Reply
Thread Tools
Posts: 64 | Thanked: 36 times | Joined on Feb 2012 @ US
#1
redsocks, pdnsd, shadowsocks-libev and proxychains are uploaded to openrepos

pdnsd

pdnsd is needed for dealing with dns poisoning
sample config file for pdnsd (/etc/pdnsd.conf):

Code:
global {
        perm_cache=1024;
        cache_dir="/var/cache/pdnsd";
#       pid_file = /var/run/pdnsd.pid;
        run_as="nobody";
        server_ip = 127.0.0.1;  # Use eth0 here if you want to allow other
        server_port = 5353; #Since port 53 is used by connman, pdnsd has to be configured to use another port and the DNS queries will be redirected to it by iptables
                                # machines on your network to query pdnsd.
        status_ctl = on;
        paranoid=on;       # This option reduces the chance of cache poisoning
                           # but may make pdnsd less efficient, unfortunately.
        query_method=tcp_only;
        min_ttl=1h;       # Retain cached entries at least 15 minutes.
        max_ttl=1w;        # One week.
        timeout=10;        # Global timeout option (10 seconds).
        neg_domain_pol=on;
        udpbufsize=1024;   # Upper limit on the size of UDP messages.
}

# replace this with any dns servers
server {
        label= "google";
        ip = 8.8.8.8, 8.8.4.4;  # Put your ISP’s DNS-server address(es) here.
        timeout=4;         # Server timeout; this may be much shorter
                           # that the global timeout option.
        uptest=ping;         # Test if the network interface is active.
        purge_cache=off;   # Keep stale cache entries in case the ISP’s
                           # DNS servers go offline.
        edns_query=no;    # Use EDNS for outgoing queries to allow UDP messages
                           # larger than 512 bytes. May cause trouble with some
                           # legacy systems.
}
source {
        owner=localhost;
#       serve_aliases=on;
        file="/etc/hosts";
}
rr {
        name=localhost;
        reverse=on;
        a=127.0.0.1;
        owner=localhost;
        soa=localhost,root.localhost,42,86400,900,86400,86400;
}
shadowsocks

shadowsocks is a lightweight and secure socks5 proxy. It can replace the ssh tunnel. Also shadowsocks-libev has ss-redir which works as a transparent proxy, so redsocks is not needed.

sample config file for shadowsocks (/home/nemo/.shadowsocks/ss-config.json)

Code:
{
        "server":"replace_with_your_server",
        "server_port":replace_with_your_server_port,
        "local_port":7777,
        "password":"replace_with_your_password",
        "timeout":600,
        "method":"aes-256-cfb"
}
iptables

iptables needs to be set up to redirect the network traffic to our socks proxy. CAUTION: MESSING UP WITH IPTABLES MAY JAM YOUR NETWORK

a dirty script for iptables config (iptables-ss.sh)

Code:
#!/bin/sh
PORT=7777
DNSPORT=5353
SERVER=replace_with_your_server
PDNSDCFG=/etc/pdnsd.conf
SSLOG=/dev/null
SSCFG=/home/nemo/.shadowsocks/ss-config.json

if [ "$1" = "start" ] ;then
#echo "Starting pdnsd"
iptables -t nat -F
iptables -t nat -X
pkill -U $USER pdnsd
pdnsd -d -mto -c $PDNSDCFG
iptables -t nat -A OUTPUT -p udp --dport 53 -j REDIRECT --to-ports $DNSPORT #redirect dns queries
#echo "Setting iptables"

iptables -t nat -N SHADOWSOCKS
iptables -t nat -A SHADOWSOCKS -d $SERVER -j RETURN
iptables -t nat -A SHADOWSOCKS -d 0.0.0.0/8 -j RETURN
iptables -t nat -A SHADOWSOCKS -d 10.0.0.0/8 -j RETURN
iptables -t nat -A SHADOWSOCKS -d 127.0.0.0/8 -j RETURN
iptables -t nat -A SHADOWSOCKS -d 169.254.0.0/16 -j RETURN
iptables -t nat -A SHADOWSOCKS -d 172.16.0.0/12 -j RETURN
iptables -t nat -A SHADOWSOCKS -d 192.168.0.0/16 -j RETURN
iptables -t nat -A SHADOWSOCKS -d 224.0.0.0/4 -j RETURN
iptables -t nat -A SHADOWSOCKS -d 240.0.0.0/4 -j RETURN
iptables -t nat -A SHADOWSOCKS -p tcp -j REDIRECT --to-ports $PORT 
iptables -t nat -A OUTPUT -p tcp -j SHADOWSOCKS
exit 0;
elif [ "$1" = "stop" ]; then
pkill -U $USER pdnsd
iptables -t nat -F
iptables -t nat -X
exit 0;

