Transparent Proxy Week 1 Report

The problem was that at some point the server stopped responding and internet access went down, so redsocks had to be restarted by hand. It turned out that once the number of open connections exceeded 2000, redsocks could not open any more (it had run out of file descriptors), so no web pages loaded. The fix was to raise the open-file limit first and only then start redsocks: the daemon inherits the limit of the shell that launches it, so raising the limit afterwards has no effect on the running process. Here is the start-up script:

#!/bin/sh
# Raise the open-file limit before starting redsocks: the daemon inherits
# the limit of the shell that starts it, so it must be raised here.
echo "Raising the file limit."
ulimit -Hn 32768
ulimit -Sn 32768
echo "File limit set to $(ulimit -n)."

echo "Killing redsocks, flushing firewall."
pkill redsocks
sleep 2
/usr/local/sbin/iptables-clear
sleep 2

echo "Starting redsocks ========="
redsocks -c /usr/local/etc/redsocks-nu.conf
sleep 10

echo "Setting up firewall ======"
# Where to find iptables
IPTABLES="/sbin/iptables"
# Port that redsocks is listening on
REDSOCKS_PORT="12345"
## Location of the upstream (non-local) proxy server
EXTERNAL_PROXY_HOST="192.168.20.254"
EXTERNAL_PROXY_PORT="3128"

# Clean up chains left over from a previous run
# (these commands fail harmlessly on the first run)
$IPTABLES -t nat -D PREROUTING -p tcp -j REDSOCKS_FILTER 2>/dev/null
$IPTABLES -t nat -D OUTPUT -p tcp -j REDSOCKS_FILTER 2>/dev/null
$IPTABLES -t nat -F REDSOCKS_FILTER 2>/dev/null
$IPTABLES -t nat -X REDSOCKS_FILTER 2>/dev/null
$IPTABLES -t nat -F REDSOCKS 2>/dev/null
$IPTABLES -t nat -X REDSOCKS 2>/dev/null

# Create our own chains
$IPTABLES -t nat -N REDSOCKS
$IPTABLES -t nat -N REDSOCKS_FILTER

# Do not try to redirect local traffic. "-o lo" only matches in OUTPUT
# (no output interface is known yet in PREROUTING); the 127.0.0.0/8
# rule below covers the rest.
$IPTABLES -t nat -I REDSOCKS_FILTER -o lo -j RETURN

## Do not redirect LAN traffic and some other reserved addresses (blacklist).
## Everything NOT listed here is sent through the proxy, including
## connections from clients to this gateway itself, so add the gateway's
## own addresses if they are not already covered by these ranges.
$IPTABLES -t nat -A REDSOCKS_FILTER -d 10.1.1.50/32 -j RETURN    # wins server
$IPTABLES -t nat -A REDSOCKS_FILTER -d 10.1.1.51/32 -j RETURN    # wins server
$IPTABLES -t nat -A REDSOCKS_FILTER -d 10.1.1.52/32 -j RETURN    # wins server
$IPTABLES -t nat -A REDSOCKS_FILTER -d 10.1.70.0/23 -j RETURN    # block 7
$IPTABLES -t nat -A REDSOCKS_FILTER -d 10.1.1.10/32 -j RETURN    # only server
$IPTABLES -t nat -A REDSOCKS_FILTER -d 127.0.0.0/8 -j RETURN
$IPTABLES -t nat -A REDSOCKS_FILTER -d 169.254.0.0/16 -j RETURN
$IPTABLES -t nat -A REDSOCKS_FILTER -d 172.16.0.0/12 -j RETURN
### Comment out the next line to also proxy traffic to your local
### 192.168.0.0/16 network (the upstream proxy itself lives in that range
### and is excluded separately below).
$IPTABLES -t nat -A REDSOCKS_FILTER -d 192.168.0.0/16 -j RETURN
$IPTABLES -t nat -A REDSOCKS_FILTER -j REDSOCKS    # necessary

## Do not redirect traffic to the upstream proxy server itself: redsocks'
## own connections to it pass through nat OUTPUT too, and without this
## rule they would be redirected back into redsocks in a loop.
## Not needed if the server is already excluded by the blacklist above.
$IPTABLES -t nat -I REDSOCKS -p tcp -d "$EXTERNAL_PROXY_HOST" --dport "$EXTERNAL_PROXY_PORT" -j RETURN

# Redirect all traffic that gets to the end of our chain
$IPTABLES -t nat -A REDSOCKS -p tcp -j REDIRECT --to-port "$REDSOCKS_PORT"

## Filter all traffic from the host itself
$IPTABLES -t nat -A OUTPUT -p tcp -j REDSOCKS_FILTER
## Filter all traffic that is routed over this host
$IPTABLES -t nat -A PREROUTING -p tcp -j REDSOCKS_FILTER
echo "iptables reconfigured."

echo "Starting DNS server and masquerading."
sleep 1
/usr/local/sbin/masq_server
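The script raises the limit but never verifies that the running redsocks process actually received it, and there is no warning before the descriptors run out again. The following check is an added example written for this report, not code from the original script: it reads the "Max open files" line of /proc/PID/limits, counts the entries in /proc/PID/fd, and flags the process when usage crosses a threshold. It assumes a Linux /proc filesystem and the procps `pgrep` command; the 80% warning threshold is an arbitrary choice.

```shell
#!/bin/sh
# Added example (not part of the original report): check that a running
# redsocks process got the raised descriptor limit and warn before it
# runs out of descriptors again. Assumes Linux /proc and procps pgrep.

# Print "SOFT HARD" for the "Max open files" entry of a /proc/PID/limits
# style listing read from stdin.
nofile_limits() {
    awk '/^Max open files/ { print $4, $5 }'
}

# Count the descriptors a process currently holds open.
fd_count() {
    ls /proc/"$1"/fd 2>/dev/null | wc -l | tr -d ' '
}

# Return 0 when USED is below PCT percent of SOFT, 1 otherwise.
# PCT defaults to 80 (arbitrary threshold). Integer arithmetic only;
# Linux never reports "unlimited" for the open-files limit.
fd_headroom_ok() {
    used=$1; soft=$2; pct=${3:-80}
    [ $((used * 100)) -lt $((soft * pct)) ]
}

# Check every running redsocks process. Returns 0 when all are healthy,
# 1 when any is near its limit, 2 when none is running.
check_redsocks() {
    pids=$(pgrep -x redsocks) || { echo "redsocks is not running"; return 2; }
    status=0
    for pid in $pids; do
        set -- $(nofile_limits < /proc/"$pid"/limits)
        soft=$1; hard=$2
        used=$(fd_count "$pid")
        if fd_headroom_ok "$used" "$soft"; then
            echo "redsocks[$pid]: $used of $soft descriptors in use (hard $hard): ok"
        else
            echo "redsocks[$pid]: $used of $soft descriptors in use (hard $hard): NEAR LIMIT"
            status=1
        fi
    done
    return $status
}

# Usage: sh fdcheck.sh check
case "${1:-}" in
    check) check_redsocks ;;
esac
```

Running `sh fdcheck.sh check` right after the start-up script should report a soft limit of 32768 for the redsocks PID; if it still shows the default, the limit was raised in a different shell than the one that started the daemon. The exit status makes the check usable from cron or a monitoring agent.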

Things to do:

  • Create virtual machines (server, client)
  • Test Squid on these machines
