Active Topics
-
[Announce] genwall a simple iptables firewall (90)
to Applications by paoletto - 1 day ago -
N9 as WiFi repeater/extender? (1)
to Nokia N9 / N950 by paoletto - 1 day ago -
Sailfish OS flashing files (89)
to SailfishOS by monkeyisland - 2 days, 1 hr ago - more...
| The Following 5 Users Say Thank You to gexc For This Useful Post: | ||
|
|
2014-02-16
, 14:07
|
|
Guest |
Posts: n/a |
Thanked: 0 times |
Joined on
|
#2
|
thanks, I will try this trick with my tor package 
|
2014-04-07
, 14:50
|
|
Posts: 64 |
Thanked: 36 times |
Joined on Feb 2012
@ US
|
#3
|
shadowsocks-libev compiles and works out-of-the-box 
|
|
2014-05-18
, 15:38
|
|
Posts: 1 |
Thanked: 0 times |
Joined on May 2014
@ 拆呐国
|
#5
|
great job
But still feel slightly more power consumption
But still feel slightly more power consumption
|
|
2014-05-18
, 16:13
|
|
Guest |
Posts: n/a |
Thanked: 0 times |
Joined on
|
#6
|
unfortunately the solution that works (tordns with iptables) gives another issue in my experience - it seems Store doesnt like it, I assume its due to tordns not having dns records for Jolla repositories.
So, the proxy/iptables or just having the browser using tor (like my package) seems to be the compromise ATM.
So, the proxy/iptables or just having the browser using tor (like my package) seems to be the compromise ATM.
|
|
2014-05-19
, 02:16
|
|
Posts: 64 |
Thanked: 36 times |
Joined on Feb 2012
@ US
|
#7
|
Originally Posted by nieldk
is it possible to put the ip of releases.jolla.com in /etc/hosts to avoid the dns query altogether ?
unfortunately the solution that works (tordns with iptables) gives another issue in my experience - it seems Store doesnt like it, I assume its due to tordns not having dns records for Jolla repositories.
So, the proxy/iptables or just having the browser using tor (like my package) seems to be the compromise ATM.
Last edited by gexc; 2014-05-19 at 02:33.
|
|
2014-07-03
, 14:47
|
|
Posts: 63 |
Thanked: 37 times |
Joined on Jul 2010
|
#8
|
So I installed nieldk's Tor package from the warhouse store.
According to the package notes it'll setup a proxy for the webbrowser.
Is it possible to make the phone completely transparant by using tordns and iptables? With the ability to switch between 3G and Wifi?
According to the package notes it'll setup a proxy for the webbrowser.
Is it possible to make the phone completely transparant by using tordns and iptables? With the ability to switch between 3G and Wifi?
|
|
2014-07-03
, 15:32
|
|
Posts: 64 |
Thanked: 36 times |
Joined on Feb 2012
@ US
|
#9
|
Originally Posted by MastaG
redsocks/iptables should work with tor, I haven't tried though.
So I installed nieldk's Tor package from the warhouse store.
According to the package notes it'll setup a proxy for the webbrowser.
Is it possible to make the phone completely transparant by using tordns and iptables? With the ability to switch between 3G and Wifi?
It seems there is no auto-switching. After network switching iptables have to be toggled off and on again manually. Haven't figure out why...
|
|
2014-07-03
, 15:36
|
|
Guest |
Posts: n/a |
Thanked: 0 times |
Joined on
|
#10
|
Originally Posted by gexc
you can make that automatic with some systemd magic, which can reload eg iptables after network switch
redsocks/iptables should work with tor, I haven't tried though.
It seems there is no auto-switching. After network switching iptables have to be toggled off and on again manually. Haven't figure out why...
