Transparent system-wide proxy

Proxies can be a powerful way to enforce anonymity or to bypass various kinds of restrictions on Internet (government censorship, regional contents, …). In this post, I’ll describe a simple technique to create a transparent proxy at the system level. It’s especially useful in cases when you want to make sure that all connections make it through the proxy or when your application of interest doesn’t have proxy support. I don’t think this technique is that well-known, hence this post.

1. Create SOCKS proxy with OpenSSH

If you have a user account on a remote machine, the simplest way to create a proxy is to use the following command.

$ ssh -N -D 1080 username@serverhost

It creates a SOCKS proxy listening to port 1080 on your local machine. The main advantage of the SOCKS protocol is that it can route connections from any port between the client and the server.

2. Forward connection transparently with iptables or ipfw

Most modern browsers can let the user define a SOCKS proxy in their advanced networking preference section. Yet, many applications may not support the SOCKS protocol at all. The solution is to use system tools such as iptables (Linux) or ipfw (FreeBSD, OS X) to enforce the routing at the system level. For example, on OS X, I use the following command to redirect port 80 (HTTP).

$ sudo ipfw add 100 fwd 127.0.0.1,12345 dst-port 80

3. Redirect connections to SOCKS proxy with redsocks

iptables and ipfw don’t have built-in support for the SOCKS protocol. It is thus necessary to use an additional program to transform the connections on the fly. This is where redsocks comes in.

$ redsocks -c config_file

In the configuration file, you need to configure redsocks to listen to port 12345 and to redirect to port 1080. “generic” can be used as the redirector option. The github repository includes a sample configuration file.

And voila! We now have configured the system to transparently route connections for us. To summarize, here is the big picture:

local machine -> redsocks -> SOCKS proxy -> target server

5 Responses to “Transparent system-wide proxy”

  1. anonymous Says:

    iptables example, please

  2. Mathieu Says:

    There is an example here https://github.com/darkk/redsocks (scroll to the bottom). You can append “–dport 80″ if you want to specify port 80 only.

  3. Danilo Cesar Says:

    You can also use $tsocks application_name

    It overwrites LD_PRELOAD var to force C’s connect calls to go through your SOCKS proxy.

    It’s not that elegant as defining some ipables rules for it, but it’s simpler and allows you to define which application should be using the proxy or not.

  4. Mathieu Says:

    Good to know that there are alternative solutions.

    The solution I describe seems to be more robust if you want to be sure that all outgoing traffic makes it through the proxy or in case the software cannot be trusted (proprietary).

  5. Lucy Says:

    I will tell you something: why don’t make a Windows software (GNU Freeware) that does exactly this function. You Linux geeks are genius, but helping people it’s more than type some kind of linux “command”. There are Windows people that need this too. We Windows users need help too. Yeah, I’m newbie, Linux may be great, but there are too many complex “command line” instructions to me (I know the graphical interface is as easy as Windows), but get complex things working in Linux is a pain. In Windows someone program an application, and it’s done. I know I may sound lazy, but not everyone is a genius. This is only an example. There are a lot of functions in Windows that need an application to get it work. For example, I was looking for a transparent proxy to VMware o Virtual PC, that works at ethernet level. In linux it may be easy for a genius, but in Windows it’s impossible without an application or a complex configuration. If you know a way to do that in Windows, it will be great!. Thank you…….. :)