elif [ "$1" = "start-ss" ]; then
pkill -U $USER ss-redir
nohup ss-redir -c $SSCFG > $SSLOG &
exit 0;
elif [ "$1" = "stop-ss" ]; then
pkill -U $USER ss-redir
exit 0;
else
exit 1;
fi
iptables-ss.sh start-ss will start shadowsocks and keep it running in the background
iptables-ss.sh start will (re-)start pdnsd and set up iptables rules
iptables-ss.sh stop will do the reverse
iptables-ss.sh stop-ss will kill the shadowsocks process (not really needed)

redsocks

If ssh tunnel is preferred then redsocks is used for creating the transparent proxy.

sample config file (/home/nemo/.redsocks/redsocks.conf)
Code:
base {
        // debug: connection progress & client list on SIGUSR1
        log_debug = off;

        // info: start and end of client session
        log_info = on;

        /* possible `log' values are:
         *   stderr
         *   "file:/path/to/file"
         *   syslog:FACILITY  facility is any of "daemon", "local0"..."local7"
         */
        log = "file:/home/nemo/.redsocks/redsocks.log";
        // log = "file:/path/to/file";
        // log = "syslog:local7";

        // detach from console
        daemon = on;

        /* Change uid, gid and root directory, these options require root
         * privilegies on startup.
         * Note, your chroot may requre /etc/localtime if you write log to syslog.
         * Log is opened before chroot & uid changing.
         */
        // user = nobody;
        // group = nobody;
        // chroot = "/var/chroot";

        /* possible `redirector' values are:
         *   iptables   - for Linux
         *   ipf        - for FreeBSD
         *   pf         - for OpenBSD
         *   generic    - some generic redirector that MAY work
         */
        redirector = iptables;
}

redsocks {
        /* `local_ip' defaults to 127.0.0.1 for security reasons,
         * use 0.0.0.0 if you want to listen on every interface.
         * `local_*' are used as port to redirect to.
         */
        local_ip = 127.0.0.1;
        local_port = 12345;

        // listen() queue length. Default value is SOMAXCONN and it should be
        // good enough for most of us.
        // listenq = 128; // SOMAXCONN equals 128 on my Linux box.

        // `max_accept_backoff` is a delay to retry `accept()` after accept
        // failure (e.g. due to lack of file descriptors). It's measured in
        // milliseconds and maximal value is 65535. `min_accept_backoff` is
        // used as initial backoff value and as a damper for `accept() after
        // close()` logic.
        // min_accept_backoff = 100;
        // max_accept_backoff = 60000;

        // `ip' and `port' are IP and tcp-port of proxy-server
        // You can also use hostname instead of IP, only one (random)
        // address of multihomed host will be used.

ip = 127.0.0.1;
port = 7777; // the ssh tunneling port


        // known types: socks4, socks5, http-connect, http-relay
        type = socks5;


}

redudp {
        // `local_ip' should not be 0.0.0.0 as it's also used for outgoing
        // packets that are sent as replies - and it should be fixed
        // if we want NAT to work properly.
        local_ip = 127.0.0.1;
        local_port = 10053;