| The Following User Says Thank You to For This Useful Post: | ||
pdnsd
pdnsd is needed for dealing with dns poisoning
sample config file for pdnsd (/etc/pdnsd.conf):
global { perm_cache=1024; cache_dir="/var/cache/pdnsd"; # pid_file = /var/run/pdnsd.pid; run_as="nobody"; server_ip = 127.0.0.1; # Use eth0 here if you want to allow other server_port = 5353; #Since port 53 is used by connman, pdnsd has to be configured to use another port and the DNS queries will be redirected to it by iptables # machines on your network to query pdnsd. status_ctl = on; paranoid=on; # This option reduces the chance of cache poisoning # but may make pdnsd less efficient, unfortunately. query_method=tcp_only; min_ttl=1h; # Retain cached entries at least 15 minutes. max_ttl=1w; # One week. timeout=10; # Global timeout option (10 seconds). neg_domain_pol=on; udpbufsize=1024; # Upper limit on the size of UDP messages. } # replace this with any dns servers server { label= "google"; ip = 8.8.8.8, 8.8.4.4; # Put your ISP’s DNS-server address(es) here. timeout=4; # Server timeout; this may be much shorter # that the global timeout option. uptest=ping; # Test if the network interface is active. purge_cache=off; # Keep stale cache entries in case the ISP’s # DNS servers go offline. edns_query=no; # Use EDNS for outgoing queries to allow UDP messages # larger than 512 bytes. May cause trouble with some # legacy systems. } source { owner=localhost; # serve_aliases=on; file="/etc/hosts"; } rr { name=localhost; reverse=on; a=127.0.0.1; owner=localhost; soa=localhost,root.localhost,42,86400,900,86400,86400; }shadowsocks is a lightweight and secure socks5 proxy. It can replace the ssh tunnel. Also shadowsocks-libev has ss-redir which works as a transparent proxy, so redsocks is not needed.
sample config file for shadowsocks (/home/nemo/.shadowsocks/ss-config.json)
{ "server":"replace_with_your_server", "server_port":replace_with_your_server_port, "local_port":7777, "password":"replace_with_your_password", "timeout":600, "method":"aes-256-cfb" }iptables needs to be set up to redirect the network traffic to our socks proxy. CAUTION: MESSING UP WITH IPTABLES MAY JAM YOUR NETWORK
a dirty script for iptables config (iptables-ss.sh)
iptables-ss.sh start will (re-)start pdnsd and set up iptables rules
iptables-ss.sh stop will do the reverse
iptables-ss.sh stop-ss will kill the shadowsocks process (not really needed)
redsocks
If ssh tunnel is preferred then redsocks is used for creating the transparent proxy.
sample config file (/home/nemo/.redsocks/redsocks.conf)
base { // debug: connection progress & client list on SIGUSR1 log_debug = off; // info: start and end of client session log_info = on; /* possible `log' values are: * stderr * "file:/path/to/file" * syslog:FACILITY facility is any of "daemon", "local0"..."local7" */ log = "file:/home/nemo/.redsocks/redsocks.log"; // log = "file:/path/to/file"; // log = "syslog:local7"; // detach from console daemon = on; /* Change uid, gid and root directory, these options require root * privilegies on startup. * Note, your chroot may requre /etc/localtime if you write log to syslog. * Log is opened before chroot & uid changing. */ // user = nobody; // group = nobody; // chroot = "/var/chroot"; /* possible `redirector' values are: * iptables - for Linux * ipf - for FreeBSD * pf - for OpenBSD * generic - some generic redirector that MAY work */ redirector = iptables; } redsocks { /* `local_ip' defaults to 127.0.0.1 for security reasons, * use 0.0.0.0 if you want to listen on every interface. * `local_*' are used as port to redirect to. */ local_ip = 127.0.0.1; local_port = 12345; // listen() queue length. Default value is SOMAXCONN and it should be // good enough for most of us. // listenq = 128; // SOMAXCONN equals 128 on my Linux box. // `max_accept_backoff` is a delay to retry `accept()` after accept // failure (e.g. due to lack of file descriptors). It's measured in // milliseconds and maximal value is 65535. `min_accept_backoff` is // used as initial backoff value and as a damper for `accept() after // close()` logic. // min_accept_backoff = 100; // max_accept_backoff = 60000; // `ip' and `port' are IP and tcp-port of proxy-server // You can also use hostname instead of IP, only one (random) // address of multihomed host will be used. ip = 