LinuxQuestions.org
Linux - Software This forum is for Software issues.
Old 01-22-2012, 06:53 AM   #1
speigel205
LQ Newbie
 
Registered: Jan 2012
Posts: 18

Tunnel all traffic - The easiest way


Hello to everybody

It's an old issue, I know, and I know also that there are tons of solutions to that on Linux systems. But I don't find a single webpage that explains what to do to resolve it, because I am a newbie.

I have a SOCKS proxy running on localhost or on the following IP "a.b.c.d"; this proxy is running on port number "P". I would like to tunnel all TCP, and UDP as well "if possible", through this proxy.

The proxy doesn't require any username or password to use it, and for more info my username is supposed to be "USER" and my hostname is "MACHINE".

I have seen people using proxychain but as I seed, I want all the machine traffic to pass through the SOCKS proxy and it is irritating typing proxychain for each application I want to run, so I am seeking a much more comfortable way to do that.

Thank you
 
Old 01-22-2012, 10:37 AM   #2
extremejava
LQ Newbie
 
Registered: Jan 2012
Posts: 1

Have you tried searching on Google
 
Old 01-22-2012, 03:40 PM   #3
speigel205
LQ Newbie
 
Registered: Jan 2012
Posts: 18

Original Poster
I have searched but I am not able to understand what to do exactly; some are using special software and others SSH. But I want to make clear that the "USER" and "MACHINE" I mentioned above are not the proxy username and password, because it doesn't require them at all; those are the username and hostname of my Linux box that appear in my console when I run it, as USER@MACHINE.
 
Old 01-22-2012, 07:09 PM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Quote:
Originally Posted by speigel205
I have a SOCKS proxy running on localhost or on the following IP "a.b.c.d"; this proxy is running on port number "P". I would like to tunnel all TCP, and UDP as well "if possible", through this proxy.
See the example iptables rules in Transparently Routing Traffic Through Tor.


Quote:
Originally Posted by speigel205
I have seen people using proxychain but as I seed, I want all the machine traffic to pass through the SOCKS proxy and it is irritating typing proxychain for each application I want to run
If you're seeding torrents (if that's what you mean with "seeding") there's a few things you could do. First of all run your torrent application from an unprivileged user account as this makes it easier to confine configuration and traffic. In your Desktop Environment (if you run any) set the SOCKS proxy variables and in your shell set the socks_proxy and SOCKS_PROXY (yes both, as some applications don't adhere to or parse upper case variable names) to ensure traffic hits the proxy. Configure all network-capable applications and configure their SOCKS proxy settings. Special care needs to be taken with applications that don't understand SOCKS proxies as their traffic needs to be routed through Polipo (HTTP), proxychains, tsocks, socksify or whatever else you choose to use. To avoid having to call the proxy application manually some libraries can be preloaded. Search their documentation for any lines with "LD_PRELOAD" to find out if they support that. Create shortcuts and aliases that prefix the command to run. Use the above iptables rules and set the "-m owner --uid-owner" to the name of the unprivileged user and don't forget to create a "-j LOG" rule right before the "-j DROP" rule to catch traffic leaks. Be aware only SOCKS5 proxies support UDP; AFAIK proxychains does not. Finally, note BitTorrent generates about one per cent TCP (tracker connections) and ninety-nine per cent UDP, so routing huge amounts of UDP traffic over slow networks will kill performance.
 
Old 01-23-2012, 09:51 AM   #5
speigel205
LQ Newbie
 
Registered: Jan 2012
Posts: 18

Original Poster
Hey there, thank you for your post. Sorry for my bad English, I mean "I have seen people using proxychain but as I said". I am not using Tor for that. I can create a SOCKS proxy on localhost port 5678 for example; to use it for example in Firefox I go to its settings and in Manual Proxy Configuration I set SOCKS Host to localhost and port to 5678 and then choose between SOCKS v4 or v5. After that I can navigate normally. But if I can tunnel all traffic into this SOCKS on localhost:5678 it would be better. In Ubuntu for example there is a GUI for the network proxy, so I have an option to apply it system wide, but it affects only the known protocols, which are HTTP, HTTPS and FTP, and doesn't affect others. That is why I need an application to redirect all the traffic through localhost:5678.
 
Old 01-24-2012, 09:26 AM   #6
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Quote:
Originally Posted by speigel205
I am not using Tor
You're not reading what I said. I said "See the example iptables rules".


Quote:
Originally Posted by speigel205
If I can tunnel all traffic into this SOCKS on localhost:5678 it would be better. In Ubuntu for example there is a GUI for the network proxy, so I have an option to apply it system wide, but it affects only the known protocols, which are HTTP, HTTPS and FTP, and doesn't affect others. That is why I need an application to redirect all the traffic through localhost:5678.
So exactly which traffic passes (as in "-j LOG") the firewall rules and measures I wrote about?
 
Old 01-24-2012, 11:42 AM   #7
speigel205
LQ Newbie
 
Registered: Jan 2012
Posts: 18

Original Poster
I will try the iptables and see what happens, but only if those commands will not break my system if I fail to get it to work. I have read that iptables rules don't remain and return to the default after reboot, so I will probably try that and see what will happen.

Code:
iptables -t nat -A OUTPUT ! -o lo -p tcp -m owner --uid-owner anonymous -m tcp -j REDIRECT --to-ports 9040
iptables -t nat -A OUTPUT ! -o lo -p udp -m owner --uid-owner anonymous -m udp --dport 53 -j REDIRECT --to-ports 53
iptables -t filter -A OUTPUT -p tcp -m owner --uid-owner anonymous -m tcp --dport 9040 -j ACCEPT
iptables -t filter -A OUTPUT -p udp -m owner --uid-owner anonymous -m udp --dport 53 -j ACCEPT
iptables -t filter -A OUTPUT ! -o lo -m owner --uid-owner anonymous -j DROP
Any idea how to adapt that script for my case? Especially the UDP port, what to put instead?

regards
 
Old 01-24-2012, 12:27 PM   #8
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Quote:
Originally Posted by speigel205
I will try the iptables and see what happens, but only if those commands will not break my system
Understanding it probably helps: http://www.frozentux.net/documents/iptables-tutorial/


Quote:
Originally Posted by speigel205
if I fail to get it to work. I have read that iptables rules don't remain and return to the default after reboot, so I will probably try that and see what will happen.
As long as you or the firewall init script doesn't save the rules on reboot.


Quote:
Originally Posted by speigel205
Any idea how to adapt that script for my case? Especially the UDP port, what to put instead?
Code:
# Redirect TCP for user USER to port P:
iptables -t nat -A OUTPUT ! -o lo -p tcp -m owner --uid-owner USER -m tcp -j REDIRECT --to-ports P
# Redirect UDP, asserting user USER has access to a SOCKS5 proxy (note the udp match, not tcp):
iptables -t nat -A OUTPUT ! -o lo -p udp -m owner --uid-owner USER -m udp -j REDIRECT --to-ports P
# Log whatever else tries to escape:
iptables -t nat -A OUTPUT ! -o lo -j LOG --log-prefix "NAT-not-P "
# Anything not redirected above passes through nat unchanged and is logged and dropped in the
# filter table below (the nat table is not meant for filtering, so no DROP target is used here).
# Allow TCP:
iptables -t filter -A OUTPUT -p tcp -m owner --uid-owner USER -m tcp --dport P -j ACCEPT
# Allow UDP:
iptables -t filter -A OUTPUT -p udp -m owner --uid-owner USER -m udp --dport P -j ACCEPT
# Log everything:
iptables -t filter -A OUTPUT ! -o lo -j LOG --log-prefix "OUTPUT-not-P "
# ...and drop it:
iptables -t filter -A OUTPUT ! -o lo -m owner --uid-owner USER -j DROP
 
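As an added example (not code from any post in this thread): a small parser for the kernel messages that the "-j LOG" rules in post #8 emit, so that leaks past the redirect, which post #4 says the LOG rule is there to catch, can be attributed to a uid, protocol and destination port. It assumes the LOG rules were created with --log-uid so that UID= appears in each line; the sample log lines are constructed.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Log prefixes used by the two LOG rules in the thread (nat and filter OUTPUT chains).
LOG_PREFIXES = ("OUTPUT-not-P", "NAT-not-P")
TOKEN_RE = re.compile(r"\b([A-Z]+)=(\S*)")

# Constructed sample kernel log lines (not real traffic) in the format the LOG target
# produces; UID=/GID= are present only when the rule was created with --log-uid.
SAMPLE_LOG = """\
Jan 24 12:30:01 MACHINE kernel: OUTPUT-not-P IN= OUT=eth0 SRC=192.168.1.10 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4711 DF PROTO=TCP SPT=45678 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0 UID=1000 GID=1000
Jan 24 12:30:02 MACHINE kernel: OUTPUT-not-P IN= OUT=eth0 SRC=192.168.1.10 DST=198.51.100.53 LEN=70 TOS=0x00 PREC=0x00 TTL=64 ID=4712 DF PROTO=UDP SPT=51234 DPT=53 LEN=50 UID=1000 GID=1000
Jan 24 12:30:03 MACHINE kernel: NAT-not-P IN= OUT=eth0 SRC=192.168.1.10 DST=203.0.113.9 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4713 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Jan 24 12:30:04 MACHINE kernel: usb 1-1: new high-speed USB device number 3
"""

@dataclass(frozen=True)
class Leak:
    prefix: str
    proto: str
    dst: str
    dport: Optional[int]
    uid: Optional[int]  # None when the LOG rule lacked --log-uid

def parse_leaks(log_text: str) -> List[Leak]:
    """Return one Leak per kernel line carrying one of our LOG prefixes; skip everything else."""
    leaks: List[Leak] = []
    for line in log_text.splitlines():
        m = re.search(r"(\S+) IN=", line)  # the token right before IN= is the log prefix
        if not m or m.group(1) not in LOG_PREFIXES:
            continue
        kv = dict(TOKEN_RE.findall(line))  # a repeated key (UDP LEN=) keeps its last value
        leaks.append(Leak(
            prefix=m.group(1),
            proto=kv.get("PROTO", "?"),
            dst=kv.get("DST", "?"),
            dport=int(kv["DPT"]) if "DPT" in kv else None,
            uid=int(kv["UID"]) if "UID" in kv else None,
        ))
    return leaks

def summarize(leaks: List[Leak]) -> Counter:
    """Count leaks per (uid, proto, dport): the busiest bucket points at the leaking application."""
    return Counter((leak.uid, leak.proto, leak.dport) for leak in leaks)
```

Feed it the output of `dmesg` or the kernel log file; `summarize(parse_leaks(text)).most_common()` lists the (uid, proto, dport) buckets that are bypassing the proxy, most frequent first.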
Old 01-24-2012, 02:52 PM   #9
speigel205
LQ Newbie
 
Registered: Jan 2012
Posts: 18

Original Poster
Thank you very much for your kind help, thread marked as solved.
 
Old 01-25-2012, 03:59 PM   #10
speigel205
LQ Newbie
 
Registered: Jan 2012
Posts: 18

Original Poster
Back again. I want to test for a transparent proxy "if possible of course" or a random SOCKS one, so if the IP is a.b.c.d then what is the appropriate command? SOCKS 4 doesn't support UDP so I may try SOCKS 5 instead.
 
Old 06-08-2014, 11:22 AM   #11
metzenx
Member
 
Registered: Dec 2013
Location: Spain is pain!
Distribution: linux mint 17 cinnamon 32-bit
Posts: 30

Hi, I'm using an HTTP proxy with authentication. How would the iptables commands work out for me?
 