[plug] plug Digest, Vol 147, Issue 7

Brad Campbell brad at fnarfbargle.com
Mon Aug 29 08:54:25 AWST 2016


On 27/08/16 12:54, Brett Stephens wrote:

>>
>> Message: 1
>> Date: Thu, 25 Aug 2016 16:00:00 +0300
>> From: Brett Stephens <fhht15687 at yandex.com>
>> To: "plug at plug.org.au" <plug at plug.org.au>
>> Subject: [plug] raspberry pi transparent proxy problem iptables
>>         redirect (plaintext)
>> Message-ID: <741311472114689 at web9h.yandex.ru>
>> Content-Type: text/plain
>>
>> Hi,
>>
>> So I'm building a transparent raspberry pi proxy using privoxy (socks5), tor and openwrt.
>>
>> Have got it working but none of the iptables redirect rules are working. I know this isn't a new problem, but none of the example solutions online are working.
>>
>> The idea is someone connects to wifi and the connection gets rerouted to tor without the clients setting up proxies manually or using proxy scripts.
>>
>> I also have multiple interfaces (subnets) on openwrt which might or might not complicate things.
>>
>> Client machine:
>> interface: wlan0-1
>> ip: 192.168.9.168
>>
>> raspberry pi proxy server
>> interface: br-lan
>> ip: 192.168.1.105
>> privoxy port: 8118
>>
>> wireless router openwrt
>>
>> iptables rules which aren't working:
>>
>> iptables -t nat -A PREROUTING -i wlan0-1 -s ! 192.168.1.105 -p tcp --dport 80 -j DNAT --to 192.168.1.105:8118
>> iptables -t nat -A PREROUTING -i wlan0-1 -s ! 192.168.1.105 -p tcp --dport 443 -j DNAT --to 192.168.1.105:8118
>> iptables -t nat -A POSTROUTING -o wlan0-1 -s 192.168.9.0/24 -d 192.168.1.55 -j SNAT --to 192.168.9.1
>> iptables -A FORWARD -s 192.168.9.1/24 -d 192.168.1.55 -i wlan0-1 -o wlan0-1 -p tcp --dport 8118 -j ACCEPT
>>
>> They're basically rewritten from: http://www.tldp.org/HOWTO/TransparentProxy-6.html
>>
>> The setup works if I manually set up socks5 proxies to 192.168.1.105:8118 but the automatic redirects don't work.
>>
>> Also I've edited the privoxy config file to allow intercepted connections '1'.
>>
>> Any help would be appreciated.
>>
>> ------------------------------
>>
>> Message: 2
>> Date: Thu, 25 Aug 2016 21:32:11 +0800
>> From: Brad Campbell <brad at fnarfbargle.com>
>> To: plug at plug.org.au
>> Subject: Re: [plug] raspberry pi transparent proxy problem iptables
>>         redirect (plaintext)
>> Message-ID: <529d647e-6f8d-8dcf-d5f9-54e4771f0f63 at fnarfbargle.com>
>> Content-Type: text/plain; charset=windows-1252; format=flowed
>>
>> On 25/08/16 21:00, Brett Stephens wrote:
>>>  Hi,
>>>
>>>  So I'm building a transparent raspberry pi proxy using privoxy (socks5), tor and openwrt.
>>>
>>>  Have got it working but none of the iptables redirect rules are working. I know this isn't a new problem, but none of the example solutions online are working.
>>>
>>>  The idea is someone connects to wifi and the connection gets rerouted to tor without the clients setting up proxies manually or using proxy scripts.
>>>
>>>  I also have multiple interfaces (subnets) on openwrt which might or might not complicate things.
>>>
>>>  Client machine:
>>>  interface: wlan0-1
>>>  ip: 192.168.9.168
>>>
>>>  raspberry pi proxy server
>>>  interface: br-lan
>>>  ip: 192.168.1.105
>>>  privoxy port: 8118
>>>
>>>  wireless router openwrt
>>>
>>>  iptables rules which aren't working:
>>
>> Is your default gateway 192.168.1.105 for your clients?
>
> Without the proxy the default gateway is just 192.168.9.1 for clients.
>
> But the default gateway for the raspberry pi proxy is 192.168.1.1
>
> 192.168.9.1 points to the same device as 192.168.1.1 (an openwrt router).
>
> I hope that makes sense.

Only in the vaguest meaning of the word.

You probably need to give us some real detail on how this is all 
configured. It's not clear from your description what goes where and how 
you expect the packets to flow.

I *assume* your router and all your clients are on 192.168.9.x and your 
router serves dhcp to the clients. Your client default gateway is 
192.168.9.1 and your router has another interface that it routes 
outbound traffic through that is not wlan0-1.

If you're not getting a DNAT then either you have other firewall rules 
that are being matched before they get to the DNAT section or the 
inbound packets are not actually being routed like you think they are. 
Have you tried watching the requests with tcpdump on the router so you 
can verify they are actually framed like you think they should be?

Without a complete picture I'm kinda in the dark about what you actually 
expect to happen.
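The first thing Brad suggests checking, whether some other rule is matched before the DNAT rule is ever reached, can be read straight off the packet counters of the nat PREROUTING chain (`iptables -t nat -L PREROUTING -v -n -x`). The script below is an added example, not code from this thread or from the OpenWrt or privoxy projects: it parses that counter output, lists DNAT rules that have never matched, and names the earlier rules on the same ingress interface that did see traffic, which is where a jump into a firewall-generated chain can issue a verdict before an appended rule gets its turn. The sample output is constructed for the example; the chain names in it are illustrative, not taken from the poster's router.

```python
"""Read `iptables -t nat -L PREROUTING -v -n -x` output and report which rules
actually match packets.  Added example; not from the mailing-list thread."""
import re

# Constructed sample output (NOT captured from the poster's router).  The two
# jump rules at the top stand in for chains a router firewall populates on its
# own; the DNAT rules appended with -A land after them and show zero hits.
# Remember that the nat table only sees the first packet of each connection,
# so these counters count new connections, not every packet.
SAMPLE = """\
Chain PREROUTING (policy ACCEPT 4821 packets, 310442 bytes)
    pkts      bytes target     prot opt in     out     source               destination
    4821   310442 delegate_prerouting  all  --  *      *       0.0.0.0/0            0.0.0.0/0
     317    19020 zone_wlan_prerouting  all  --  wlan0-1 *       0.0.0.0/0            0.0.0.0/0
       0        0 DNAT       tcp  --  wlan0-1 *      !192.168.1.105        0.0.0.0/0            tcp dpt:80 to:192.168.1.105:8118
       0        0 DNAT       tcp  --  wlan0-1 *      !192.168.1.105        0.0.0.0/0            tcp dpt:443 to:192.168.1.105:8118
"""

# Column layout of `-L -v -n -x`: pkts bytes target prot opt in out src dst [extras]
RULE_RE = re.compile(
    r"^\s*(?P<pkts>\d+)\s+(?P<bytes>\d+)\s+(?P<target>\S+)\s+(?P<prot>\S+)\s+"
    r"(?P<opt>\S+)\s+(?P<in>\S+)\s+(?P<out>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)"
    r"(?P<extra>.*)$"
)


def parse_chain(text):
    """Return the rules of one chain, in chain order, as dicts.

    Lines that do not start with two counters (the 'Chain ...' header and the
    column header) are skipped.  'index' is the 1-based rule number iptables
    itself uses with -D / -I."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        rule = m.groupdict()
        rule["pkts"] = int(rule["pkts"])
        rule["bytes"] = int(rule["bytes"])
        rule["extra"] = rule["extra"].strip()
        rule["index"] = len(rules) + 1
        rules.append(rule)
    return rules


def idle_rules(rules, target="DNAT"):
    """Rules with the given target that have never matched a connection."""
    return [r for r in rules if r["target"] == target and r["pkts"] == 0]


def shadowing_candidates(rules, rule):
    """Earlier rules in the chain that saw traffic on the same ingress
    interface as `rule` (or on any interface).  If one of them jumps to a
    chain that issues a nat verdict, `rule` is never evaluated."""
    return [
        r for r in rules
        if r["index"] < rule["index"]
        and r["pkts"] > 0
        and r["in"] in ("*", rule["in"])
    ]


def diagnose(text):
    """Human-readable findings for one chain dump."""
    rules = parse_chain(text)
    findings = []
    for r in idle_rules(rules):
        ahead = shadowing_candidates(rules, r)
        names = ", ".join(f"#{a['index']} {a['target']}" for a in ahead) or "none"
        findings.append(
            f"rule #{r['index']} ({r['prot']} {r['extra']}) has 0 hits; "
            f"earlier rules with traffic on {r['in']}: {names}"
        )
    return findings


if __name__ == "__main__":
    for line in diagnose(SAMPLE):
        print(line)
```

A zero counter on the DNAT rule while the jump rules above it are busy tells you the packets never reach it, which is a different problem from packets not arriving on wlan0-1 at all; the tcpdump check Brad mentions separates those two cases.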