127.0.0.1; port = 7777; // the ssh tunneling port // known types: socks4, socks5, http-connect, http-relay type = socks5; } redudp { // `local_ip' should not be 0.0.0.0 as it's also used for outgoing // packets that are sent as replies - and it should be fixed // if we want NAT to work properly. local_ip = 127.0.0.1; local_port = 10053; // `ip' and `port' of socks5 proxy server. ip = 127.0.0.1; port = 7777; // redsocks knows about two options while redirecting UDP packets at // linux: TPROXY and REDIRECT. TPROXY requires more complex routing // configuration and fresh kernel (>= 2.6.37 according to squid // developers[1]) but has hack-free way to get original destination // address, REDIRECT is easier to configure, but requires `dest_ip` and // `dest_port` to be set, limiting packet redirection to single // destination. // [1] http://wiki.squid-cache.org/Features/Tproxy4 dest_ip = 8.8.8.8; dest_port = 53; udp_timeout = 30; udp_timeout_stream = 180; } dnstc { // fake and really dumb DNS server that returns "truncated answer" to // every query via UDP, RFC-compliant resolver should repeat same query // via TCP in this case. local_ip = 127.0.0.1; local_port = 5300; } // you can add more `redsocks' and `redudp' sections if you need.a dirtier iptables script for redsocks
#!/bin/sh IPTABLES="/sbin/iptables" REDSOCKS="/usr/bin/redsocks" REDSOCKSCFG="/home/nemo/.redsocks/redsocks.conf" REDSOCKS_PORT="12345" #local_port in $REDSOCKSCFG PDNSDCFG="/etc/pdnsd.conf" SERVER="your_ssh_server" if [ "$1" = "start" ]; then echo '(Re)starting redsocks...' pkill -U $USER redsocks 2>/dev/null sleep 1 $REDSOCKS -c $REDSOCKSCFG echo '(Re)starting pdnsd' pkill -U $USER pdnsd 2>/dev/null pdnsd -d -mto -c $PDNSDCFG $IPTABLES -t nat -F $IPTABLES -t nat -X $IPTABLES -t nat -A OUTPUT -p udp --dport 53 -j REDIRECT --to-ports 5353 #redirect dns queries $IPTABLES -t nat -D PREROUTING -p tcp -j REDSOCKS_FILTER 2>/dev/null $IPTABLES -t nat -D OUTPUT -p tcp -j REDSOCKS_FILTER 2>/dev/null $IPTABLES -t nat -F REDSOCKS_FILTER 2>/dev/null $IPTABLES -t nat -X REDSOCKS_FILTER 2>/dev/null $IPTABLES -t nat -F REDSOCKS 2>/dev/null $IPTABLES -t nat -X REDSOCKS 2>/dev/null # Create our own chain $IPTABLES -t nat -N REDSOCKS $IPTABLES -t nat -N REDSOCKS_FILTER # Do not try to redirect local traffic $IPTABLES -t nat -I REDSOCKS_FILTER -o lo -j RETURN # Do not redirect LAN traffic and some other reserved addresses. (blacklist option) $IPTABLES -t nat -A REDSOCKS_FILTER -d 0.0.0.0/8 -j RETURN $IPTABLES -t nat -A REDSOCKS_FILTER -d 10.0.0.0/8 -j RETURN $IPTABLES -t nat -A REDSOCKS_FILTER -d 127.0.0.0/8 -j RETURN $IPTABLES -t nat -A REDSOCKS_FILTER -d 169.254.0.0/16 -j RETURN $IPTABLES -t nat -A REDSOCKS_FILTER -d 172.16.0.0/12 -j RETURN $IPTABLES -t nat -A REDSOCKS_FILTER -d 192.168.0.0/16 -j RETURN $IPTABLES -t nat -A REDSOCKS_FILTER -d 224.0.0.0/4 -j RETURN $IPTABLES -t nat -A REDSOCKS_FILTER -d 240.0.0.0/4 -j RETURN $IPTABLES -t nat -A REDSOCKS_FILTER -d $SERVER -j RETURN $IPTABLES -t nat -A REDSOCKS_FILTER -j REDSOCKS # Redirect all traffic that gets to the end of our chain $IPTABLES -t nat -A REDSOCKS -p tcp -j REDIRECT --to-port $REDSOCKS_PORT ## Filter all traffic from the own host ## BE CAREFULL HERE IF THE SOCKS-SERVER RUNS ON THIS MACHINE $IPTABLES -t nat -A OUTPUT -p tcp -j REDSOCKS_FILTER # Filter all traffic that is routed over this host $IPTABLES -t nat -A PREROUTING -p tcp -j REDSOCKS_FILTER echo IPtables reconfigured. exit 0; elif [ "$1" = "stop" ]; then $IPTABLES -t nat -F $IPTABLES -t nat -X killall redsocks killall pdnsd exit 0; else exit 1; firedsocks.sh start : start redsocks, pdnsd and set up iptables rules
redsocks.sh stop : undo everything
Proxychains
proxychains is a hook preloader that allows to redirect TCP traffic of existing dynamically linked programs through one or more SOCKS or HTTP proxies.
It can be used to launch a single app whose traffic will go through a chains of proxies defined in /etc/proxychains.conf (default is 127.0.0.1:9050 for tor). Domain names are resolved in the proxy side.
Usage example:
issues
No gui (yet)
The network gets jammed after switching from wifi to 3g or vice versa. The iptables scripts need to be restarted after every network switching. Not sure about the cause, maybe the rules are messed up after all...
Last edited by gexc; 2014-08-31 at 17:02.