maemo.org - Talk

maemo.org - Talk (https://talk.maemo.org/index.php)
-   SailfishOS (https://talk.maemo.org/forumdisplay.php?f=52)
-   -   Transparent socks proxy (shadowsocks and ssh tunnel) (https://talk.maemo.org/showthread.php?t=92703)

MastaG 2014-07-04 09:05

Re: Transparent socks proxy (shadowsocks and ssh tunnel)
 
ahhh thanks nieldk!
I'll look into this.

nieldk 2014-07-04 09:13

Re: Transparent socks proxy (shadowsocks and ssh tunnel)
 
You will probably need to look at this, to ensure that services are indeed started AFTER network is UP ;)
Yeah, systemd has some issues (Linus is yelling at the maintainer)
http://www.freedesktop.org/wiki/Soft...NetworkTarget/

MastaG 2014-07-04 09:37

Re: Transparent socks proxy (shadowsocks and ssh tunnel)
 
Thanks nieldk!
I'm a bit new to the Sailfish OS.

So if I understand it correctly:

The dhclient should always set 127.0.0.1 as nameserver (no matter what).

This script:

Code:

#!/bin/sh
#the UID that Tor runs as (varies from system to system)
_tor_uid="0"
#Tor's TransPort
_trans_port="9040"
### flush iptables
iptables -F
iptables -t nat -F
### set iptables *nat
iptables -t nat -A OUTPUT -m owner --uid-owner $_tor_uid -j RETURN
iptables -t nat -A OUTPUT -p udp --dport 53 -j REDIRECT --to-ports 53
#allow clearnet access for hosts: 127.0.0.0/9 127.128.0.0/10
iptables -t nat -A OUTPUT -d 127.0.0.0/9 -j RETURN
iptables -t nat -A OUTPUT -d 127.128.0.0/10 -j RETURN
#redirect all other output to Tor's TransPort
iptables -t nat -A OUTPUT -p tcp --syn -j REDIRECT --to-ports $_trans_port
### set iptables *filter
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#allow clearnet access for hosts: 127.0.0.0/8
iptables -A OUTPUT -d 127.0.0.0/8 -j ACCEPT
#allow only Tor output
iptables -A OUTPUT -m owner --uid-owner $_tor_uid -j ACCEPT
iptables -A OUTPUT -j REJECT
#Security fix
iptables -A OUTPUT -m state --state INVALID -j DROP
iptables -A OUTPUT ! -o lo ! -d 127.0.0.1 ! -s 127.0.0.1 -p tcp -m tcp --tcp-flags ACK,FIN ACK,FIN -j DROP
iptables -A OUTPUT ! -o lo ! -d 127.0.0.1 ! -s 127.0.0.1 -p tcp -m tcp --tcp-flags ACK,RST ACK,RST -j DROP

Should run after Tor daemon has been started and after every network switch (the systemd part).

Then all outgoing traffic (except for localhost) will be routed through Tor and I'll be able to resolve .onion names.

Also I'll be flagged as an "extremist" by the NSA according to recent news :P

gexc 2015-10-03 01:29

Re: Transparent socks proxy (shadowsocks and ssh tunnel)
 
Unfortunately I am not familiar with the ProxyCommand option. Maybe someone else here can help you out?

gexc 2015-10-04 01:53

Re: Transparent socks proxy (shadowsocks and ssh tunnel)
 
Perhaps you need to allow the traffic to the remote proxy, which your local proxy 127.0.0.1:3339 connects to.

nieldk 2015-10-04 06:40

Re: Transparent socks proxy (shadowsocks and ssh tunnel)
 
Quote:

Originally Posted by gexc (Post 1484346)
Perhaps you need to allow the traffic to the remote proxy, which your local proxy 127.0.0.1:3339 connects to.

I believe that is the case. I don't see iptables allowing traffic to 8.8.8.8 for DNS forwarding.

gexc 2015-10-04 07:32

Re: Transparent socks proxy (shadowsocks and ssh tunnel)
 
iptables -t nat -A REDSOCKS -d xxx.xxx.xxx.xxx -j RETURN

replace the xxx's with your remote proxy server

nieldk 2015-10-04 08:38

Re: Transparent socks proxy (shadowsocks and ssh tunnel)
 
Read up on iptables usage :)
For example: http://www.cyberciti.biz/faq/linux-p...with-iptables/

nieldk 2015-10-04 14:19

Re: Transparent socks proxy (shadowsocks and ssh tunnel)
 
My guess: DNS is not set up correctly.
Either it's not given by DHCP, or iptables is blocking DNS requests.
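The two failure modes discussed in this thread (the fail-closed OUTPUT chain from MastaG's script silently rejecting DNS, and the local proxy's own connection to the remote server being looped back into the REDIRECT unless it is exempted first, as gexc's RETURN rule does) can both be checked mechanically against the output of iptables-save before anything is debugged by hand. The script below is an added example written for this thread, not code from any of the posters; it is a pure text audit with no iptables calls, so it runs offline. The rulesets embedded in it are constructed samples in iptables-save format (the first mirrors MastaG's Tor script, the second a redsocks-style chain), and 198.51.100.7 is a documentation address standing in for the "xxx.xxx.xxx.xxx" remote proxy.

```shell
#!/bin/sh
# tproxy-audit.sh: constructed example (not from the thread). Checks an iptables ruleset in
# iptables-save format for the properties a transparent-proxy setup needs, and reports the
# two classic mistakes discussed above: DNS not handled, upstream proxy not exempted.
# On a device: iptables-save > rules.txt; then audit_rules "$(cat rules.txt)" <upstream-ip>

# All "-A" rules of one table (nat or filter) from iptables-save text on stdin.
table_rules() { sed -n '/^\*'"$1"'$/,/^COMMIT$/p' | grep '^-A '; }

# 0 if new TCP connections are redirected to a local transparent port.
has_tcp_redirect() {
    printf '%s\n' "$1" | table_rules nat | grep -qE -- '-p tcp .*-j REDIRECT --to-ports [0-9]+'
}

# 0 if UDP/53 is redirected to a local port (Tor DNSPort, a local resolver, ...). Without
# this, a fail-closed filter rejects the resolver's packets and nothing resolves.
has_dns_redirect() {
    printf '%s\n' "$1" | table_rules nat | grep -qE -- '-p udp .*--dport 53 -j REDIRECT'
}

# 0 if the last filter OUTPUT rule is REJECT/DROP, so non-proxied traffic cannot leak.
is_fail_closed() {
    printf '%s\n' "$1" | sed -n '/^\*filter$/,/^COMMIT$/p' | grep '^-A OUTPUT' \
        | tail -n 1 | grep -qE -- '-j (REJECT|DROP)'
}

# 0 if traffic to the upstream proxy ($2) hits a RETURN before the TCP REDIRECT; otherwise
# the local client's own connection to the upstream is redirected back into itself.
upstream_exempted() {
    rules=$(printf '%s\n' "$1" | table_rules nat)
    ret=$(printf '%s\n' "$rules" | grep -nE -- "-d $2(/32)? .*-j RETURN" | head -n 1 | cut -d: -f1)
    red=$(printf '%s\n' "$rules" | grep -nE -- '-p tcp .*-j REDIRECT --to-ports' | head -n 1 | cut -d: -f1)
    [ -n "$ret" ] && [ -n "$red" ] && [ "$ret" -lt "$red" ]
}

# Run every check, print one finding per line, return the number of failures.
# $2 (upstream proxy address) may be empty for a setup without one, e.g. Tor.
audit_rules() {
    ruleset=$1; upstream=$2; fails=0
    if has_tcp_redirect "$ruleset"; then echo "ok   new TCP connections go to the local proxy port"
    else echo "FAIL no tcp REDIRECT rule in the nat table"; fails=$((fails+1)); fi
    if has_dns_redirect "$ruleset"; then echo "ok   UDP/53 is redirected to a local resolver port"
    else echo "FAIL UDP/53 is not redirected: with a fail-closed filter, lookups die"; fails=$((fails+1)); fi
    if is_fail_closed "$ruleset"; then echo "ok   filter OUTPUT ends in REJECT/DROP (fail-closed)"
    else echo "FAIL filter OUTPUT does not end in REJECT/DROP: direct traffic can leak"; fails=$((fails+1)); fi
    if [ -n "$upstream" ]; then
        if upstream_exempted "$ruleset" "$upstream"; then echo "ok   upstream $upstream exempted before REDIRECT"
        else echo "FAIL upstream $upstream not exempted: proxy connection loops into REDIRECT"; fails=$((fails+1)); fi
    fi
    return $fails
}

# Constructed sample 1: what MastaG's Tor script looks like after iptables-save.
SAMPLE_TOR='*nat
:OUTPUT ACCEPT [0:0]
-A OUTPUT -m owner --uid-owner 0 -j RETURN
-A OUTPUT -p udp -m udp --dport 53 -j REDIRECT --to-ports 53
-A OUTPUT -d 127.0.0.0/9 -j RETURN
-A OUTPUT -d 127.128.0.0/10 -j RETURN
-A OUTPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040
COMMIT
*filter
:OUTPUT ACCEPT [0:0]
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -d 127.0.0.0/8 -j ACCEPT
-A OUTPUT -m owner --uid-owner 0 -j ACCEPT
-A OUTPUT -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -m state --state INVALID -j DROP
COMMIT'

# Constructed sample 2: a redsocks-style chain with both mistakes from the thread.
SAMPLE_LEAKY='*nat
:OUTPUT ACCEPT [0:0]
:REDSOCKS - [0:0]
-A OUTPUT -j REDSOCKS
-A REDSOCKS -d 127.0.0.0/8 -j RETURN
-A REDSOCKS -p tcp -m tcp -j REDIRECT --to-ports 12345
COMMIT
*filter
:OUTPUT ACCEPT [0:0]
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT'

UPSTREAM=198.51.100.7   # placeholder for the remote proxy address (the thread's xxx.xxx.xxx.xxx)

# Sample 3: sample 2 with the RETURN rule gexc suggests inserted before the REDIRECT.
SAMPLE_FIXED=$(printf '%s\n' "$SAMPLE_LEAKY" | awk '{ print }
    /-d 127.0.0.0\/8 -j RETURN/ { print "-A REDSOCKS -d '"$UPSTREAM"'/32 -j RETURN" }')

echo "== Tor-style ruleset";   if audit_rules "$SAMPLE_TOR" "";              then echo "   clean"; else echo "   $? finding(s)"; fi
echo "== leaky redsocks";      if audit_rules "$SAMPLE_LEAKY" "$UPSTREAM";   then echo "   clean"; else echo "   $? finding(s)"; fi
echo "== upstream exempted";   if audit_rules "$SAMPLE_FIXED" "$UPSTREAM";   then echo "   clean"; else echo "   $? finding(s)"; fi
```

The Tor sample passes every check; the leaky redsocks sample reports two findings (no DNS handling, upstream not exempted); adding the RETURN for the upstream address clears one of them and leaves the DNS finding, which is exactly the symptom nieldk describes. The audit only reads text, so it can be run on a copy of the rules before loading them on the phone.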

0312birdzhang 2017-12-05 01:44

Re: Transparent socks proxy (shadowsocks and ssh tunnel)
 
I made a UI for this (the backend uses gost https://github.com/ginuerzh/gost/blo...r/README_en.md )

https://openrepos.net/content/birdzh...gs-gost-button
:D