        // `ip' and `port' of socks5 proxy server.
ip = 127.0.0.1;
port = 7777;
        // redsocks knows about two options while redirecting UDP packets at
        // linux: TPROXY and REDIRECT.  TPROXY requires more complex routing
        // configuration and fresh kernel (>= 2.6.37 according to squid
        // developers[1]) but has hack-free way to get original destination
        // address, REDIRECT is easier to configure, but requires `dest_ip` and
        // `dest_port` to be set, limiting packet redirection to single
        // destination.
        // [1] http://wiki.squid-cache.org/Features/Tproxy4
        dest_ip = 8.8.8.8;
        dest_port = 53;

        udp_timeout = 30;
        udp_timeout_stream = 180;
}

dnstc {
        // fake and really dumb DNS server that returns "truncated answer" to
        // every query via UDP, RFC-compliant resolver should repeat same query
        // via TCP in this case.
        local_ip = 127.0.0.1;
        local_port = 5300;
}

// you can add more `redsocks' and `redudp' sections if you need.
iptables config for redsocks

a dirtier iptables script for redsocks (redsocks.sh)
Code:
#!/bin/sh

IPTABLES="/sbin/iptables"
REDSOCKS="/usr/bin/redsocks"
REDSOCKSCFG="/home/nemo/.redsocks/redsocks.conf"
REDSOCKS_PORT="12345" #local_port in $REDSOCKSCFG
PDNSDCFG="/etc/pdnsd.conf"
SERVER="your_ssh_server"

if [ "$1" = "start" ]; then
        echo '(Re)starting redsocks...'
        pkill -U $USER redsocks 2>/dev/null
        sleep 1
        $REDSOCKS -c $REDSOCKSCFG
        echo '(Re)starting pdnsd'
        pkill -U $USER pdnsd 2>/dev/null
        pdnsd -d -mto -c $PDNSDCFG
        $IPTABLES -t nat -F
        $IPTABLES -t nat -X
        $IPTABLES -t nat -A OUTPUT -p udp --dport 53 -j REDIRECT --to-ports 5353 #redirect dns queries


        $IPTABLES -t nat -D PREROUTING -p tcp -j REDSOCKS_FILTER 2>/dev/null
        $IPTABLES -t nat -D OUTPUT     -p tcp -j REDSOCKS_FILTER 2>/dev/null
        $IPTABLES -t nat -F REDSOCKS_FILTER 2>/dev/null
        $IPTABLES -t nat -X REDSOCKS_FILTER 2>/dev/null
        $IPTABLES -t nat -F REDSOCKS 2>/dev/null
        $IPTABLES -t nat -X REDSOCKS 2>/dev/null

# Create our own chain
        $IPTABLES -t nat -N REDSOCKS
        $IPTABLES -t nat -N REDSOCKS_FILTER

# Do not try to redirect local traffic
        $IPTABLES -t nat -I REDSOCKS_FILTER -o lo -j RETURN


# Do not redirect LAN traffic and some other reserved addresses. (blacklist option)
        $IPTABLES -t nat -A REDSOCKS_FILTER -d 0.0.0.0/8 -j RETURN
        $IPTABLES -t nat -A REDSOCKS_FILTER -d 10.0.0.0/8 -j RETURN
        $IPTABLES -t nat -A REDSOCKS_FILTER -d 127.0.0.0/8 -j RETURN
        $IPTABLES -t nat -A REDSOCKS_FILTER -d 169.254.0.0/16 -j RETURN
        $IPTABLES -t nat -A REDSOCKS_FILTER -d 172.16.0.0/12 -j RETURN
        $IPTABLES -t nat -A REDSOCKS_FILTER -d 192.168.0.0/16 -j RETURN
        $IPTABLES -t nat -A REDSOCKS_FILTER -d 224.0.0.0/4 -j RETURN
        $IPTABLES -t nat -A REDSOCKS_FILTER -d 240.0.0.0/4 -j RETURN
        $IPTABLES -t nat -A REDSOCKS_FILTER -d $SERVER -j RETURN 
        $IPTABLES -t nat -A REDSOCKS_FILTER -j REDSOCKS

# Redirect all traffic that gets to the end of our chain
        $IPTABLES -t nat -A REDSOCKS   -p tcp -j REDIRECT --to-port $REDSOCKS_PORT

## Filter all traffic from the own host
## BE CAREFULL HERE IF THE SOCKS-SERVER RUNS ON THIS MACHINE
        $IPTABLES -t nat -A OUTPUT     -p tcp -j REDSOCKS_FILTER

