Escape proxy hell with Redsocks

In this post we will install and configure Redsocks to have transparent proxying.
This was executed on a Raspberry Pi running Jessie and on a Redhat 7.

The same applies modulo the yum/apt-get calls.

In the below we will be redirecting all traffic to myproxy.domain.com:3128. Feel free to replace it with your proxy dns name or ip adress and the correct port.

Install redsocks

apt-get install redsocks

Configure redsocks

Edit /etc/redsocks.conf

base {
    log_debug = off;
    log_info = off;
    log = "file:/var/log/redsocks";
    daemon = on;
    redirector = iptables;
}

redsocks {
    local_ip = 0.0.0.0;
    local_port = 12345;

    ip = myproxy.domain.com;
    port = 3128;

    type = http-relay;
}

redsocks {
        local_ip = 0.0.0.0;
        local_port = 12346;

        ip = myproxy.domain.com;
        port = 3128;
        type = http-connect;
}

Setup the iptable:

We will do a set of commands which need sudo rights. Start off with a sudo shell:

sudo bash

then issue the below commands to create a nat rule to forward all non:

iptables -t nat -N REDSOCKS
iptables -t nat -A REDSOCKS -d 0.0.0.0/8 -j RETURN
iptables -t nat -A REDSOCKS -d 10.0.0.0/8 -j RETURN
iptables -t nat -A REDSOCKS -d 127.0.0.0/8 -j RETURN
iptables -t nat -A REDSOCKS -d 169.254.0.0/16 -j RETURN
iptables -t nat -A REDSOCKS -d 172.16.0.0/12 -j RETURN
iptables -t nat -A REDSOCKS -d 192.168.0.0/16 -j RETURN
iptables -t nat -A REDSOCKS -d 224.0.0.0/4 -j RETURN
iptables -t nat -A REDSOCKS -d 240.0.0.0/4 -j RETURN

iptables -t nat -A REDSOCKS -p tcp --dport 80 -j REDIRECT --to-ports 12346
iptables -t nat -A REDSOCKS -p tcp --dport 443 -j REDIRECT --to-ports 12346
iptables -t nat -A REDSOCKS -p tcp --dport 11371 -j REDIRECT --to-ports 12345

iptables -t nat -A OUTPUT -p tcp -j REDSOCKS

iptables -t nat -A PREROUTING -p tcp --dport 11371 -j REDSOCKS
iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDSOCKS
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDSOCKS

It should be working at this level. Let's give it a round of tests.

Test internal and external access
External access
wget www.google.com
Internal access

Try to get an internal page on your network

wget mywebserver

Persist the Iptable rules

If you restart your machine at this level, you'll notice that the iptable rules we've setup aren't persisted. To persist them on Debian/Ubuntu install iptables-persistent and follow it's prompt:

apt-get install iptables-persistent

For Redhat, a simple method to permanently save iptables rules for IPv4 and IPv6. is:

chkconfig iptables on
service iptables save

You can always save and restore like so (handle ip4 and ip6):

iptables-save > /etc/sysconfig/iptables
ip6tables-save > /etc/sysconfig/ip6tables

iptables-restore < /etc/sysconfig/iptables
ip6tables-restore < /etc/sysconfig/ip6tables

That's all for this post!

Comments

comments powered by Disqus