
The basics of transparent proxying using 3proxy and iptables / netfilter or how to “let everything through a proxy”

In this article, I would like to show the possibilities of transparent proxying, which lets you redirect all or part of the traffic through external proxy servers without the clients noticing.

When I started to solve this problem, I ran into the fact that its implementation has one significant obstacle: the HTTPS protocol. In the good old days there were no particular problems with transparent HTTP proxying, but when HTTPS is proxied, browsers report interference with the protocol, and that is the end of it.

Common instructions for the Squid proxy server even suggest generating a self-signed certificate and installing it on the clients, which is completely unreasonable nonsense and looks exactly like a MITM attack. I know that Squid can already do something like this, but this article is about a proven and working method using 3proxy from the respected 3APA3A.

Next, we will look at building 3proxy from source, configuring it, full and selective proxying using NAT, spreading a channel over several external proxy servers, and using a router with static routes. We use Debian 9 x64 as the OS. Getting started!

Installing 3proxy and running a regular proxy server


1. Install ifconfig (from the net-tools package)
apt-get install net-tools
2. Install Midnight Commander
apt-get install mc
3. We now have 2 interfaces:
enp0s3 - external, faces the Internet
enp0s8 - internal, must face the local network
In other Debian-based distributions the interfaces are commonly called eth0 and eth1.
ifconfig -a

Interfaces
enp0s3: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.23.11  netmask 255.255.255.0  broadcast 192.168.23.255
        inet6 fe80::a00:27ff:fec2:bae4  prefixlen 64  scopeid 0x20<link>
        ether 08:00:27:c2:ba:e4  txqueuelen 1000  (Ethernet)
        RX packets 6412  bytes 8676619 (8.2 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 1726  bytes 289128 (282.3 KiB)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0

enp0s8: flags=4098<BROADCAST,MULTICAST>  mtu 1500
        ether 08:00:27:79:a7:e3  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1  (Local Loopback)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0

The enp0s8 interface is not used yet; we will enable it when we get to the Proxy NAT or NAT configuration. It is then logical to assign it a static IP.

4. Proceed to install 3proxy

4.1 Installing the base packages for compiling 3proxy from source

root@debian9:~# apt-get install build-essential libevent-dev libssl-dev -y

4.2. Create a folder for downloading the archive with source codes.

root@debian9:~# mkdir -p /opt/proxy

4.3. Go to this folder

root@debian9:~# cd /opt/proxy


4.4. Now download the latest 3proxy package. At the time of this writing, the latest stable version was 0.8.12 (04/18/2018). We download it from the official 3proxy website.

root@debian9:/opt/proxy# wget https://github.com/z3APA3A/3proxy/archive/0.8.12.tar.gz


4.5. Unpack the downloaded archive

root@debian9:/opt/proxy# tar zxvf 0.8.12.tar.gz

4.6. Go to the unpacked directory to build the program.

root@debian9:/opt/proxy# cd 3proxy-0.8.12

4.7. Next, add a line to the header file so that our server is completely anonymous (it really works, everything has been checked, client IPs are hidden)

root@debian9:/opt/proxy/3proxy-0.8.12# nano +29 src/proxy.h

Add the line

#define ANONYMOUS 1

Press Ctrl + x and Enter to save the changes.

4.8. Let's start building the program

root@debian9:/opt/proxy/3proxy-0.8.12# make -f Makefile.Linux

Make log
make[2]: Leaving directory '/opt/proxy/3proxy-0.8.12/src/plugins/TransparentPlugin'
make[1]: Leaving directory '/opt/proxy/3proxy-0.8.12/src'

No errors, we continue.

4.9. Install the program in the system

root@debian9:/opt/proxy/3proxy-0.8.12# make -f Makefile.Linux install

4.10. Go to the root directory and check where the program is installed.

root@debian9:/opt/proxy/3proxy-0.8.12# cd ~/
root@debian9:~# whereis 3proxy

3proxy: /usr/local/bin/3proxy /usr/local/etc/3proxy

4.11. Create a folder for configuration files and logs in the user's home directory.

root@debian9:~# mkdir -p /home/joke/proxy/logs

4.12. Go to the directory where the config should be

root@debian9:~# cd /home/joke/proxy/

4.13. Create an empty file and paste the config into it.

root@debian9:/home/joke/proxy# cat > 3proxy.conf

3proxy.conf
daemon
pidfile /home/joke/proxy/3proxy.pid
nserver 8.8.8.8
nscache 65536
users tester:CL:1234
timeouts 1 5 30 60 180 1800 16 60
log /home/joke/proxy/logs/3proxy.log D
logformat "- +_L%t.%. %N.%p %E %U %C:%c %R:%r %O %I %h %T"
rotate 3
auth strong
flush
allow tester
socks -p3128
proxy -p8080

To save, press Ctrl + Z

4.14. Create a pid file so that there are no errors at startup.

root@debian9:/home/joke/proxy# cat > 3proxy.pid

To save, press Ctrl + Z

4.15. We start a proxy server!

root@debian9:/home/joke/proxy# 3proxy /home/joke/proxy/3proxy.conf

4.16. Let's see if the server is listening to ports.

root@debian9:/home/joke/proxy# netstat -nlp

netstat log
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN      504/3proxy
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      338/sshd
tcp        0      0 0.0.0.0:3128            0.0.0.0:*               LISTEN      504/3proxy
tcp6       0      0 :::22                   :::*                    LISTEN      338/sshd
udp        0      0 0.0.0.0:68              0.0.0.0:*                           352/dhclient

As configured, the web proxy listens on port 8080 and the SOCKS5 proxy on port 3128.

4.17. To start the proxy service automatically after a reboot, add it to cron.

root@debian9:/home/joke/proxy# crontab -e

Add the line

@reboot /usr/local/bin/3proxy /home/joke/proxy/3proxy.conf

Press Enter at the end of the line, because cron must see the end-of-line character, then save the file.

There should be a message about installing a new crontab.

crontab: installing new crontab

4.18. Reboot the system and try to connect to the proxy from a browser. For verification we use Firefox (for the web proxy) and the FoxyProxy add-on for SOCKS5 with authentication.

root@debian9:/home/joke/proxy# reboot

4.19. After the reboot, check that the proxy works; you can look at the logs. This completes the proxy server configuration.

3proxy log
1542573996.018 PROXY.8080 00000 tester 192.168.23.10:50915 217.12.15.54:443 1193 6939 0 CONNECT_ads.yahoo.com:443_HTTP/1.1
1542574289.634 SOCK5.3128 00000 tester 192.168.23.10:1193 54.192.13.69:443 0 0 0 CONNECT_normandy.cdn.mozilla.net:443
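A parser for the log lines 3proxy writes with the logformat used in this article, added here as an example (it is not code from the article or from the 3proxy project). It splits a line into the fields of that format and summarizes, per client IP, the bytes transferred, the hosts reached and the number of lines with a non-zero error code; the sample input is the two lines shown above, embedded as constructed data.

```python
import ipaddress
from collections import defaultdict

# Field order of the logformat used in the configs on this page:
# "- +_L%t.%. %N.%p %E %U %C:%c %R:%r %O %I %h %T"
# Fields are space separated; spaces inside the request text (%T) are
# written as "_", so a split with a field limit is safe.
FIELDS = ("time", "service", "error", "user", "client", "target",
          "bytes_o", "bytes_i", "hops", "text")

# Constructed sample input: the two lines from the log shown above.
SAMPLE_LOG = """\
1542573996.018 PROXY.8080 00000 tester 192.168.23.10:50915 217.12.15.54:443 1193 6939 0 CONNECT_ads.yahoo.com:443_HTTP/1.1
1542574289.634 SOCK5.3128 00000 tester 192.168.23.10:1193 54.192.13.69:443 0 0 0 CONNECT_normandy.cdn.mozilla.net:443
"""

def parse_line(line):
    """Split one log line into a dict; return None if it does not fit the format."""
    parts = line.strip().split(" ", len(FIELDS) - 1)
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    try:
        rec["time"] = float(rec["time"])
        rec["service"], port = rec["service"].rsplit(".", 1)
        rec["service_port"] = int(port)
        # IPv4 "addr:port" pairs, as written by %C:%c and %R:%r
        rec["client_ip"], cport = rec["client"].rsplit(":", 1)
        rec["target_ip"], tport = rec["target"].rsplit(":", 1)
        rec["client_port"], rec["target_port"] = int(cport), int(tport)
        for key in ("bytes_o", "bytes_i", "hops"):
            rec[key] = int(rec[key])
        ipaddress.ip_address(rec["client_ip"])
        ipaddress.ip_address(rec["target_ip"])
    except ValueError:
        return None
    # Requested host name from the service text, e.g. "CONNECT_ads.yahoo.com:443_HTTP/1.1"
    words = rec["text"].split("_")
    rec["host"] = words[1].rsplit(":", 1)[0] if len(words) > 1 else ""
    return rec

def summarize(log_text):
    """Per client IP: bytes in both directions, hosts reached, lines with a non-zero error code."""
    summary = defaultdict(lambda: {"bytes": 0, "hosts": set(), "errors": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        entry = summary[rec["client_ip"]]
        entry["bytes"] += rec["bytes_o"] + rec["bytes_i"]
        entry["hosts"].add(rec["host"])
        if rec["error"] != "00000":
            entry["errors"] += 1
    return dict(summary)
```

Calling summarize(SAMPLE_LOG) gives one entry for 192.168.23.10 with 8132 bytes and both hosts; on a transparent proxy this is the quickest way to see which client reached what.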

Configure and run the Transparent Proxy NAT configuration


In this configuration, all devices on the internal network will work on the Internet transparently through a remote proxy server. Absolutely all TCP connections will be redirected to one or several proxy servers (several really do widen the channel; see configuration example No. 2). DNS will use the 3proxy dnspr feature. UDP will not "go" outside, since we do not use the forwarding mechanism yet (it is disabled by default in the Linux kernel).

1. It’s time to enable the interface enp0s8

root@debian9:~# nano /etc/network/interfaces

/etc/network/interfaces file
# This file is the network interfaces available on your system
# and how to activate them. For more information, see interfaces (5).

source /etc/network/interfaces.d/*

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
allow-hotplug enp0s3
iface enp0s3 inet dhcp

# The secondary network interface
allow-hotplug enp0s8
iface enp0s8 inet static
address 192.168.201.254
netmask 255.255.255.0

Here we assigned the enp0s8 interface the static address 192.168.201.254 with the mask 255.255.255.0.
Save the config with Ctrl + X and reboot

root@debian9:~# reboot

2. Check the interfaces

root@debian9:~# ifconfig

ifconfig log
enp0s3: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.23.11  netmask 255.255.255.0  broadcast 192.168.23.255
        inet6 fe80::a00:27ff:fec2:bae4  prefixlen 64  scopeid 0x20<link>
        ether 08:00:27:c2:ba:e4  txqueuelen 1000  (Ethernet)
        RX packets 61  bytes 7873 (7.6 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 65  bytes 10917 (10.6 KiB)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0

enp0s8: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.201.254  netmask 255.255.255.0  broadcast 192.168.201.255
        inet6 fe80::a00:27ff:fe79:a7e3  prefixlen 64  scopeid 0x20<link>
        ether 08:00:27:79:a7:e3  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 8  bytes 648 (648.0 B)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1  (Local Loopback)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0

3. Everything worked; now 3proxy has to be configured for transparent proxying.

root@debian9:~# cd /home/joke/proxy/
root@debian9:/home/joke/proxy# cat > 3proxytransp.conf


Configuration example of transparent proxy server №1
daemon
pidfile /home/joke/proxy/3proxy.pid
nserver 8.8.8.8
nscache 65536
timeouts 1 5 30 60 180 1800 16 60
log /home/joke/proxy/logs/3proxy.log D
logformat "- +_L%t.%. %N.%p %E %U %C:%c %R:%r %O %I %h %T"
rotate 3
flush
auth iponly
dnspr
allow *
parent 1000 socks5 IP_ADDRESS_HEAD_PROXY 3128 tester 1234
plugin /opt/proxy/3proxy-0.8.12/src/TransparentPlugin.ld.so transparent_plugin
tcppm -i0.0.0.0 888 127.0.0.1 11111

4. Now start 3proxy with the new config
root@debian9:/home/joke/proxy# /usr/local/bin/3proxy /home/joke/proxy/3proxytransp.conf

5. Add the crontab entry again
root@debian9:/home/joke/proxy# crontab -e
@reboot /usr/local/bin/3proxy /home/joke/proxy/3proxytransp.conf


6. Let's see what our proxy listens on now.
root@debian9:~# netstat -nlp


netstat log
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      349/sshd
tcp        0      0 0.0.0.0:888             0.0.0.0:*               LISTEN      354/3proxy
tcp6       0      0 :::22                   :::*                    LISTEN      349/sshd
udp        0      0 0.0.0.0:53              0.0.0.0:*                           354/3proxy
udp        0      0 0.0.0.0:68              0.0.0.0:*                           367/dhclient

7. Now the proxy is ready to accept any TCP connection on port 888 and DNS queries on port 53, and to redirect them to the remote SOCKS5 proxy and to Google DNS 8.8.8.8. It remains to configure the netfilter (iptables) rules and a DHCP server to issue addresses.

8. Install the iptables-persistent and isc-dhcp-server packages

root@debian9:~# apt-get install iptables-persistent isc-dhcp-server

9. Edit the dhcpd configuration file
root@debian9:~# nano /etc/dhcp/dhcpd.conf

dhcpd.conf
# dhcpd.conf
#
# Sample configuration file for ISC dhcpd
#

# option definitions common to all supported networks ...
option domain-name "example.org";
option domain-name-servers ns1.example.org, ns2.example.org;

default-lease-time 600;
max-lease-time 7200;

ddns-update-style none;

# If this is the DHCP server for the local server
# network, the authoritative directive should be uncommented.

authoritative;

# A slightly different configuration for an internal subnet.
subnet 192.168.201.0 netmask 255.255.255.0 {
range 192.168.201.10 192.168.201.250;
option domain-name-servers 192.168.201.254;
option routers 192.168.201.254;
option broadcast-address 192.168.201.255;
default-lease-time 600;
max-lease-time 7200;
}

11. Reboot and check that the service listens on port 67
root@debian9:~# reboot
root@debian9:~# netstat -nlp


netstat log
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      389/sshd
tcp        0      0 0.0.0.0:888             0.0.0.0:*               LISTEN      310/3proxy
tcp6       0      0 :::22                   :::*                    LISTEN      389/sshd
udp        0      0 0.0.0.0:20364           0.0.0.0:*                           393/dhcpd
udp        0      0 0.0.0.0:53              0.0.0.0:*                           310/3proxy
udp        0      0 0.0.0.0:67              0.0.0.0:*                           393/dhcpd
udp        0      0 0.0.0.0:68              0.0.0.0:*                           405/dhclient
udp6       0      0 :::31728                :::*                                393/dhcpd
raw        0      0 0.0.0.0:1               0.0.0.0:*                           393/dhcpd


12. It remains to redirect all TCP requests to port 888 and save the rule in iptables

root@debian9:~# iptables -t nat -A PREROUTING -s 192.168.201.0/24 -p tcp -j REDIRECT --to-ports 888

root@debian9:~# iptables-save > /etc/iptables/rules.v4

13. To widen the channel, you can use several proxy servers at once. The weights must add up to 1000. New connections are established to the listed proxy servers with probabilities 0.2, 0.2, 0.2, 0.2, 0.1 and 0.1 respectively.

Note: for a web proxy, write connect instead of socks5; for a socks4 proxy, write socks4 (socks4 DOES NOT SUPPORT LOGIN/PASSWORD AUTHORIZATION!)

Configuration example of transparent proxy server №2
daemon
pidfile /home/joke/proxy/3proxy.pid
nserver 8.8.8.8
nscache 65536
maxconn 500
timeouts 1 5 30 60 180 1800 16 60
log /home/joke/proxy/logs/3proxy.log D
logformat "- +_L%t.%. %N.%p %E %U %C:%c %R:%r %O %I %h %T"
rotate 3
flush
auth iponly
dnspr
allow *

parent 200 socks5 IP_ADDRESS_NEW_PROXY№1 3128 tester 1234
parent 200 socks5 IP_ADDRESS_NEW_PROXY№2 3128 tester 1234
parent 200 socks5 IP_ADDRESS_NEW_PROXY№3 3128 tester 1234
parent 200 socks5 IP_ADDRESS_NEW_PROXY№4 3128 tester 1234
parent 100 socks5 IP_ADDRESS_NEW_PROXY№5 3128 tester 1234
parent 100 socks5 IP_ADDRESS_NEW_PROXY№6 3128 tester 1234

plugin /opt/proxy/3proxy-0.8.12/src/TransparentPlugin.ld.so transparent_plugin
tcppm -i0.0.0.0 888 127.0.0.1 11111
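A small checker for the two rules stated in step 13, added here as an example (it is not part of the article or of 3proxy): it reads the parent lines of a config, verifies that the weights add up to 1000 and flags a socks4 parent that has been given a login and password. The sample config is a constructed copy of example No. 2 with the placeholders replaced by RFC 5737 documentation addresses and one deliberate mistake on the socks4 line.

```python
import re

# Constructed sample: the parent section of configuration example No. 2 with
# documentation addresses instead of the IP_ADDRESS_NEW_PROXY placeholders
# and a deliberate error: the socks4 parent is given a login/password.
SAMPLE_CONF = """\
auth iponly
dnspr
allow *
parent 200 socks5 192.0.2.11 3128 tester 1234
parent 200 socks5 192.0.2.12 3128 tester 1234
parent 200 connect 192.0.2.13 8080 tester 1234
parent 200 socks5 192.0.2.14 3128 tester 1234
parent 100 socks4 192.0.2.15 1080 tester 1234
parent 100 socks5 192.0.2.16 3128 tester 1234
plugin /opt/proxy/3proxy-0.8.12/src/TransparentPlugin.ld.so transparent_plugin
tcppm -i0.0.0.0 888 127.0.0.1 11111
"""

# parent <weight> <type> <ip> <port> [username] [password]
PARENT_RE = re.compile(
    r"^parent\s+(\d+)\s+(\S+)\s+(\S+)\s+(\d+)(?:\s+(\S+))?(?:\s+(\S+))?$")

# Parent types the article talks about; anything else is reported for review.
KNOWN_TYPES = {"connect", "socks4", "socks5"}

def check_parents(conf_text):
    """Return (sum of weights, list of problems) for the parent lines of a config."""
    total, problems = 0, []
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        m = PARENT_RE.match(line.strip())
        if not m:
            continue
        weight, kind, host, port, user, _password = m.groups()
        total += int(weight)
        if kind not in KNOWN_TYPES:
            problems.append(f"line {lineno}: parent type '{kind}' not covered here, check it")
        if kind == "socks4" and user:
            problems.append(f"line {lineno}: socks4 parent {host}:{port} has a login/password, "
                            "which socks4 cannot send")
    if total != 1000:
        problems.append(f"parent weights add up to {total}, expected 1000")
    return total, problems
```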

Configuring and running the NAT + Transparent Proxy configuration


In this configuration, we use the usual NAT mechanism together with selective or full transparent proxying of individual addresses or subnets. Users of the internal network will work with certain services or subnets without even knowing that they go through a proxy. All HTTPS connections work fine; no certificates need to be generated or replaced.

To begin with, let's decide which subnets and services we want to proxy. Suppose the external proxy servers are located where a service such as pandora.com is available. It now remains to determine its subnets and addresses.

1. Ping it

root@debian9:~# ping pandora.com
PING pandora.com (208.85.40.20) 56(84) bytes of data.

2. Search Google for "BGP 208.85.40.20"

Go to the website bgp.he.net/net/208.85.40.0/24#_netinfo
It can be seen that the subnet we are looking up belongs to AS40428 Pandora Media, Inc.

bgp.he.net/net/208.85.40.0/24#_netinfo

Open the v4 prefixes

bgp.he.net/AS40428#_prefixes

Here are the required subnets!

199.116.161.0/24
199.116.162.0/24
199.116.164.0/23
199.116.164.0/24
199.116.165.0/24
208.85.40.0/24
208.85.41.0/24
208.85.42.0/23
208.85.42.0/24
208.85.43.0/24
208.85.44.0/24
208.85.46.0/23
208.85.46.0/24
208.85.47.0/24

3. To reduce the number of subnets, aggregate them. Go to the site ip-calculator.ru/aggregate and paste our list there. The result is 6 subnets instead of 14.

199.116.161.0/24
199.116.162.0/24
199.116.164.0/23
208.85.40.0/22
208.85.44.0/24
208.85.46.0/23
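The aggregation from step 3 done locally, as an added example that is not part of the article: it collapses the 14 prefixes listed above with the standard library, renders the REDIRECT rule used in step 5 and the "network netmask gateway" lines for the router section, and answers whether a given TCP packet would be caught by that rule. The gateway address and the source subnet are the ones used later in the text.

```python
import ipaddress

# The 14 prefixes announced by AS40428, as listed above.
RAW_PREFIXES = """
199.116.161.0/24 199.116.162.0/24 199.116.164.0/23 199.116.164.0/24
199.116.165.0/24 208.85.40.0/24 208.85.41.0/24 208.85.42.0/23
208.85.42.0/24 208.85.43.0/24 208.85.44.0/24 208.85.46.0/23
208.85.46.0/24 208.85.47.0/24
""".split()

def aggregate(prefixes):
    """Merge nested and adjacent networks (what the online calculator does);
    strict=True rejects a prefix whose host bits are not zero."""
    nets = [ipaddress.ip_network(p, strict=True) for p in prefixes]
    return list(ipaddress.collapse_addresses(nets))

def iptables_rule(nets, source="192.168.201.0/24", port=888):
    """Render the PREROUTING REDIRECT rule from step 5. iptables expands a
    comma-separated -d list into one rule per destination network."""
    dests = ",".join(str(n) for n in nets)
    return (f"iptables -t nat -A PREROUTING -s {source} -d {dests} "
            f"-p tcp -j REDIRECT --to-ports {port}")

def router_routes(nets, gateway="192.168.23.2"):
    """Static routes for the router in 'network netmask gateway' form."""
    return [f"{n.network_address} {n.netmask} {gateway}" for n in nets]

def is_redirected(nets, src, dst, source="192.168.201.0/24"):
    """Would a TCP packet src -> dst match the rule (source AND any destination)?"""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return s in ipaddress.ip_network(source) and any(d in n for n in nets)

if __name__ == "__main__":
    nets = aggregate(RAW_PREFIXES)
    print(len(nets), "aggregated prefixes")
    print(iptables_rule(nets))
    print("\n".join(router_routes(nets)))
```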

4. Clear iptables rules

root@debian9:~# iptables -F
root@debian9:~# iptables -X
root@debian9:~# iptables -t nat -F
root@debian9:~# iptables -t nat -X


Enable forwarding and NAT

root@debian9:~# echo 1 > /proc/sys/net/ipv4/ip_forward
root@debian9:~# iptables -A FORWARD -i enp0s3 -o enp0s8 -j ACCEPT
root@debian9:~# iptables -A FORWARD -i enp0s8 -o enp0s3 -j ACCEPT
root@debian9:~# iptables -t nat -A POSTROUTING -o enp0s3 -s 192.168.201.0/24 -j MASQUERADE


To keep forwarding enabled across reboots, edit the file

root@debian9:~# nano /etc/sysctl.conf

And uncomment the line

net.ipv4.ip_forward = 1

Ctrl + X to save the file

5. Redirect the pandora.com subnets to the proxy

root@debian9:~# iptables -t nat -A PREROUTING -s 192.168.201.0/24 -d 199.116.161.0/24,199.116.162.0/24,199.116.164.0/23,208.85.40.0/22,208.85.44.0/24,208.85.46.0/23 -p tcp -j REDIRECT --to-ports 888

6. Save the rules

root@debian9:~# iptables-save > /etc/iptables/rules.v4

Setting up and running the configuration Transparent Proxy via router


In this configuration, the transparent proxy server can be a separate PC or a virtual machine behind a home or corporate router. It is enough to add static routes on the router or on the devices, and the entire subnet will use the proxy without any additional settings.

IMPORTANT! Our gateway must receive a static IP from the router, or be configured with a static one itself.

1. Set up a static gateway address (adapter enp0s3)

root@debian9:~# nano /etc/network/interfaces

/etc/network/interfaces file
# This file is the network interfaces available on your system
# and how to activate them. For more information, see interfaces (5).

source /etc/network/interfaces.d/*

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
allow-hotplug enp0s3
iface enp0s3 inet static
address 192.168.23.2
netmask 255.255.255.0
gateway 192.168.23.254

# The secondary network interface
allow-hotplug enp0s8
iface enp0s8 inet static
address 192.168.201.254
netmask 255.255.255.0

2. Allow devices from subnet 192.168.23.0/24 to use proxying.

root@debian9:~# iptables -t nat -A PREROUTING -s 192.168.23.0/24 -d 199.116.161.0/24,199.116.162.0/24,199.116.164.0/23,208.85.40.0/22,208.85.44.0/24,208.85.46.0/23 -p tcp -j REDIRECT --to-ports 888

3. Save the rules
root@debian9:~# iptables-save > /etc/iptables/rules.v4

4. Add the subnets as static routes on the router

Router network list
199.116.161.0 255.255.255.0 192.168.23.2
199.116.162.0 255.255.255.0 192.168.23.2
199.116.164.0 255.255.254.0 192.168.23.2
208.85.40.0 255.255.252.0 192.168.23.2
208.85.44.0 255.255.255.0 192.168.23.2
208.85.46.0 255.255.254.0 192.168.23.2

References

1. The official 3proxy website: 3proxy.ru

2. Instructions for installing 3proxy from source: www.ekzorchik.ru/2015/02/how-to-take-your-socks-proxy

3. The 3proxy developer's issue tracker on GitHub: github.com/z3APA3A/3proxy/issues/274

Source: https://habr.com/ru/post/460469/
