
sudo iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner bodhi -j REDIRECT --to-port 8118
sudo iptables -t nat -A OUTPUT -p tcp --dport 8118 -m owner ! --uid-owner dansguardian -j REDIRECT --to-port 8080
sudo iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner ! --uid-owner privoxy -j REDIRECT --to-port 8080

The first line allows root (necessary if you wish to use apt-get; on current Debian/Ubuntu releases apt downloads as the _apt user, so add the same ACCEPT rule for that account).
The second line redirects the parent's (bodhi) traffic to Privoxy (port 8118). Add additional users if needed. Omit this line if you wish all traffic to go through dansguardian.
The third line redirects anyone other than the dansguardian user who attempts to connect directly to privoxy (to circumvent dansguardian) back to dansguardian. The dansguardian user is excluded because dansguardian itself forwards to privoxy on port 8118 as its parent proxy (that part of dansguardian's configuration is covered in the previous post).
The fourth line redirects children (everyone else not specifically redirected to privoxy) to dansguardian (port 8080). As in the first use case the order matters: root's exception and the parent's redirect are tested first, and the privoxy user is excluded so its outbound requests reach the web.

That’s all, no need to configure Firefox, Chromium, Opera, links, wget, or any client.
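As an added example (my own script, not code from the original post), the rule sets of both use cases kept as data in a small shell script. It can print a set in the syntax iptables-restore reads, check that every account named in --uid-owner exists (iptables refuses the rule otherwise), and walk the OUTPUT chain first-match style for a given user and port, which is the quickest way to convince yourself that a child cannot reach privoxy directly and that the proxies' own connections are not redirected into a loop. It assumes the post's names (users root, bodhi, privoxy, dansguardian; ports 8118 and 8080); "child" is a made-up ordinary account, and apply_nat_rules is a convenience that needs sudo.

```shell
#!/bin/sh
# Added example, not code from the original post: the two nat OUTPUT rule sets
# kept as data, so one list can be rendered into iptables-restore syntax and
# also walked by a small first-match simulator that shows where a given user's
# connection ends up, before anything is loaded into the kernel.
# Assumed names are the post's: users root, bodhi, privoxy, dansguardian and
# ports 8118 (privoxy) / 8080 (dansguardian); "child" is a made-up ordinary user.
#
# Rule line: DPORT USER OP TARGET TOPORT   OP is "=" (match that user) or "!"
# (everyone but that user); TOPORT is "-" for ACCEPT. Order matters: first match wins.

RULES_PRIVOXY='
80 root = ACCEPT -
80 privoxy ! REDIRECT 8118
'

RULES_DANSGUARDIAN='
80 root = ACCEPT -
80 bodhi = REDIRECT 8118
8118 dansguardian ! REDIRECT 8080
80 privoxy ! REDIRECT 8080
'

# Render a rule set in the format iptables-restore reads (the same text that
# goes below COMMIT in /etc/ufw/before.rules).
emit_nat_rules() {
    printf '*nat\n:PREROUTING ACCEPT [0:0]\n:POSTROUTING ACCEPT [0:0]\n:OUTPUT ACCEPT [0:0]\n'
    while read -r dport user op target toport; do
        [ -z "$dport" ] && continue
        neg=''
        [ "$op" = '!' ] && neg='! '
        rule="-A OUTPUT -p tcp -m tcp --dport $dport -m owner ${neg}--uid-owner $user"
        if [ "$target" = ACCEPT ]; then
            printf '%s\n' "$rule -j ACCEPT"
        else
            printf '%s\n' "$rule -j REDIRECT --to-ports $toport"
        fi
    done <<EOF
$1
EOF
    printf 'COMMIT\n'
}

# First-match walk of a rule set for a connection by WHO to port DPORT.
# Prints the port the connection really reaches; the chain policy is ACCEPT,
# so an unmatched connection keeps its original port.
resolve_port() {
    rules=$1 who=$2 dport=$3
    while read -r rp user op target toport; do
        [ -z "$rp" ] && continue
        [ "$rp" = "$dport" ] || continue
        if [ "$op" = '!' ]; then
            [ "$user" != "$who" ] || continue
        else
            [ "$user" = "$who" ] || continue
        fi
        if [ "$target" = ACCEPT ]; then printf '%s\n' "$dport"; else printf '%s\n' "$toport"; fi
        return 0
    done <<EOF
$rules
EOF
    printf '%s\n' "$dport"
}

# iptables rejects a rule whose --uid-owner names an unknown account, so check
# every account in the set before loading (status 0 = all present).
users_exist() {
    while read -r dport user op target toport; do
        [ -z "$dport" ] && continue
        id "$user" >/dev/null 2>&1 || { echo "no such account: $user" >&2; return 1; }
    done <<EOF
$1
EOF
    return 0
}

# Load a set without flushing whatever else is already in the nat table.
apply_nat_rules() {
    users_exist "$1" && emit_nat_rules "$1" | sudo iptables-restore --noflush
}

# Dry run of the dansguardian set: the third rule is what stops "child" from
# talking to privoxy directly, and the "!" rules let the proxies themselves out.
for probe in 'root 80' 'bodhi 80' 'child 80' 'child 8118' 'dansguardian 8118' 'privoxy 80'; do
    set -- $probe
    printf '%-13s -> port %-5s reaches port %s\n' "$1" "$2" "$(resolve_port "$RULES_DANSGUARDIAN" "$1" "$2")"
done
```

Run it with sh to see the dry run; to load a set for real, source the file and call apply_nat_rules "$RULES_DANSGUARDIAN". iptables-restore --noflush appends to the nat table instead of replacing it, so rules already loaded by ufw or another tool survive.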

Configure iptables

The last step is to make the above rules persistent so they are active on boot.

Iptables – Use this section if you DO NOT use UFW

Set up iptables as above, then save your settings:

sudo bash -c "iptables-save > /etc/iptables.save"

Using any editor, open /etc/rc.local and add the following line (above exit 0). iptables-restore reads the saved rules from standard input, so use the redirection:

iptables-restore < /etc/iptables.save

exit 0

On Debian/Ubuntu the iptables-persistent package does the same job from /etc/iptables/rules.v4 and is the usual choice on a system without an rc.local.

UFW – Use this section if you use UFW

If you use ufw, edit /etc/ufw/before.rules instead; ufw loads that file itself on boot and on sudo ufw reload, so no rc.local entry is needed. Add your rules at the bottom of the file.

The “trick”, however, is to use the proper syntax for the nat table: it needs its own *nat header, chain declarations and COMMIT line, separate from the *filter table above it.

sudo nano /etc/ufw/before.rules

Add a section for nat, at the very bottom of the file, BELOW the existing COMMIT line (shown at the top of the edits below), then run sudo ufw reload:

For Privoxy (without dansguardian)

# don't delete the 'COMMIT' line or these rules won't be processed
COMMIT

*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A OUTPUT -p tcp -m tcp --dport 80 -m owner --uid-owner root -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -m owner ! --uid-owner privoxy -j REDIRECT --to-port 8118

# don't delete the 'COMMIT' line or these rules won't be processed
COMMIT

Dansguardian + Privoxy

# don't delete the 'COMMIT' line or these rules won't be processed
COMMIT

*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A OUTPUT -p tcp -m tcp --dport 80 -m owner --uid-owner root -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -m owner --uid-owner bodhi -j REDIRECT --to-port 8118
-A OUTPUT -p tcp -m tcp --dport 8118 -m owner ! --uid-owner dansguardian -j REDIRECT --to-port 8080
-A OUTPUT -p tcp -m tcp --dport 80 -m owner ! --uid-owner privoxy -j REDIRECT --to-port 8080

# don't delete the 'COMMIT' line or these rules won't be processed
COMMIT

Bonus – Restrict external access to privoxy / dansguardian

Iptables

Neither Privoxy nor Dansguardian *should* accept requests from remote computers. With listen-address 127.0.0.1 privoxy already refuses them, but dansguardian listens on all interfaces unless filterip is set in dansguardian.conf, so it is worth adding rules to iptables to guarantee this. Pick either the localhost-only rule or the LAN rule, not both:

Privoxy:

# Accept the loopback interface first. The redirected connections arrive there, and a
# connection made directly to 127.0.0.1:8118 has source 127.0.0.1, which is not in the
# LAN range and would otherwise be dropped by the LAN rule below.
sudo iptables -A INPUT -i lo -j ACCEPT
sudo iptables -A INPUT -p tcp -m tcp --dport 8118 -m state --state ESTABLISHED,RELATED -j ACCEPT

# For localhost access only
sudo iptables -A INPUT -p tcp --dport 8118 -m state --state NEW ! -i lo -j DROP

# For access from your LAN (privoxy must then also listen on the LAN address, not only 127.0.0.1)
sudo iptables -A INPUT -p tcp --dport 8118 -m state --state NEW ! -s 192.168.0.0/24 -j DROP

Privoxy + Dansguardian

# Accept the loopback interface first: dansguardian connects to privoxy on 127.0.0.1:8118,
# and that connection has source 127.0.0.1, which the LAN rule below would drop.
sudo iptables -A INPUT -i lo -j ACCEPT
sudo iptables -A INPUT -p tcp -m multiport --dports 8118,8080 -m state --state ESTABLISHED,RELATED -j ACCEPT

# For localhost access only
sudo iptables -A INPUT -p tcp -m multiport --dports 8118,8080 -m state --state NEW ! -i lo -j DROP

# For access from your LAN (LAN clients should reach dansguardian on 8080; leave privoxy
# on 127.0.0.1 unless you want the LAN to be able to bypass the filter)
sudo iptables -A INPUT -p tcp -m multiport --dports 8118,8080 -m state --state NEW ! -s 192.168.0.0/24 -j DROP

Save your new iptables rules

sudo bash -c "iptables-save > /etc/iptables.save"

UFW

Privoxy (assuming your LAN is 192.168.0.0/24 and the Privoxy server IP is 192.168.0.10; ufw already accepts everything on the loopback interface in its before.rules, so localhost access keeps working after the deny):

# Allow localhost only
sudo ufw deny 8118

# Allow your LAN (ufw evaluates rules in order, so add the allow before the deny; privoxy must then also listen on 192.168.0.10)
sudo ufw allow from 192.168.0.0/24 to 192.168.0.10 port 8118
sudo ufw deny 8118

Privoxy + Dansguardian

# Allow localhost only
sudo ufw deny 8080
sudo ufw deny 8118

# Allow your LAN (same assumptions as above)
sudo ufw allow from 192.168.0.0/24 to 192.168.0.10 port 8080
sudo ufw allow from 192.168.0.0/24 to 192.168.0.10 port 8118
sudo ufw deny 8080
sudo ufw deny 8118

If you understand the basic principles in this post, configuring squid as a transparent proxy on a large LAN should be easier to comprehend.

This entry was posted in Linux.

25 Responses to How to transparent proxy

  1. Pingback: Shadows of epiphany » Blog Archive » How to transparent proxy | Linux Affinity

  2. Pingback: Tweets that mention Shadows of epiphany » Blog Archive » How to transparent proxy -- Topsy.com

  3. patrickdk says:

    Why do you list shorewall as a distro? It's nothing more than a perl script.

  4. bodhi.zazen says:

    patrickdk – thank you for bringing that to my attention, I fixed that. I guess my point was to give people some guidance as to the options.

  5. duanedesign says:

    thanks bodhi. This is great. I appreciate you taking the time to create this.

  6. mbuotidem says:

    I am using dansguardian with privoxy with the steps I got from your dansguardian tutorial. Now I want to follow the steps in this tutorial to enable my 2 clients to be protected using dansguardian. I believe that is what this tutorial is for. But I don't see anything about how to configure my clients. How should my clients be configured? And by the way, do I need a special configuration due to the strange way my network operates? I connect to the internet using a GSM modem. Then I have two network cards. One is set to share internet to the clients through my router, and the other enables me to connect to the router's network. In that case, will the transparent proxy work?

    thanks,

  7. mbuotidem says:

    Sorry about my earlier post about clients. On re-reading the tutorial I saw that you meant http clients like browsers and not clients like other computers. This line in your post “The target audience is a home user needing to configure one or perhaps a few client computers.” totally confused me. You may want to bold the “http client” part to make it clear.

    So if I am to configure it for other computers, you are saying that privoxy may not be up to the task, right? And that I should go squid's way. Well, I was avoiding squid because I heard it was slow and more difficult to configure, but now I guess I have little or no choice, though I wish I could have used privoxy.

    I noticed that the layout of this post may be a bit confusing. I think it would make it easier for newbies like me if you could post all the steps for those using only privoxy, including the ufw rules, under a heading called “Using Privoxy only” and then the steps for those using privoxy + dansguardian under another heading called “Using Privoxy + Dansguardian”.

    Just out of curiosity, what are the benefits and drawbacks, if any, of implementing the steps under the heading “Bonus – Restrict external access to privoxy / dansguardian”?

    thanks

  8. bodhi.zazen says:

    @mbuotidem :

    You can use privoxy on a gateway or as a centralized proxy, the setup is a bit different, but it will work.

    Squid is a complex proxy, and if you need the complex features it offers there is no substitute. Otherwise, if privoxy meets your needs stay with privoxy.

    The “bonus” section is for additional security. It is unnecessary if you are behind a router.

  9. bodhi.zazen says:

    @mbuotidem

    Configuration of your clients is highly dependent on your network.

    Easiest is to configure your clients. In Firefox, for example, you would configure the client to point to the proxy.

    If you want a transparent proxy, configure the proxy on the gateway. I did not blog on that, google search squid transparent proxy and adapt the iptables rules.

  10. bromium says:

    Hi, bodhi!
    I’m trying to use dansguardian + privoxy on my daughter’s laptop running under lubuntu 10.10. I’ve done everything you wrote above but had no success. Please help! I can’t find you on irc.

  11. bodhi.zazen says:

    @bromium : Start a thread on the Ubuntu Forums and send me a PM with the link. Be sure to include additional information: what have you done so far and what seems to be wrong?

  12. Pingback: Solving the parental control problem in Ubuntu with Dansguardian and Privoxy | javadav.com

  13. Santosh says:

    I have forwarded my network http traffic to my transparent squid proxy. The guide below will help all Cisco users.

    http://www.mytricks.in/2011/08/redirect-http-traffic-from-cisco.html

  14. kelen says:

    Hi
    I did the changes in the Privoxy config and added the routing, but privoxy is not catching the traffic over OpenVPN or PPTP. Any suggestions?

    thanks

  15. Live says:

    Test – I can’t post anything…

  16. renzo says:

    hi bodhi,

    Due to the demand at my current workplace, I was tasked to set up a proxy server to limit internet usage in terms of browsing by the users to sites which are not work related. I used Vyatta as my web proxy and it works perfectly as expected. I was just having some serious problems with some of the techy staff that know how to bypass the proxy using free online proxies that can be found on the internet.

    I was wondering if you can please help me out on how to set up vyatta as a transparent web proxy rather than setting vyatta as a gateway.

    Thank you for any consideration and assistance.

    Regards,

    Lorenze

  17. bodhi.zazen says:

    @renzo – Yea, tech savvy users can be like that. You have several options. One is to ask them to stop. Another is to use a web proxy such as squid. Start blocking IP addresses, TOR exit nodes, etc. Sort of depends on corporate policy and the sensitivity of your data. Punching holes in firewalls would be grounds for termination in some environments. Good luck.

  18. Hais Wahyu Fajari says:

    Does the above tutorial also work for a tor transparent proxy?

  19. bodhi.zazen says:

    @Hais Wahyu Fajari This tutorial / method should work with any proxy, just make sure you have the ports correct as different proxies use different default ports.

  20. Rob says:

    sudo nano /etc/privoxy/conf

    should be

    sudo nano /etc/privoxy/config

    You used the correct one in your other article.

  21. bodhi.zazen says:

    Thanks Rob, fixed

  22. Logan says:

    Can you show what the firewall rules would be for folks using the FreeBSD pf firewall?

    I’m using my laptop as the client and server, where my laptop runs the browser, firewall and squid.

    Thanks in advance ..

  23. bodhi.zazen says:

    @Logan I have not used pf firewall, should be somewhat similar syntax.

  24. santosh says:

    I have forwarded my network http traffic to my transparent squid proxy. The guide below will help all Cisco users.

    http://www.vmwareandme.com/2013/10/guide-how-to-redirect-http-traffic-from_23.html

  25. bodhi.zazen says:

    Thank you santosh, nice write up.
