Transparent system-wide proxy
Proxies can be a powerful way to enforce anonymity or to bypass various kinds of restrictions on Internet (government censorship, regional contents, …). In this post, I’ll describe a simple technique to create a transparent proxy at the system level. It’s especially useful in cases when you want to make sure that all connections make it through the proxy or when your application of interest doesn’t have proxy support. I don’t think this technique is that well-known, hence this post.
1. Create SOCKS proxy with OpenSSH
If you have a user account on a remote machine, the simplest way to create a proxy is to use the following command.
$ ssh -N -D 1080 username@serverhost
It creates a SOCKS proxy listening to port 1080 on your local machine. The main advantage of the SOCKS protocol is that it can route connections from any port between the client and the server.
2. Forward connection transparently with iptables or ipfw
Most modern browsers can let the user define a SOCKS proxy in their advanced networking preference section. Yet, many applications may not support the SOCKS protocol at all. The solution is to use system tools such as iptables (Linux) or ipfw (FreeBSD, OS X) to enforce the routing at the system level. For example, on OS X, I use the following command to redirect port 80 (HTTP).
$ sudo ipfw add 100 fwd 127.0.0.1,12345 dst-port 80
3. Redirect connections to SOCKS proxy with redsocks
iptables and ipfw don’t have built-in support for the SOCKS protocol. It is thus necessary to use an additional program to transform the connections on the fly. This is where redsocks comes in.
$ redsocks -c config_file
In the configuration file, you need to configure redsocks to listen to port 12345 and to redirect to port 1080. “generic” can be used as the redirector option. The github repository includes a sample configuration file.
And voila! We now have configured the system to transparently route connections for us. To summarize, here is the big picture:
local machine -> redsocks -> SOCKS proxy -> target server