Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
02-12-2007, 04:31 PM | #1 | Member | Registered: Aug 2006 | Posts: 34
Using a proxy for ALL connections [SOLVED]
Hi, I recently installed JAP, a nice proxy for anonymous surfing.
I configured Firefox and a few other programs to use it, but I would like my entire system to go through it.
This means that ALL connections, even a simple "ping google.fr" in a console, should go through it, and direct access to the Internet should be prohibited.
I suppose it can be done with iptables or something like it, but I really don't know what to look for. I googlized for "linux forwarding", "linux global proxy" and others, but none is what I want.
I suppose it would mean having my computer use that proxy just like it would have to go through a computer to get out of a LAN, but as the proxy is created by the JAP program, which runs on my computer, and allows me to connect to 127.0.0.1:4001, I don't really know what to do.
Ok ok ok, all this isn't that clear, so here it is:
1) Firefox / ping command / any other net app
|
v
2) 127.0.0.1:4001 (Loopback firewall opened by JAP)
|
v
3) JAP (on my computer)
|
v
4) 192.168.0.1 (my ADSL box, reached through DHCP)
|
v
5) Proxies chosen by JAP
|
v
6) Web.
Steps 1, 2 and 3 are on my computer.
It would be easy to do if I had two computers:
I would have my net apps connecting to the 2nd computer, where they would be forwarded by JAP, but here I have only one, so JAP must connect to the web via 192.168.0.1, and other apps must connect via 127.0.0.1:4001.
Hoping I was clear enough, could someone please tell me what I should do?
Last edited by jahvascriptmaniac; 02-13-2007 at 07:55 AM.
02-12-2007, 04:38 PM | #2 | Senior Member | Registered: Jul 2003 | Location: Silicon Valley, USA | Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5 | Posts: 3,660
From reading the JAP project site, it appears to only proxy HTTP traffic, not tunnel any arbitrary IP-based traffic. If that is true, then you cannot proxy the traffic used by ping, and most other programs. It appears to only apply to web browsers.
Last edited by chort; 02-12-2007 at 05:28 PM.
02-12-2007, 04:48 PM | #3 | Moderator | Registered: Jun 2001 | Location: UK | Distribution: Gentoo, RHEL, Fedora, Centos | Posts: 43,417
jap is an http proxy, it works at the http protocol level. as such if you don't talk http to it, it can't do the business. it's certainly possible to proxy any (well i assume any...) form of network traffic, but i don't think you really understand what that kind of proxying actually means. you can look at tcp proxies like tcpproxy (inspired name huh?) or aproxy but unless you have a real need to use it i'm at a bit of a loss to see what you're going to benefit from trying to do this. again, proxying pings would require an icmp proxy, not a tcp or udp proxy. if you are using a tcp proxy then you need to control the proxying at the tcp (Layer 4) level. this means not reading any of the higher level data like http headers. http proxies work through one tcp port because they can inspect the data and take a destination out of the payload's "HOST" header, i.e. www.google.com, regardless of what the tcp/ip data says about a packet's destination. if you proxy at tcp level then all you have is ipaddr:port to go on, no more context, and if you somehow were to point all tcp traffic at that proxy, then every ipaddr:ip in the tcp destination fields would be the same, and there is no more information to distinguish it, so you can't do squat with it.
i really think what you actually want is a firewall with outbound rules...
//ooh was my reply better than chort's? bet it's not... just longer... that would be a first though.
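As an added illustration of the point made in #3 (this is example code, not from the thread or from JAP): an HTTP proxy can recover the real destination from the request payload, either from the absolute-form request line a configured proxy receives or from the Host header of a transparently redirected request, whereas a connection with neither gives a TCP-level proxy nothing to go on. The sample requests are constructed.

```python
# Added example: destination recovery as an HTTP proxy does it, from the
# request payload rather than from the TCP/IP destination fields.
from urllib.parse import urlsplit


def http_destination(payload: bytes):
    """Return (host, port) an HTTP proxy would connect to, or None.

    Handles the absolute-form request line ("GET http://host/ HTTP/1.1") that a
    configured proxy gets, the CONNECT form, and the origin-form request plus
    Host header that a transparently redirected connection carries.
    """
    head = payload.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1", "replace")
    lines = head.split("\r\n")
    try:
        method, target, _version = lines[0].split(" ", 2)
    except ValueError:
        return None  # not an HTTP request line: no application context at all
    if method == "CONNECT":
        host, _, port = target.rpartition(":")
        return (host, int(port)) if host and port.isdigit() else None
    if target.startswith("http://") or target.startswith("https://"):
        parts = urlsplit(target)
        if parts.hostname:
            default = 443 if parts.scheme == "https" else 80
            return (parts.hostname, parts.port or default)
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            host, _, port = value.strip().rpartition(":")
            if host and port.isdigit():
                return (host.strip("[]"), int(port))
            return (value.strip(), 80)
    return None  # no Host header: only ipaddr:port remains, as #3 describes
```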
02-12-2007, 05:04 PM | #4 | Member | Registered: Aug 2006 | Posts: 34 | Original Poster
Ok thanx, I understand now. But if I can't do this with JAP, I suppose it can be done with another proxy that supports other things than http, e.g. ftp and bittorrent.
But as you said that "you need to control the proxying at the tcp (Layer 4)", I can smell a "kernel recompiling" behind this, and that's a thing I can't hear of since I spent 10 or 20 hours trying (without results) to re-compile my kernel ages ago ^^
Well thanks for the info, I think I'll do without.
Just to be sure, however, must you use a NAT or similar if you want to redirect all traffic from a computer to another? I'm not sure if I understood that well...
02-12-2007, 05:12 PM | #5 | Moderator | Registered: Jun 2001 | Location: UK | Distribution: Gentoo, RHEL, Fedora, Centos | Posts: 43,417
you don't have to use nat, but only certain network topologies make sense in that situation. if you have a tcp connection being proxied, then that tcp session is between the proxy and the server. if the proxy is on the route between the client and the server, then if the ip address is not natted, then that packet will return back to the proxy and be picked up just fine. if you have, for example, the proxy and the client both on the same side of a single router, then that ip packet reenters that subnet with the client ip address, and so will go to the client, not find a matching session to hook back on to, and be dropped. if you don't change the port numbers in the proxy, you may get away with it, not totally sure, but it's not really something that serves a home user any benefit. where i work we do have a load balancing tcp proxy at the core of our network, but that cost us £40k a box...
http://www.f5networks.com/products/bigip/ltm/6400.html
but if you do want to play, then you shouldn't need to recompile kernels at all. it's not weird stuff really, just low level.
02-12-2007, 05:42 PM | #6 | Senior Member | Registered: Jul 2003 | Location: Silicon Valley, USA | Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5 | Posts: 3,660
NAT is different from "proxying". "Proxy" is short for "application proxy", and when you view it in that sense it's intuitive that it only applies to certain application protocols and not all network traffic in general. A proxy usually doesn't use network routing, and instead relies on the application being "aware" that it's being proxied. The application needs to know where to send its requests instead of sending them directly to the destination. The proxy handles the rest.
NAT and redirection are network-level operations and apply to all traffic of a particular networking protocol, such as IP.
Redirecting traffic at a network level requires modifying the kernel somehow (there are userland utilities to do this, such as iptables). Redirecting application traffic requires modifying the application. If the application doesn't have proxy support built-in, you would have to recompile it, or use a "shim" that intercepts the traffic and sends it to a proxy. All modern web browsers and many FTP clients have support for proxies built-in. Outside of those, support for proxying is pretty limited.
In some cases it is possible to redirect application traffic (using network redirection) into a "shim" that is proxy-aware and will proxy the traffic (invisibly) on behalf of the user. Squid is an example of a proxy that can do this (when combined with network redirection rules). This means that the application you're using doesn't have to be built with proxy support, but it doesn't work for all that many protocols. Off the top of my head I think it supports HTTP, FTP, and e-mail (SMTP/POP3/IMAP4). Not sure about any others. Squid isn't an "anonymizing" proxy, though.
If you're looking for real anonymous Internet usage, I think you're steering into the territory of TOR, although I believe TOR only works for TCP protocols. I don't think it can anonymize UDP traffic (like DNS, oops).
02-12-2007, 09:04 PM | #7 | Moderator | Registered: May 2001 | Posts: 29,415
Quote: I don't think it can anonymize UDP traffic (like DNS, oops).
As long as the app is properly SOCKS capable or can be socksified it will resolve on the Other Side.
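To make the DNS point in #6 and #7 concrete (added example, not code from the thread or from any of the tools named in it): a SOCKS5 client can send the hostname itself (ATYP 0x03, RFC 1928) so the name is resolved by the proxy on the far side, or it can resolve locally first and send only the IP, in which case the DNS query still leaves the client's own network. The `resolver` argument and the 192.0.2.10 address are assumptions used so the example runs offline.

```python
# Added example: SOCKS5 CONNECT requests with remote vs. local name resolution.
import ipaddress
import socket
import struct


def socks5_connect_request(host, port, remote_dns=True, resolver=socket.gethostbyname):
    """Build a SOCKS5 CONNECT request (VER=5, CMD=1, RSV=0) for host:port.

    remote_dns=True sends a hostname as ATYP 0x03, so the proxy resolves it.
    remote_dns=False resolves locally via `resolver` first and sends the IP
    (ATYP 0x01/0x04): the DNS lookup then happens outside the SOCKS tunnel.
    """
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is None and not remote_dns:
        ip = ipaddress.ip_address(resolver(host))  # local lookup: the leak
    if ip is None:
        name = host.encode("idna")
        if not 1 <= len(name) <= 255:
            raise ValueError("hostname must be 1..255 bytes for ATYP 0x03")
        addr = b"\x03" + bytes([len(name)]) + name
    elif ip.version == 4:
        addr = b"\x01" + ip.packed
    else:
        addr = b"\x04" + ip.packed
    return b"\x05\x01\x00" + addr + struct.pack("!H", port)


def socks5_request_target(data):
    """What the proxy sees: parse a CONNECT request into (atyp, target, port)."""
    if len(data) < 4 or data[0] != 5 or data[1] != 1:
        raise ValueError("not a SOCKS5 CONNECT request")
    atyp = data[3]
    if atyp == 1:
        target, rest = str(ipaddress.IPv4Address(data[4:8])), data[8:]
    elif atyp == 4:
        target, rest = str(ipaddress.IPv6Address(data[4:20])), data[20:]
    elif atyp == 3:
        n = data[4]
        target, rest = data[5:5 + n].decode("idna"), data[5 + n:]
    else:
        raise ValueError("unknown ATYP %d" % atyp)
    if len(rest) != 2:
        raise ValueError("bad request length")
    return atyp, target, struct.unpack("!H", rest)[0]
```

A "socksified" application is one whose connect() calls are rewritten into the first form, which is why the lookup ends up on the other side.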
02-13-2007, 07:55 AM | #8 | Member | Registered: Aug 2006 | Posts: 34 | Original Poster
Ok, thanx!