
I have an HTTP proxy and I can use it for all protocols (tried and tested). I want to use it transparently from my DD-WRT router with IPtables, while excluding the local network (192.168.1.0/24).

What are the iptables rules that will do this for me on the router?

  • Well, for local network traffic it shouldn't be getting routed by the DD-WRT in the first place - couldn't you just proxy everything? – Shane Madden Oct 18 '15 at 17:21
  • I could. Point is, I haven't found a way to proxy all protocols over an HTTP proxy with IPtables yet. – Hameer Abbasi Oct 18 '15 at 21:34
  • By "all protocols", do you mean HTTPS? Because of the SSL spoofing required to transparently spoof HTTPS traffic, simple iptables proxying isn't enough; you need to have something that's generating the spoofed certificates. – Shane Madden Oct 19 '15 at 00:48

1 Answer

1

Sites are increasingly using Certificate Pinning mechanisms which can break HTTPS access when using a Man-In-The-Middle proxy. Transparent proxies never worked well with HTTPS, and are becoming increasingly broken. You can block traffic on port 443 except from the proxy. This will prevent unproxied requests. It is possible to use iptables to redirect unencrypted (HTTP) requests to a transparent proxy.

I would suggest publishing a "wpad.dat" file directing Internet bound traffic to your proxy. Many clients use automatic proxy discovery. This will enable clients to connect to the proxy using non-transparent mechanisms, which will allow HTTPS connections.

– BillThor
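The wpad.dat the answer recommends is a PAC script that browsers fetch through automatic proxy discovery. The following shell script, added here as an example and not part of the answer, writes such a file and prints the dnsmasq line that advertises it to DHCP clients. The LAN 192.168.1.0/24 comes from the question; the proxy address 192.168.1.2:3128 and the URL http://192.168.1.1/wpad.dat are assumed placeholders. The PAC keeps local destinations DIRECT and sends everything else to the proxy without a DIRECT fallback, so a client cannot silently bypass the proxy when it is down.

```shell
#!/bin/sh
# Added example (not from the question or the answer): emit a wpad.dat (PAC)
# file and the matching dnsmasq DHCP option for a DD-WRT router.
# Assumptions: proxy at 192.168.1.2:3128 and the PAC served from the router's
# own web server at http://192.168.1.1/wpad.dat. Only 192.168.1.0/24 comes
# from the question.

LAN_NET="192.168.1.0"                   # from the question
LAN_MASK="255.255.255.0"                # /24 written as a PAC netmask
PROXY="192.168.1.2:3128"                # assumption: the HTTP proxy
WPAD_URL="http://192.168.1.1/wpad.dat"  # assumption: router-hosted URL

# Emit the PAC script. Browsers call FindProxyForURL(url, host) per request:
# plain hostnames, loopback and LAN addresses go DIRECT; everything
# Internet-bound is sent to the proxy (HTTPS then uses CONNECT, which is what
# a transparent iptables redirect cannot provide). No "; DIRECT" fallback is
# appended, so a dead proxy fails closed instead of leaking traffic.
make_pac() {
  cat <<EOF
function FindProxyForURL(url, host) {
    // Unqualified names and loopback stay local.
    if (isPlainHostName(host) || host == "localhost" || host == "127.0.0.1")
        return "DIRECT";
    // Destinations inside the LAN ($LAN_NET/$LAN_MASK) bypass the proxy.
    if (isInNet(host, "$LAN_NET", "$LAN_MASK"))
        return "DIRECT";
    // Everything else goes through the proxy; no DIRECT fallback.
    return "PROXY $PROXY";
}
EOF
}

# dnsmasq DHCP option 252 carries the WPAD URL to clients. On DD-WRT this
# single line goes into the "Additional DNSMasq Options" field.
dnsmasq_wpad_option() {
  printf 'dhcp-option=252,"%s"\n' "$WPAD_URL"
}

# Write the file when invoked as: sh make-wpad.sh /path/to/wpad.dat
if [ -n "${1:-}" ]; then
  make_pac > "$1"
  dnsmasq_wpad_option
fi
```

Clients that honour WPAD will also look for http://wpad.<domain>/wpad.dat via DNS, so either the DHCP option above or a `wpad` host record in dnsmasq is needed; serve the file with the `application/x-ns-proxy-autoconfig` content type.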
  • My basic purpose in doing this is to proxy those apps which don't support it _at all_. I've seen that this proxy supports SSL tunnelling (HexChat with an SSL IRC server and Firefox with HTTPS servers work fine). I know it can be done transparently with IPTables indirectly, see [ProxyDroid](https://github.com/madeye/proxydroid) and [TransProxy](http://transproxy.sourceforge.net/). – Hameer Abbasi Oct 20 '15 at 12:52
  • @HameerAbbasi None of those solutions will transparently proxy HTTPS. A couple can transparently proxy HTTP. Part of the reason to use HTTPS is to avoid transparent proxies which are often used for Man in the Middle attacks. – BillThor Oct 21 '15 at 00:17
  • Weird thing is, ProxyDroid (which uses TransProxy) works with HTTPS. I'm not talking about breaking SSL, just about encapsulating and de-encapsulating it. – Hameer Abbasi Oct 21 '15 at 08:31
  • @HameerAbbasi You can forward HTTPS to a tunnel server using IPTables. This appears one of the solutions ProxyDroid offers, but it is not a transparent proxy. It also offers other solutions including a proxy which is transparent for HTTP and offers CONNECT to HTTPS. – BillThor Oct 23 '15 at 00:32
  • CONNECT seems to be what I want. Feel free to edit my question to say that. – Hameer Abbasi Oct 24 '15 at 12:31
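The rules the question asks for, covering both parts of the answer (redirect plain HTTP to a transparent proxy, block port 443 except from the proxy host) while leaving 192.168.1.0/24 traffic alone, as an added example that is not from the question, the answer or DD-WRT itself. The LAN interface name `br0`, the proxy host 192.168.1.2 and its intercept port 3128 are assumptions; the proxy must listen in transparent/intercept mode for redirected HTTP, because a forward-proxy listener expects absolute URLs. HTTPS is deliberately not redirected: as the comment thread concludes, HTTPS reaches the proxy through CONNECT, which the PAC/WPAD route provides, so the filter rule simply refuses direct 443 from anything but the proxy host.

```shell
#!/bin/sh
# Added example (not from the question or the answer): iptables rules for a
# DD-WRT router. Assumptions, labelled: LAN interface br0, proxy on LAN host
# 192.168.1.2 listening in intercept mode on 3128. Only 192.168.1.0/24 is
# from the question. Set IPT=echo to print the rules instead of applying them.

LAN_NET="192.168.1.0/24"   # from the question: never rewrite LAN-to-LAN
LAN_IF="br0"               # assumption: DD-WRT's bridged LAN interface
PROXY_IP="192.168.1.2"     # assumption: host running the HTTP proxy
PROXY_PORT="3128"          # assumption: the proxy's intercept listener
IPT="${IPT:-iptables}"

# (Re)create a chain, flushing it if it already exists, so the script can be
# re-run from DD-WRT's saved firewall script without duplicating rules.
fresh_chain() {
  table="$1"; chain="$2"
  $IPT -t "$table" -N "$chain" 2>/dev/null || true
  $IPT -t "$table" -F "$chain"
}

apply_rules() {
  # --- nat: intercept plain HTTP from the LAN ------------------------------
  fresh_chain nat TPROXY_HTTP
  # Local network traffic is excluded (the question's requirement).
  $IPT -t nat -A TPROXY_HTTP -d "$LAN_NET" -j RETURN
  # The proxy's own outbound fetches must not be looped back into it.
  $IPT -t nat -A TPROXY_HTTP -s "$PROXY_IP" -j RETURN
  # Everything else on port 80 is sent to the proxy's intercept port.
  $IPT -t nat -A TPROXY_HTTP -p tcp --dport 80 -j DNAT --to-destination "$PROXY_IP:$PROXY_PORT"
  # Hook the chain in for traffic arriving from the LAN only (delete first
  # so re-running the script does not stack duplicate jumps).
  $IPT -t nat -D PREROUTING -i "$LAN_IF" -p tcp --dport 80 -j TPROXY_HTTP 2>/dev/null || true
  $IPT -t nat -A PREROUTING -i "$LAN_IF" -p tcp --dport 80 -j TPROXY_HTTP
  # The proxy host shares the clients' subnet, so without this its replies
  # would go straight back to the client, which then sees a RST from the
  # proxy's address instead of the server it asked for. Masquerading the
  # redirected flow forces the reply back through the router. It also hides
  # client addresses in the proxy's log; narrow it with
  # "-m conntrack --ctstate DNAT" if the DD-WRT build has that match.
  $IPT -t nat -D POSTROUTING -o "$LAN_IF" -p tcp -d "$PROXY_IP" --dport "$PROXY_PORT" -j MASQUERADE 2>/dev/null || true
  $IPT -t nat -A POSTROUTING -o "$LAN_IF" -p tcp -d "$PROXY_IP" --dport "$PROXY_PORT" -j MASQUERADE

  # --- filter: no direct HTTPS except from the proxy host ------------------
  fresh_chain filter BLOCK_HTTPS
  $IPT -t filter -A BLOCK_HTTPS -d "$LAN_NET" -j RETURN
  $IPT -t filter -A BLOCK_HTTPS -s "$PROXY_IP" -j RETURN
  # A TCP reset fails fast; a silent DROP leaves clients hanging on SYN.
  $IPT -t filter -A BLOCK_HTTPS -p tcp --dport 443 -j REJECT --reject-with tcp-reset
  $IPT -t filter -D FORWARD -i "$LAN_IF" -p tcp --dport 443 -j BLOCK_HTTPS 2>/dev/null || true
  $IPT -t filter -I FORWARD 1 -i "$LAN_IF" -p tcp --dport 443 -j BLOCK_HTTPS
}

# Apply only when asked (sh proxy-rules.sh apply), so sourcing the file or
# running it without root is harmless.
case "${1:-}" in
  apply) apply_rules ;;
esac
```

On DD-WRT the `apply` invocation belongs in Administration, Commands, "Save Firewall", which runs after the stock rules on every boot; check the result with `iptables -t nat -L PREROUTING -n -v` and `iptables -L FORWARD -n -v` and watch the BLOCK_HTTPS counters climb for a LAN host that tries port 443 directly.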