I'm running a local tinyproxy, and I want to use iptables to direct all http traffic to it:
sudo iptables -t nat -I PREROUTING -p tcp --dport 80 -m comment --comment "transparent http proxy" -s 172.16.1.0/24 -j DNAT --to-destination 172.16.1.1:8888
I got this command from this 2-minute video:
https://youtu.be/lPlWmglC5qU
But since I'm running tinyproxy locally, I'm changing it to:
sudo iptables -t nat -I PREROUTING -p tcp --dport 80 -m comment --comment "transparent http proxy" -s 127.0.0.1 -j DNAT --to-destination 127.0.0.1:8888
But it won't work. Is there anything wrong with it?
Note: tinyproxy works okay when I add a [127.0.0.1:8888] proxy to my browser (Firefox). So tinyproxy definitely works.
Last edited by light9876 (2021-10-16 19:05:58)
sudo iptables -t nat -I PREROUTING -p tcp --dport 80 -m comment --comment "transparent http proxy" -s 127.0.0.1 -j DNAT --to-destination 127.0.0.1:8888
The packets won't have a source address of 127.0.0.1, they will have a source address of one of your routable IP addresses on your host. Remove the -s argument.
Are you familiar with our Forum Rules, and How To Ask Questions The Smart Way?
BlueHackers // fscanary // resticctl
sudo iptables -t nat -I PREROUTING -p tcp --dport 80 -m comment --comment "transparent http proxy" -j DNAT --to-destination 127.0.0.1:8888
I did, but it still won't do it.
Oops, it won't be hitting the PREROUTING chain either. You need it in the OUTPUT chain of the nat table.
Refer to this image that explains what packets go through with chains and tables: https://www.booleanworld.com/wp-content … iagram.png
sudo iptables -t nat -I OUTPUT -p tcp --dport 80 -m comment --comment "transparent http proxy" -j DNAT --to-destination 127.0.0.1:8888
Thank you but this blocks access to all http sites, including whitelisted ones on tinyproxy.
I wonder why it works in the PREROUTING chain in the video..
That suggests to me that the packets are being redirected properly now - perhaps the tinyproxy logs can shed some light on the problem. I've never used it, but my best guess is that it doesn't like receiving packets to 127.0.0.1 with a source address of 192.168.x.x (or whatever your machine's routable IP address is).
Just for clarity, can you post the output of iptables-save so we can look it over, please?
I wonder why it works in the PREROUTING chain in the video..
Because PREROUTING is for packets passing through the host, not packets created by the host.
I'm going home now, so I won't be able to reply until tomorrow, sorry.
It's okay, thank you for your effort.
This is the output of iptables-save; these configurations are from another video by the same person:
*nat
:PREROUTING ACCEPT [80:5380]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [445:29380]
:POSTROUTING ACCEPT [427:26871]
-A OUTPUT -p tcp -m tcp --dport 80 -m comment --comment "transparent http proxy" -j DNAT --to-destination 127.0.0.1:8888
COMMIT
*filter
:INPUT DROP [73:4990]
:FORWARD DROP [0:0]
:OUTPUT DROP [441:27524]
-A INPUT -i lo -m comment --comment loopback -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment conntrack -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -m comment --comment PING -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m comment --comment SSH -j ACCEPT
-A OUTPUT -o lo -m comment --comment loopback -j ACCEPT
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment conntrack -j ACCEPT
-A OUTPUT -p icmp -m icmp --icmp-type 8 -m comment --comment PING -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 22 -m comment --comment SSH -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -m comment --comment HTTP -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 443 -m comment --comment HTTPS -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 53 -m comment --comment "DNS/TCP" -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -m comment --comment "DNS/UDP" -j ACCEPT
-A OUTPUT -p udp -m udp --dport 123 -m comment --comment NTP -j ACCEPT
COMMIT
Last edited by light9876 (2020-04-23 07:46:46)
I'm trying to filter all TCP (http & https) connections using a whitelist.
First I started with tinyproxy, but I discovered today that it cannot filter https. So I moved to Squid. I'm having problems with it, so I just created another issue:
https://bbs.archlinux.org/viewtopic.php … 9#p1900369
I'm still a beginner in this so please excuse me.
Last edited by light9876 (2020-04-23 19:49:51)
Is there a way I can disable internet access to my browser if it does not use the 128.0.0.1:8888 proxy? I think this would solve my problem.
Last edited by light9876 (2020-04-24 07:56:20)
Is there a way I can disable internet access to my browser if it does not use the 128.0.0.1:8888 proxy? I think this would solve my problem.
iptables -I OUTPUT -p tcp -m owner ! --uid-owner UID_OF_TINYPROXY -m multiport --dports http,https -j REJECT
You'll need to find the user/UID that the tinyproxy process is running under and substitute it appropriately above. Also, depending on your shell, you'll need to escape the exclamation mark (\!).
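An added example (not code from the thread or from tinyproxy) that ties together the iptables-save dump posted above and the owner-based REJECT rule from the last reply: it parses iptables-save output into tables and chains and audits it for the points raised in the thread. The redirect must sit in the nat OUTPUT chain because host-generated packets never enter PREROUTING; loopback must be accepted in the filter table so redirected packets reach the proxy; and an owner-based REJECT in filter OUTPUT is what stops the browser from bypassing the proxy. One check is my own caveat rather than something the thread states: without `-m owner ! --uid-owner` on the DNAT rule, the proxy's own upstream port-80 connections are also locally generated and get redirected back to the proxy. The two dumps are constructed samples (the first is the posted one, trimmed), and the proxy port 8888 and UID 1001 are assumptions.

```python
"""Audit an iptables-save dump for a host-local transparent HTTP proxy (added example)."""

# Constructed sample 1: the nat/filter tables as posted in the thread, trimmed.
POSTED_DUMP = """\
*nat
:PREROUTING ACCEPT [80:5380]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [445:29380]
:POSTROUTING ACCEPT [427:26871]
-A OUTPUT -p tcp -m tcp --dport 80 -m comment --comment "transparent http proxy" -j DNAT --to-destination 127.0.0.1:8888
COMMIT
*filter
:INPUT DROP [73:4990]
:FORWARD DROP [0:0]
:OUTPUT DROP [441:27524]
-A INPUT -i lo -m comment --comment loopback -j ACCEPT
-A OUTPUT -o lo -m comment --comment loopback -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -m comment --comment HTTP -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 443 -m comment --comment HTTPS -j ACCEPT
COMMIT
"""

# Constructed sample 2: the same host after applying the thread's advice, plus an
# owner exclusion on the redirect. UID 1001 for tinyproxy is an assumption.
FIXED_DUMP = """\
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A OUTPUT -p tcp -m tcp --dport 80 -m owner ! --uid-owner 1001 -m comment --comment "transparent http proxy" -j DNAT --to-destination 127.0.0.1:8888
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -m comment --comment loopback -j ACCEPT
-A OUTPUT -o lo -m comment --comment loopback -j ACCEPT
-A OUTPUT -p tcp -m owner ! --uid-owner 1001 -m multiport --dports 80,443 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -p tcp -m tcp --dport 80 -m comment --comment HTTP -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 443 -m comment --comment HTTPS -j ACCEPT
COMMIT
"""


def parse_iptables_save(text):
    """Return {table: {chain: [rule, ...]}} from iptables-save output."""
    tables, table = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith("*"):        # table header, e.g. "*nat"
            table = line[1:]
            tables[table] = {}
        elif line.startswith(":"):      # chain policy line, e.g. ":OUTPUT DROP [0:0]"
            tables[table].setdefault(line[1:].split()[0], [])
        elif line.startswith("-A "):    # appended rule; the chain is the second token
            tables[table].setdefault(line.split()[1], []).append(line)
    return tables


def audit_transparent_proxy(text, proxy_port=8888):
    """Return a list of (code, message) findings; an empty list means nothing was flagged."""
    t = parse_iptables_save(text)
    nat, filt = t.get("nat", {}), t.get("filter", {})
    findings = []

    def is_redirect(rule):
        return "--dport 80" in rule and f"--to-destination 127.0.0.1:{proxy_port}" in rule

    redirect = [r for r in nat.get("OUTPUT", []) if is_redirect(r)]
    if redirect:
        # The proxy's own upstream port-80 connections are locally generated too, so
        # without an owner exclusion they are DNATed back to the proxy itself.
        if not any("! --uid-owner" in r for r in redirect):
            findings.append(("redirect-no-owner-exclusion",
                             "nat OUTPUT redirect does not exclude the proxy's UID"))
    elif any(is_redirect(r) for r in nat.get("PREROUTING", [])):
        # PREROUTING only sees packets arriving on an interface from another host.
        findings.append(("redirect-in-prerouting",
                         "redirect is in nat PREROUTING; host-generated packets skip it, use nat OUTPUT"))
    else:
        findings.append(("no-redirect", f"no port-80 DNAT to 127.0.0.1:{proxy_port} in nat OUTPUT"))

    # Redirected packets go out and come back in over lo, so both directions must be accepted.
    for chain, flag in (("OUTPUT", "-o lo"), ("INPUT", "-i lo")):
        if not any(flag in r and "-j ACCEPT" in r for r in filt.get(chain, [])):
            findings.append((f"no-loopback-{chain.lower()}",
                             f"filter {chain} does not accept loopback; redirected packets cannot reach the proxy"))

    # The thread's final rule: only the proxy's UID may open direct http/https connections.
    if not any("! --uid-owner" in r and "-j REJECT" in r for r in filt.get("OUTPUT", [])):
        findings.append(("no-proxy-enforcement",
                         "no owner-based REJECT in filter OUTPUT; a browser can bypass the proxy"))
    return findings


def finding_codes(text, proxy_port=8888):
    """Just the finding codes, as a set, for quick comparison."""
    return {code for code, _ in audit_transparent_proxy(text, proxy_port)}


if __name__ == "__main__":
    for name, dump in (("posted", POSTED_DUMP), ("fixed", FIXED_DUMP)):
        print(name, audit_transparent_proxy(dump) or "no findings")
```

Run against the posted dump it flags only the missing owner exclusion and the missing enforcement rule; the fixed dump produces no findings. The string matching is deliberately loose (it looks for the option tokens as iptables-save prints them), which is enough for a quick review of a small ruleset but not a substitute for reading the rules in order, since chain order decides which rule matches first.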