tor privoxy squid

gabrix gabrix at gabrix.ath.cx
Mon Nov 20 05:36:24 UTC 2006


gabrix wrote:

> coderman wrote:
>
>> On 11/18/06, gabrix <gabrix at gabrix.ath.cx> wrote:
>>
>>> [my transparent squid proxy isn't working]
>>
>>
>>
>> try the following:
>>
>> squid: make sure these elements are in your squid.conf
>> ---cut---
>> httpd_accel_port 3128
>> httpd_accel_host virtual
>> httpd_accel_with_proxy on
>> httpd_accel_uses_host_header on
>> cache_peer      localhost       parent  8118    7       no-query default
>> header_access Via deny all
>> header_access From deny all
>> forwarded_for off
>> ---end-cut---
>>
>> privoxy: note that the cache_peer in squid config refers to SOCKS
>> proxy in privoxy config.
>> ---cut---
>> listen-address  127.0.0.1:8118
>> forward-socks4a         /       127.0.0.1:9050  .
>> ---end-cut---
>>
>> tor: note that 9050 is the SOCKS proxy port for Tor.
>>
>> iptables:
>> INTIF=eth1 # internal network interface
>> EXTIF=eth0 # external default route / public interface
>> ---cut---
>> $IPTABLES -A FORWARD -i $INTIF -o $EXTIF -p tcp -m state --state \
>>     ESTABLISHED,RELATED -j ACCEPT
>> $IPTABLES -t nat -A PREROUTING -i $INTIF -p tcp --dport 80 \
>>     -j REDIRECT --to 3128
>> ---end-cut---
>>
>> note that you'll want additional firewall / filter rules, and also
>> that DNS leaks may be present.  you will have to transparently proxy
>> DNS via dns-proxy-tor or equivalent to avoid this, and the following
>> filter rules can be used for transparent DNS proxy:
>> ---cut---
>> $IPTABLES -t nat -A PREROUTING -i $INTIF -p udp --dport 53 \
>>     -j REDIRECT --to 65533
>> ---end-cut---
>> where 65533 is where dns-proxy-tor is listening.
>>
> Uahu! I already had this, but I love collaboration, and thanks! Contact 
> me at Skype gabx666 or visit the website I'm building at 
> http://tor.gabrix.ath.cx, please keep in touch, ok?
> What I'm trying to do is:
> I have tor+privoxy on each LAN machine behind the gateway; now I 
> want LAN HTTP requests to go first locally "torbuttoned" and then, 
> before going out to the internet, be proxied again by the gateway 
> squid-tor-privoxy ... am I crazy? It's fun!
> I have this iptables:
>
>> TOR=9001,9030,9031,9050,9090,9091
>> SQUID_PORT=3128
>
>
>> #$IPT -t nat -I PREROUTING -i $IF1 -p tcp -s 192.168.1.0/24 -m owner 
>> --uid-owner debian-tor --dport 80 -j DNAT --to 192.16$
>> $IPT -t nat -I PREROUTING -i $IF1 -p tcp -s 192.168.1.0/24 -m \
>>     multiport --dports $TOR -j REDIRECT --to $SQUID_PORT
>
>
>
> HTTP requests, once they leave my LAN machines, don't go to port 80 
> but to a Tor SOCKS port, so I was trying to get them to go through my 
> squid gateway port one way (--uid-owner) or the other.
> GGG!
>
I corrected the iptables. I'm not using torbuttoned clients, so direct 
to port; squid has the default configuration, "just" added 'cache_peer 
localhost parent 8118 7 no-query default' and 'never_direct allow all'.


> $IPT -t nat -I PREROUTING -i $IF1 -p tcp -s 192.168.1.0/24 --dport 80 \
>     -j REDIRECT --to 3128

>> Squid is doing my head in.
>
>> Is squid's httpd accelerator for filtering incoming HTTP requests
> to inside LAN httpd servers? Might it be useless to consider it for 
> clients outgoing to the internet?
>
> SquidLogs:
>
> 1163999313.198 1 0.0.0.0 TCP_DENIED/400 1827 GET /safebrowsing/update?client=navclient-auto-ffox2.0&mozver=1.8.1-2006101022&version=goog-white-domain:1:17,goog-white-url:1:371,goog-black-url:1:7093,goog-black-enchash:1:13461 - NONE/- text/html
>
> It looks to me like an ACL decision. I have client netmask set to 0.0.0.0, 
> but it's just stdout for log files ... I will keep on trying different 
> solutions ...

http_access allow all ... as a start!

> ciao !
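
The squid log line quoted above is in squid's native access.log format, and its hierarchy/peer field (NONE/-) is what tells you whether a request ever reached the privoxy cache_peer at all. The script below is an added example, not code from this thread or from squid: it parses native-format lines and sorts each request into denied by squid, forwarded to the Tor-side peer, answered locally, or fetched DIRECT (a bypass of the peer chain that should never appear once 'never_direct allow all' is in place). It assumes the cache_peer host is localhost, as in the config quoted above, and the sample lines are constructed.

```python
import re
from collections import Counter

# Squid native access.log layout (the default when no logformat is configured):
# time elapsed client code/status bytes method URL ident hierarchy/peer type
NATIVE_RE = re.compile(
    r"^(?P<time>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<ident>\S+)\s+(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<ctype>\S+)\s*$"
)

# Host named in the cache_peer line, i.e. the privoxy hop in front of Tor (assumed).
TOR_PEER = "localhost"

def parse_line(line: str) -> dict:
    """Split one native-format line into its named fields."""
    m = NATIVE_RE.match(line)
    if not m:
        raise ValueError(f"not a native squid access.log line: {line!r}")
    e = m.groupdict()
    e["status"], e["bytes"], e["elapsed"] = int(e["status"]), int(e["bytes"]), int(e["elapsed"])
    return e

def classify(e: dict, tor_peer: str = TOR_PEER) -> str:
    """Where did the request end up?
    denied    squid refused it itself (http_access, or a 4xx before any peer was tried)
    forwarded handed to the cache_peer, i.e. privoxy -> Tor: the intended path
    none      answered without contacting anyone (cache hit, locally generated error)
    direct    squid fetched from the origin itself: a bypass of the Tor chain
    """
    if e["code"].startswith("TCP_DENIED"):
        return "denied"
    if e["peer"] == tor_peer:
        return "forwarded"
    if e["peer"] == "-":
        return "none"
    return "direct"

def summarize(lines) -> Counter:
    """Count outcomes over an iterable of log lines, skipping blanks."""
    return Counter(classify(parse_line(l)) for l in lines if l.strip())

# Constructed sample: line 1 mirrors the shape of the entry quoted in the thread
# (TCP_DENIED/400, peer NONE/-, path-only URL); lines 2 and 3 are invented for contrast.
SAMPLE_LOG = """\
1163999313.198 1 0.0.0.0 TCP_DENIED/400 1827 GET /safebrowsing/update?client=navclient-auto-ffox2.0 - NONE/- text/html
1163999320.512 843 192.168.1.10 TCP_MISS/200 5120 GET http://www.example.com/ - DEFAULT_PARENT/localhost text/html
1163999331.007 301 192.168.1.11 TCP_MISS/200 2048 GET http://www.example.org/ - DIRECT/www.example.org text/html
"""
```

Running `summarize(SAMPLE_LOG.splitlines())` over a real access.log gives a quick check that the "direct" count stays at zero; a path-only URL together with a 400 and NONE/- on a transparently redirected request points at squid rejecting the request before any ACL or peer decision, which is what the quoted line shows.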




More information about the tor-talk mailing list