# Filter all traffic that is routed over this host
        $IPTABLES -t nat -A PREROUTING -p tcp -j REDSOCKS_FILTER

        echo IPtables reconfigured.
        exit 0;
elif [ "$1" = "stop" ]; then
        $IPTABLES -t nat -F
        $IPTABLES -t nat -X
        killall redsocks
        killall pdnsd
        exit 0;
else
        exit 1;
fi
(set up an ssh tunnel first)
redsocks.sh start : start redsocks, pdnsd and set up iptables rules
redsocks.sh stop : undo everything

Proxychains

proxychains is a hook preloader that allows to redirect TCP traffic of existing dynamically linked programs through one or more SOCKS or HTTP proxies.

It can be used to launch a single app whose traffic will go through a chains of proxies defined in /etc/proxychains.conf (default is 127.0.0.1:9050 for tor). Domain names are resolved in the proxy side.

Usage example:
Code:
proxychains4 sailfish-browser
Works fine with ssh tunnel and ss-local, but does not work with ss-redir

issues

No gui (yet)
The network gets jammed after switching from wifi to 3g or vice versa. The iptables scripts need to be restarted after every network switching. Not sure about the cause, maybe the rules are messed up after all...

Last edited by gexc; 2014-08-31 at 17:02.
 

The Following 5 Users Say Thank You to gexc For This Useful Post:
Guest | Posts: n/a | Thanked: 0 times | Joined on
#2
thanks, I will try this trick with my tor package
 
Posts: 64 | Thanked: 36 times | Joined on Feb 2012 @ US
#3
shadowsocks-libev compiles and works out-of-the-box
 
Posts: 64 | Thanked: 36 times | Joined on Feb 2012 @ US
#4
bump for some update
 
Posts: 1 | Thanked: 0 times | Joined on May 2014 @ 拆呐国
#5
great job
But still feel slightly more power consumption
 
Guest | Posts: n/a | Thanked: 0 times | Joined on
#6
unfortunately the solution that works (tordns with iptables) gives another issue in my experience - it seems Store doesnt like it, I assume its due to tordns not having dns records for Jolla repositories.
So, the proxy/iptables or just having the browser using tor (like my package) seems to be the compromise ATM.
 
Posts: 64 | Thanked: 36 times | Joined on Feb 2012 @ US
#7
Originally Posted by nieldk View Post
unfortunately the solution that works (tordns with iptables) gives another issue in my experience - it seems Store doesnt like it, I assume its due to tordns not having dns records for Jolla repositories.
So, the proxy/iptables or just having the browser using tor (like my package) seems to be the compromise ATM.
is it possible to put the ip of releases.jolla.com in /etc/hosts to avoid the dns query altogether ?

Last edited by gexc; 2014-05-19 at 02:33.
 
Posts: 63 | Thanked: 37 times | Joined on Jul 2010
#8
So I installed nieldk's Tor package from the warhouse store.
According to the package notes it'll setup a proxy for the webbrowser.

Is it possible to make the phone completely transparant by using tordns and iptables? With the ability to switch between 3G and Wifi?
 
Posts: 64 | Thanked: 36 times | Joined on Feb 2012 @ US
#9
Originally Posted by MastaG View Post
So I installed nieldk's Tor package from the warhouse store.
According to the package notes it'll setup a proxy for the webbrowser.

Is it possible to make the phone completely transparant by using tordns and iptables? With the ability to switch between 3G and Wifi?
redsocks/iptables should work with tor, I haven't tried though.

It seems there is no auto-switching. After network switching iptables have to be toggled off and on again manually. Haven't figure out why...
 
Guest | Posts: n/a | Thanked: 0 times | Joined on
#10
Originally Posted by gexc View Post
redsocks/iptables should work with tor, I haven't tried though.

It seems there is no auto-switching. After network switching iptables have to be toggled off and on again manually. Haven't figure out why...
you can make that automatic with some systemd magic, which can reload eg iptables after network switch
 

The Following User Says Thank You to For This Useful Post:
Reply

Thread Tools

 
Forum Jump


All times are GMT. The time now is 18:18.