Old 12-16-2005, 05:51 PM   #1
gabsik
Member
 
Registered: Dec 2005
Location: italia
Distribution: Debian Kali
Posts: 541

Rep: Reputation: 30
Lan gateway with tor and privoxy


I have a Linux gateway; I want to make it tor the LAN's HTTP requests to the internet. I was thinking of running tor on each computer in the LAN and having one privoxy on the gateway. iptables is this way:
# redirect LAN web traffic arriving on eth1 to the local privoxy port
$IPTABLES -t nat -A PREROUTING -p tcp -i eth1 -s 192.168.1.1/255.255.255.0 --dport 80 -j REDIRECT --to-port 8118
# --dport needs a protocol match (-p tcp); accept local connections to tor's SOCKS port
$IPTABLES -A INPUT -i lo -p tcp --dport 9050 -j ACCEPT
That's wrong but a start.
gabriele
p.s.
thanx linuxquestions.org
 
Old 12-17-2005, 03:53 AM   #2
DaveG
Member
 
Registered: Nov 2001
Location: London, UK
Distribution: Fedora 16
Posts: 160

Rep: Reputation: 41
What you are suggesting here is a "transparent proxy" where the clients do not know they are being redirected. You WILL have problems.

Much better to set up the client browsers to use your proxy, as a proxy.

Most browsers can be configured to access local content directly while using the proxy for internet content. You can even set up a Java PROXY.PAC file somewhere to automate the process and/or do more complex routing - you do not want to download software through the privoxy filters - they could corrupt the data.
 
Old 12-19-2005, 02:19 AM   #3
gabsik
Member
 
Registered: Dec 2005
Location: italia
Distribution: Debian Kali
Posts: 541

Original Poster
Rep: Reputation: 30
What do you think of the above iptables to let anonymous surfing out of my gateway? Recently I got squid too, but I'm messing up with privoxy. I want squid for web caching, privoxy and tor to anonymize the browsers' outgoing connections. I would like to disable nearly all the content filtering of privoxy; it is messing up with the content filtering I already have on the front router, so I have most of my web surfing stopped. In the end I don't care, to see a few babes is always good; anyway the router already does that efficiently. Consider I have a router gateway ---> linuxbox-firewall (iptables -P DROP on all chains) ---- switch --- webserver (open to public) --- 2 other boxes -- !
 
Old 12-20-2005, 03:33 AM   #4
DaveG
Member
 
Registered: Nov 2001
Location: London, UK
Distribution: Fedora 16
Posts: 160

Rep: Reputation: 41
Redirecting HTTP to a proxy will cause problems. If your client browser cannot use a proxy directly, get another browser. You will probably want to use a Java proxy configuration file if you need other protocols etc.

Redirection can also fail. What would happen if the URL includes a port number other than 80? e.g. http://www.linuxquestions.com:8080/. With redirection, the browser will try to connect directly, bypassing privoxy, squid and TOR. Using a full proxy and blocking ALL other access provides a better and more secure solution: The ONLY way to get the internet is through the proxy (also shows up spyware!). You could even consider turning off IP forwarding in the firewall for the ultimate in security but you would need a secure proxy for each protocol e.g. DNS, IMAP/POP, FTP, IRC, VoIP etc.

For my small network I decided that squid was too much hassle. I rely on the browsers to do their own caching but it is possible to configure squid to use privoxy as its next upstream proxy. I also run an Apache web server to provide local content and a simple proxy for FTP and selected web sites to bypass privoxy. This covers the problem of web pages including FTP content just to get your IP address.

Privoxy can be configured to just filter the headers and not the content. It should also run faster since it won't need to buffer web pages for filtering.

If your main concern is "information leakage" then your firewall should not do any forwarding at all. Everything should go through a proxy or local service where you decide on the security policy.
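DaveG's point in posts #2 and #4 is that redirecting only port 80 lets a URL such as http://www.linuxquestions.com:8080/ slip past privoxy, squid and TOR, while a browser-side proxy configuration sends every HTTP request, whatever the port, to the proxy and can still reach local machines directly. The PAC file below is an added example, not something posted in this thread or shipped by the Privoxy or Tor projects. It assumes the gateway's LAN address is 192.168.1.1 and that privoxy listens there on port 8118 (the port used throughout the thread); the internal suffixes ".lan" and ".local" are also assumed. It uses only helper functions defined in the file itself rather than the browser-supplied PAC helpers, so the same file runs unchanged under Node.js.

```javascript
// Added example (not from this thread): a proxy auto-configuration (PAC) file.
// Browsers fetch this file and call FindProxyForURL() for every request.
// Assumptions: gateway LAN address 192.168.1.1, privoxy listening there on
// port 8118, internal names ending in .lan or .local. Adjust to your network.
var PROXY_HOST = "192.168.1.1";
var PROXY_PORT = 8118;
var LOCAL_SUFFIXES = [".lan", ".local"];

function isIPv4(host) {
  return /^\d{1,3}(\.\d{1,3}){3}$/.test(host);
}

// RFC 1918 ranges plus loopback: these hosts are reached without the proxy.
function isPrivateIPv4(host) {
  if (!isIPv4(host)) return false;
  var o = host.split(".").map(Number);
  if (o.some(function (n) { return n > 255; })) return false;
  return o[0] === 10 || o[0] === 127 ||
    (o[0] === 172 && o[1] >= 16 && o[1] <= 31) ||
    (o[0] === 192 && o[1] === 168);
}

// Local content: loopback, private addresses, bare intranet names (no dot),
// and hostnames under one of the internal suffixes.
function isLocalHost(host) {
  var h = host.toLowerCase();
  if (h === "localhost" || isPrivateIPv4(h)) return true;
  if (h.indexOf(".") === -1) return true;
  return LOCAL_SUFFIXES.some(function (s) {
    return h.length > s.length && h.slice(-s.length) === s;
  });
}

function FindProxyForURL(url, host) {
  var u = url.toLowerCase();
  // Privoxy only speaks HTTP(S). Other schemes (ftp, gopher, ...) go DIRECT
  // and are expected to be stopped by the gateway's default-DROP forwarding,
  // as DaveG recommends, rather than silently bypassing TOR.
  if (u.indexOf("http://") !== 0 && u.indexOf("https://") !== 0) return "DIRECT";
  if (isLocalHost(host)) return "DIRECT";
  // Every other HTTP request, on any port (:8080 included), goes to privoxy.
  // Deliberately no "; DIRECT" fallback: if the proxy is down the request
  // fails instead of leaking the client's real address.
  return "PROXY " + PROXY_HOST + ":" + PROXY_PORT;
}
```

Serve the file from the gateway's web server (the thread already mentions Apache) and point the browsers at its URL. Privoxy's default is to accept connections on 127.0.0.1 only, so on the gateway it has to be told to listen on the LAN address (its listen-address option) and restricted to LAN clients (its permit-access option); with the FORWARD chain at DROP, a request the PAC answers with DIRECT for an internet host simply fails instead of going out in the clear. If you run a separate FTP proxy as DaveG does, the non-HTTP branch is where you would return it.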
 
Old 12-22-2005, 08:39 AM   #5
gabsik
Member
 
Registered: Dec 2005
Location: italia
Distribution: Debian Kali
Posts: 541

Original Poster
Rep: Reputation: 30
Lan gateway with tor and privoxy

You wrote: "For my small network I decided that squid was too much hassle. I rely on the browsers to do their own caching but it is possible to configure squid to use privoxy as its next upstream proxy. I also run an Apache web server to provide local content and a simple proxy for FTP and selected web sites to bypass privoxy. This covers the problem of web pages including FTP content just to get your IP address."

I found your answer really interesting, full of inputs I could use to make my own experiments. I never heard Firefox could do its own caching, and what to use squid and privoxy together for? One for caching (squid) and one for content filtering? I would like to get as anonymous as possible; is the use of both useful for this, and tor! I am getting a bit confused now. Would it be possible to use privoxy for caching too and uninstall squid? Squid, tor and privoxy together are a bit confusing to me.

"Privoxy can be configured to just filter the headers and not the content. It should also run faster since it won't need to buffer web pages for filtering."
Where in the config file do I make privoxy just filter headers?
Last question.
I once configured ddclient to update my public address at http://whatismyip.org/, which I was also using to check whether anonymization was reached; then for some reason it didn't work anymore, so now I do that through dyndns. If whatismyip reports the address given by tor, then ddclient, updating through whatismyip.org, is going to report a false IP for my site too, and this is going to be in the DNS as well! And doing an nslookup of my website will give false results, right? I just want to disappear ... being traced only by HTTP, I mean!
Thank you for the patience, sorry for my errors in English writing, and I will wait for your answer, ciao!
G!
It is not a promotion, it is just an event, my url: http://hardcode.ath.cx/

Last edited by gabsik; 12-22-2005 at 08:52 AM.
 
Old 12-22-2005, 06:12 PM   #6
DaveG
Member
 
Registered: Nov 2001
Location: London, UK
Distribution: Fedora 16
Posts: 160

Rep: Reputation: 41
Your English is more readable than many Linux documents!

As I said, I don't use squid, but it can be configured to use an "upstream proxy", just like a browser. That proxy could be one provided by your ISP or "localhost:8118" - privoxy. I don't know the details of how to do it, but it should be in the documentation.

Privoxy does not provide a cache, only privacy. It uses a number of configuration files, by default under /etc/privoxy: "config" defines how the service operates, "default.action" defines standard URL processing, "standard.action" determines how aggressive privoxy will be, "user.action" holds your own preferences and is the only file you should edit, "default.filter" holds search and replace strings for content filtering.

To stop privoxy scanning and/or replacing content, just define a class that disables all filters (-filter(...)), applicable to a wildcard ("*") URL. Define this in "user.actions" as the other files get overwritten during a software update. A "back door" is to set the "buffer-limit" option to zero. With no buffer, privoxy is prevented from doing any content filtering.

I use dyndns.org so I can access my home site on the road. I don't know how this would work with TOR. I would assume that TOR provides some kind of "place holder" IP address and you would need to keep DynDNS updated if and when that changes, just as with a DHCP connection. TOR would need to provide that information to you in some secure way, possibly via SOCKS.

I'd recommend getting privoxy configured properly first, then run it through TOR, then squid - stand-alone, then integrate the two. Then look at browser proxy (automatic) configuration and firewalling. External access could be handled in parallel.

There is only so much you can do to "disappear" from the Internet - packets must get back to the source and ICMP needs a route to work properly. The Internet was designed to operate under "external" threats rather than to avoid monitoring.

I recommend you take a look at Ross Anderson's (Cambridge University, UK) security home page at http://www.cl.cam.ac.uk/users/rja14/ for background ideas. There is a lot of information, much of it is theory such as "how to run a completely illegal drugs auction on-line" (http://www.cl.cam.ac.uk/~rja14/cocaine.pdf). This "thought experiment" covers security and anonymity under the threat of prosecution i.e. real-world software.
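Post #6 describes the pieces without showing the files: disabling privoxy's content filters in "user.action" while leaving header handling alone, the "buffer-limit" back door in "config", and squid using privoxy as its upstream proxy (which post #4 also mentions). The fragments below are an added example, not configuration posted in this thread or taken from the Privoxy, Tor or Squid documentation verbatim. They assume tor's SOCKS port is 9050 and privoxy's is 8118 (both from the thread), a gateway LAN address of 192.168.1.1, a LAN of 192.168.1.0/24 (from the OP's iptables rule), and squid on its usual port 3128; the option names are real ones, the values are this example's.

```text
# /etc/privoxy/config  (fragments; added example, values are assumptions)
listen-address   192.168.1.1:8118        # default is 127.0.0.1:8118, i.e. gateway-only
permit-access    192.168.1.0/24          # only LAN clients may use this proxy
forward-socks4a  /  127.0.0.1:9050  .    # hand every request to the local tor SOCKS port
# buffer-limit   0                       # DaveG's "back door": no buffer, no content filtering

# /etc/privoxy/user.action  (the only action file meant to be edited)
# Header-level actions inherited from default.action stay in force; the two
# content-rewriting actions are switched off for every URL ("/" matches all).
{ -filter -deanimate-gifs }
/

# /etc/squid/squid.conf  (fragments; browsers then point at port 3128)
http_port      3128
cache_peer     127.0.0.1 parent 8118 0 no-query default   # privoxy as the only parent
never_direct   allow all                                  # squid itself must not bypass it
```

With squid in front, the chain is browser -> squid (cache) -> privoxy (headers) -> tor, and the browser's proxy setting or PAC file names port 3128 instead of 8118. "never_direct allow all" is the squid-side equivalent of the firewall rule DaveG keeps coming back to: if the parent is unreachable, squid returns an error rather than fetching the page with the gateway's own address.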
 
Old 12-24-2005, 10:13 AM   #7
gabsik
Member
 
Registered: Dec 2005
Location: italia
Distribution: Debian Kali
Posts: 541

Original Poster
Rep: Reputation: 30
Lan gateway with tor and privoxy

I'm using privoxy with no content filtering, just anonymizing my LAN's browsers, to be honest just 1 client at a time, ...??? I have missed this ... ! To configure squid for web caching, on what port do I run it?? How do I configure privoxy to use squid? Big questions still; I'm far from understanding the philosophy of the privoxy configuration file. Interesting the bit related to content manipulation, microsoft=microsuck; it's not clear how to do it! ... ok I stop now, I leave you with this link I want you to visit, it's about disappearing from the internet ... http://netsukuku.freaknet.org/?p=Home let me know your opinion: I'm so scared about the way the internet is going, projects like longhorn scare me, so I want to be prepared to face this wave of interests, and privacy is a top problem; look also at http://freshmeat.net/projects/ksb26/ which is a kernel module. ciao!

Last edited by gabsik; 12-24-2005 at 10:16 AM.
 
  

