LinuxQuestions.org
Old 02-12-2007, 04:31 PM   #1
jahvascriptmaniac
Member
 
Registered: Aug 2006
Posts: 34

Using a proxy for ALL connections [SOLVED]


Hi, I recently installed JAP, a nice proxy for anonymous surfing.
I configured Firefox and a few other programs to use it, but I would like my entire system to go through it.

This means that ALL connections, even a simple "ping google.fr" in a console, should go through it, and direct access to the Internet should be prohibited.
I suppose it can be done with iptables or something like it, but I really don't know what to look for. I googlized for "linux forwarding", "linux global proxy" and others, but none is what I want.

I suppose it would mean having my computer using that proxy just like it would have to go through a computer to get out of a LAN, but as the proxy is created by the JAP program, which runs on my computer, and allows me to connect to 127.0.0.1:4001, I don't really know what to do.

Ok ok ok, all this isn't that clear, so here it is:

1) Firefox / ping command / any other net app
|
v
2) 127.0.0.1:4001 (Loopback firewall opened by JAP)
|
v
3) JAP (on my computer)
|
v
4) 192.168.0.1 (my ADSL box, reached through DHCP)
|
v
5) Proxies chosen by JAP
|
v
6) Web.

Steps 1, 2 and 3 are on my computer.

It would be easy to do if I had two computers:
I would have my net apps connecting to the 2nd computer, where they would be forwarded by JAP, but here I have only one, so JAP must connect to the web via 192.168.0.1, and other apps must connect via 127.0.0.1:4001

Hoping I was clear enough, could someone please tell me what I should do?

Last edited by jahvascriptmaniac; 02-13-2007 at 07:55 AM.
 
Old 02-12-2007, 04:38 PM   #2
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

From reading the JAP project site, it appears to only proxy HTTP traffic, not tunnel any arbitrary IP-based traffic. If that is true, then you cannot proxy the traffic used by ping, and most other programs. It appears to only apply to web browsers.

Last edited by chort; 02-12-2007 at 05:28 PM.
 
Old 02-12-2007, 04:48 PM   #3
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

jap is an http proxy, it works at the http protocol level. as such if you don't talk http to it, it can't do the business. it's certainly possible to proxy any (well i assume any...) form of network traffic, but i don't think you really understand what that kind of proxying actually means. you can look at tcp proxies like tcpproxy (inspired name huh?) or aproxy but unless you have a real need to use it i'm at a bit of a loss to see what you're going to benefit from trying to do this. again, proxying pings would require an icmp proxy, not a tcp or udp proxy. if you are using a tcp proxy then you need to control the proxying at the tcp (Layer 4) level. this means not reading any of the higher level data like http headers. http proxies work through one tcp port because they can inspect the data and take a destination out of the payload's "HOST" header, i.e. www.google.com, regardless of what the tcp/ip data says about a packet's destination. if you proxy at tcp level then all you have is ipaddr:port to go on, no more context, and if you somehow were to point all tcp traffic at that proxy, then every ipaddr:ip in the tcp destination fields would be the same, and there is no more information to distinguish it, so you can't do squat with it.

i really think what you actually want is a firewall with outbound rules...

//ooh was my reply better than chort's? bet it's not... just longer... that would be a first though.
 
Old 02-12-2007, 05:04 PM   #4
jahvascriptmaniac
Member
 
Registered: Aug 2006
Posts: 34

Original Poster
Ok thanx, I understood now. But if I can't do this with JAP, I suppose it can be done with another proxy that supports other things than http, e.g. ftp and bittorrent.
But as you said that "you need to control the proxying at the tcp (Layer 4)", I can smell a "kernel recompiling" behind this, and that's a thing I can't hear of since I spent 10 or 20 hours trying (without results) to re-compile my kernel ages ago ^^

Well thanks for the info, I think I'll do without.
Just to be sure, however, you must use a NAT or similar if you want to redirect all traffic from a computer to another? I'm not sure if I understood that well...
 
Old 02-12-2007, 05:12 PM   #5
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

you don't have to use nat, but only certain network topologies make sense in that situation. if you have a tcp connection being proxied, then that tcp session is between the proxy and the server. if the proxy is on the route between the client and the server, then if the ip address is not natted, then that packet will return back to the proxy and be picked up just fine. if you have, for example, the proxy and the client both on the same side of a single router, then that ip packet reenters that subnet with the client ip address, and so will go to the client, not find a matching session to hook back on to, and be dropped. if you don't change the port numbers in the proxy, you may get away with it, not totally sure, but it's not really something that serves a home user any benefit. where i work we do have a load balancing tcp proxy at the core of our network, but that cost us £40k a box...
http://www.f5networks.com/products/bigip/ltm/6400.html

but if you do want to play, then you shouldn't need to recompile kernels at all. it's not weird stuff really, just low level.
 
Old 02-12-2007, 05:42 PM   #6
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

NAT is different from "proxying". "Proxy" is short for "application proxy", and when you view it in that sense it's intuitive that it only applies to certain application protocols and not all network traffic in general. A proxy usually doesn't use network routing, and instead relies on the application being "aware" that it's being proxied. The application needs to know where to send its requests instead of sending them directly to the destination. The proxy handles the rest.

NAT and redirection are network-level operations and apply to all traffic of a particular networking protocol, such as IP.

Redirecting traffic at a network level requires modifying the kernel somehow (there are userland utilities to do this, such as iptables). Redirecting application traffic requires modifying the application. If the application doesn't have proxy support built-in, you would have to recompile it, or use a "shim" that intercepts the traffic and sends it to a proxy. All modern web browsers and many FTP clients have support for proxies built-in. Outside of those, support for proxying is pretty limited.

In some cases it is possible to redirect application traffic (using network redirection) into a "shim" that is proxy-aware and will proxy the traffic (invisibly) on behalf of the user. Squid is an example of a proxy that can do this (when combined with network redirection rules); this means that the application you're using doesn't have to be built with proxy support, but it doesn't work for all that many protocols. Off the top of my head I think it supports HTTP, FTP, and e-mail (SMTP/POP3/IMAP4). Not sure about any others. Squid isn't an "anonymizing" proxy, though.

If you're looking for real anonymous Internet usage, I think you're steering into the territory of TOR, although I believe TOR only works for TCP protocols. I don't think it can anonymize UDP traffic (like DNS, oops).
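An added illustration of the "shim" chort describes in this post and of the destination-information problem acid_kewpie raised in #3 (example code written for this edit, not from any poster, JAP or Squid): on Linux a TCP connection that netfilter has REDIRECTed to a local port still carries its original destination, retrievable with getsockopt(SO_ORIGINAL_DST), which is how a transparent TCP-level shim knows where the client was really going. It assumes the nat OUTPUT rule shown in the comment, excluding the proxy's own user so that its upstream connections are not looped back into it; "proxyuser" and port 4001 are placeholders.

```python
import select
import socket
import struct

# Assumed netfilter rule (root; "proxyuser" is a placeholder for the account the
# proxy runs as, so its own upstream connections are not looped back into it).
# Only TCP is caught: ICMP (ping) and UDP (DNS) pass the proxy by entirely.
#   iptables -t nat -A OUTPUT -p tcp -m owner ! --uid-owner proxyuser \
#            -j REDIRECT --to-ports 4001
SO_ORIGINAL_DST = 80  # from linux/netfilter_ipv4.h; not in Python's socket module

def pack_sockaddr_in(ip, port):
    """Build the 16-byte struct sockaddr_in layout (used here for test input)."""
    return (struct.pack("=H", socket.AF_INET) + struct.pack("!H", port)
            + socket.inet_aton(ip) + b"\0" * 8)

def parse_original_dst(raw):
    """Decode sockaddr_in from SO_ORIGINAL_DST: sa_family (host order),
    sin_port (network order), sin_addr, 8 bytes padding. Returns (ip, port)."""
    if len(raw) < 8:
        raise ValueError("sockaddr_in too short: %d bytes" % len(raw))
    family = struct.unpack("=H", raw[0:2])[0]
    if family != socket.AF_INET:
        raise ValueError("not AF_INET: family %d" % family)
    return socket.inet_ntoa(raw[4:8]), struct.unpack("!H", raw[2:4])[0]

def pump(a, b):
    """Relay bytes in both directions until one side closes."""
    while True:
        readable, _, _ = select.select([a, b], [], [])
        for src in readable:
            data = src.recv(65536)
            if not data:
                return
            (b if src is a else a).sendall(data)

def serve(listen_port=4001):
    """Accept redirected connections one at a time and relay each to the address
    the client really dialled (a real proxy would hand it to its upstream)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", listen_port))
    srv.listen(16)
    while True:
        client, _ = srv.accept()
        raw = client.getsockopt(socket.SOL_IP, SO_ORIGINAL_DST, 16)
        ip, port = parse_original_dst(raw)
        with client, socket.create_connection((ip, port)) as upstream:
            pump(client, upstream)
```

Without the owner exclusion the proxy's own connect() to the real destination would itself be redirected back to port 4001, which is exactly the single-machine loop the original poster ran into.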
 
Old 02-12-2007, 09:04 PM   #7
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

I don't think it can anonymize UDP traffic (like DNS, oops).
As long as the app is properly SOCKS capable or can be socksified it will resolve on the Other Side.
 
Old 02-13-2007, 07:55 AM   #8
jahvascriptmaniac
Member
 
Registered: Aug 2006
Posts: 34

Original Poster
Ok, thanx!
 