Linux - Software
It's an old issue, I know, and I also know that there are tons of solutions to that on Linux systems. But I can't find a single web page that explains what to do to resolve it, because I am a newbie.
I have a SOCKS proxy running on localhost or the following IP "a.b.c.d"; this proxy is running on port number "P". I would like to tunnel all TCP, and UDP as well "if possible", through this proxy.
The proxy doesn't require any username or password to use it, and for more info my username is supposed to be "USER" and my hostname is "MACHINE".
I have seen people using proxychains but, as I said, I want all the machine's traffic to pass through the SOCKS proxy, and it is irritating typing proxychains for each application I want to run, so I am seeking a much more comfortable way to do that.
Thank you
I have searched, but I am not able to understand what to do exactly; some are using special software and others SSH. I want to make clear that the "USER" and "MACHINE" I mention above are not the proxy username and password, because it doesn't require them at all; those are the username and hostname of my Linux box that appear in my console when I run it as USER@MACHINE.
Quote:
Originally Posted by speigel205
I have a socks proxy running on localhost or the following ip "a.b.c.d", this proxy is running on port number "P". I would like to tunnel all TCP and UDP as well "if possible" through this proxy.
I have seem people using proxychain but as I seed, I want all the machine traffic passes through the socks proxy and it is irritating tipping proxychain for each application I want to run
If you're seeding torrents (if that's what you mean with "seeding") there are a few things you could do. First of all, run your torrent application from an unprivileged user account, as this makes it easier to confine configuration and traffic. In your Desktop Environment (if you run any) set the SOCKS proxy variables, and in your shell set both socks_proxy and SOCKS_PROXY (yes, both, as some applications don't adhere to or parse upper-case variable names) to ensure traffic hits the proxy. Configure all network-capable applications and configure their SOCKS proxy settings. Special care needs to be taken with applications that don't understand SOCKS proxies, as their traffic needs to be routed through Polipo (HTTP), proxychains, tsocks, socksify or whatever else you choose to use. To avoid having to call the proxy application manually, some libraries can be preloaded. Search their documentation for any lines with "LD_PRELOAD" to find out if they support that. Create shortcuts and aliases that prefix the command to run. Use the above iptables rules and set the "-m owner --uid-owner" to the name of the unprivileged user, and don't forget to create a "-j LOG" rule right before the "-j DROP" rule to catch traffic leaks. Be aware that only SOCKS5 proxies support UDP; AFAIK proxychains does not. Finally, note that BitTorrent generates about one per cent TCP (tracker connections) and ninety-nine per cent UDP, so routing huge amounts of UDP traffic over slow networks will kill performance.
Hey there, thank you for your post. Sorry for my bad English; I meant "I have seen people using proxychains but as I said". I am not using Tor for that; I can create a SOCKS proxy on localhost port 5678, for example. To use it in Firefox, for example, I go to its settings and in Manual Proxy Configuration I set SOCKS Host to localhost and Port to 5678, and then choose between SOCKS v4 or v5. After that I can navigate normally. But if I could tunnel all traffic into this SOCKS proxy on localhost:5678 it would be better. In Ubuntu, for example, there is a GUI for the network proxy, so I have an option to apply it system-wide, but it affects only the known protocols, which are HTTP, HTTPS and FTP, and doesn't affect others; that is why I need an application to redirect all the traffic through localhost:5678.
You're not reading what I said. I said "See the example iptables rules".
Quote:
Originally Posted by speigel205
If I could tunnel all traffic into this SOCKS proxy on localhost:5678 it would be better. In Ubuntu, for example, there is a GUI for the network proxy, so I have an option to apply it system-wide, but it affects only the known protocols, which are HTTP, HTTPS and FTP, and doesn't affect others; that is why I need an application to redirect all the traffic through localhost:5678.
So exactly which traffic passes (as in "-j LOG") the firewall rules and measures I wrote about?
I will try the iptables rules and see what happens, but only if those commands will not break my system if I fail to get it to work. I have read that iptables rules don't persist and return to the default after a reboot, so I will probably try that and see what will happen.
Code:
# Redirect all TCP from user "anonymous" (except loopback) to the local transparent proxy port 9040
iptables -t nat -A OUTPUT ! -o lo -p tcp -m owner --uid-owner anonymous -m tcp -j REDIRECT --to-ports 9040
# Redirect that user's DNS queries (UDP 53) to a local DNS listener on port 53
iptables -t nat -A OUTPUT ! -o lo -p udp -m owner --uid-owner anonymous -m udp --dport 53 -j REDIRECT --to-ports 53
# Allow the redirected TCP and DNS traffic to reach the local listeners
iptables -t filter -A OUTPUT -p tcp -m owner --uid-owner anonymous -m tcp --dport 9040 -j ACCEPT
iptables -t filter -A OUTPUT -p udp -m owner --uid-owner anonymous -m udp --dport 53 -j ACCEPT
# Drop everything else that user sends off the loopback interface
iptables -t filter -A OUTPUT ! -o lo -m owner --uid-owner anonymous -j DROP
Any idea how to adapt that script for my case? Especially the UDP port, what should I put instead?
Quote:
Originally Posted by speigel205
If I fail to get it to work, I have read that iptables rules don't persist and return to the default after a reboot, so I will probably try that and see what will happen.
As long as neither you nor the firewall init script saves the rules on reboot.
Quote:
Originally Posted by speigel205
Any idea how to adapt that script for my case? Especially the UDP port, what should I put instead?
Code:
# Redirect TCP for user USER to port P:
iptables -t nat -A OUTPUT ! -o lo -p tcp -m owner --uid-owner USER -m tcp -j REDIRECT --to-ports P
# Redirect UDP, asserting user USER has access to a SOCKS5 proxy:
iptables -t nat -A OUTPUT ! -o lo -p udp -m owner --uid-owner USER -m udp -j REDIRECT --to-ports P
# Log whatever else tries to escape:
iptables -t nat -A OUTPUT ! -o lo -j LOG --log-prefix "NAT-not-P "
# Ensure nothing else gets redirected:
iptables -t nat -A OUTPUT ! -o lo -j DROP
# Allow TCP:
iptables -t filter -A OUTPUT -p tcp -m owner --uid-owner USER -m tcp --dport P -j ACCEPT
# Allow UDP:
iptables -t filter -A OUTPUT -p udp -m owner --uid-owner USER -m udp --dport P -j ACCEPT
# Log everything:
iptables -t filter -A OUTPUT ! -o lo -j LOG --log-prefix "OUTPUT-not-P "
# ...and drop it:
iptables -t filter -A OUTPUT ! -o lo -m owner --uid-owner USER -j DROP
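The LOG rules above only help if someone reads what they catch. As an added example (not from this thread), here is a Python script that parses kernel log lines carrying the "NAT-not-P " and "OUTPUT-not-P " prefixes and tallies what was logged right before the DROP, per user, protocol and destination. It assumes the LOG rules were given the `--log-uid` option so the UID= field is present, and the sample log lines are constructed.

```python
import re
from collections import Counter

# Prefixes used by the two LOG rules in the ruleset above.
LEAK_PREFIXES = ("NAT-not-P ", "OUTPUT-not-P ")

# Constructed kernel log lines for this example (not real captures).
SAMPLE_LOG = """\
Jan 10 12:00:01 MACHINE kernel: [ 101.1] OUTPUT-not-P IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 LEN=60 PROTO=TCP SPT=45678 DPT=443 UID=1000 GID=1000
Jan 10 12:00:02 MACHINE kernel: [ 102.2] OUTPUT-not-P IN= OUT=eth0 SRC=192.0.2.10 DST=192.0.2.1 LEN=68 PROTO=UDP SPT=51000 DPT=53 UID=1000 GID=1000
Jan 10 12:00:03 MACHINE kernel: [ 103.3] NAT-not-P IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.5 LEN=84 PROTO=ICMP TYPE=8 CODE=0 UID=0 GID=0
Jan 10 12:00:04 MACHINE kernel: [ 104.4] Unrelated kernel message, PROTO=TCP DPT=80
"""

FIELD_RE = re.compile(r"(\w+)=(\S*)")  # KEY=value pairs emitted by the LOG target

def parse_leak_line(line):
    """Return a dict for one LOG line carrying one of our prefixes, else None."""
    marker = "kernel:"
    if marker not in line:
        return None
    body = line.split(marker, 1)[1]
    for prefix in LEAK_PREFIXES:
        if prefix in body:
            fields = dict(FIELD_RE.findall(body.split(prefix, 1)[1]))
            return {
                "prefix": prefix.strip(),
                "uid": fields.get("UID", "?"),    # only present with --log-uid
                "proto": fields.get("PROTO", "?"),
                "dst": fields.get("DST", "?"),
                "dport": fields.get("DPT", "-"),  # ICMP carries no port
            }
    return None

def summarize_leaks(log_text):
    """Count caught packets per (prefix, uid, proto, dst, dport); flag DNS leaks."""
    counts = Counter()
    dns_leaks = 0
    for line in log_text.splitlines():
        rec = parse_leak_line(line)
        if rec is None:
            continue
        counts[(rec["prefix"], rec["uid"], rec["proto"], rec["dst"], rec["dport"])] += 1
        if rec["proto"] == "UDP" and rec["dport"] == "53":
            dns_leaks += 1  # DNS that did not go through the proxy
    return counts, dns_leaks

if __name__ == "__main__":
    counts, dns = summarize_leaks(SAMPLE_LOG)
    for key, n in sorted(counts.items()):
        print(n, *key)
    print("DNS queries caught outside the proxy:", dns)
```

Feed it `journalctl -k` or /var/log/kern.log output; anything it reports is traffic the proxy never saw, so an empty summary is the result you want.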
Back again. I want to test with a transparent proxy "if possible, of course" or a random SOCKS one, so if the IP is a.b.c.d, what is the appropriate command? SOCKS 4 doesn't support UDP, so I may try SOCKS 5 instead.