# [SOLVED] Transparent Proxy... not stealth though...how

## Korr.ban

My config is:

Intel P1-mmx 233mhz

hda = Linux

hdb = PUB

eth0 = Outside world

eth1 = LAN

My server is running: 

dnsmasq - DHCP server and DNS cache server

iptables - includes a proper redirect to proxy

samba - file sharing accessible from LAN only

squid - Config below

sshd - accessible from LAN only

SQUID CONFIG

```
#### SQUID.CONF ####
http_port 3128

# Don't cache dynamic (cgi-bin / query) content
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY

refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320

# Access control lists
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80
acl Safe_ports port 21
acl Safe_ports port 443 563
acl Safe_ports port 70
acl Safe_ports port 210
acl Safe_ports port 1025-65535
acl Safe_ports port 280
acl Safe_ports port 488
acl Safe_ports port 591
acl Safe_ports port 777
acl Safe_ports port 901
acl purge method PURGE
acl CONNECT method CONNECT

# Access rules, evaluated top to bottom
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
# No source restriction: any client that can reach port 3128 is accepted
http_access allow all
http_reply_access allow all
icp_access allow all

# Transparent (accelerator) mode settings
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
httpd_accel_single_host on

visible_hostname HOMER.SIMPSONS.SPRINGFIELD
### END ###
```

IPTABLES PROXY CODE:

```
# $INT_INTERFACE is the LAN side (eth1 in the setup above): redirect
# outbound HTTP from LAN clients to the local Squid port
iptables -t nat -A PREROUTING -i $INT_INTERFACE -p tcp --dport 80 -j REDIRECT --to-port 3128
```

When I go to test my proxy to http://stealthtests.lockdowncorp.com/cgi-bin/proxy

I get the following output:

 *Quote:*   

> REMOTE_ADDR: *MY REAL IP ADDRESS*
> 
> If this field shows your REAL IP address, you are either not stealthed or connected to an anonymous proxy. For total stealth sign up with a proxy service. If you are using a proxy, check your proxy configuration and run the test again. 
> 
> REMOTE_HOST: *MY ISP PROVIDED HOSTNAME*
> ...

This doesn't look like it's very stealth. Can anyone suggest anything... Maybe you know what I'm missing.

Note: Internet explorer is set to use proxy=192.168.0.1 Port=3128

Does anyone get a TRUE STEALTH result when they do a test on http://stealthtests.lockdowncorp.com/cgi-bin/proxy ?

Also, it looks like my real hostname shows up. How do I make HOMER.SIMPSONS.SPRINGFIELD show up as my hostname?

Thanks.

----------

## Jeremy_Z

I am using almost the same config as you, and got the same result.

Just explore the squid.conf and you will see some options that can be used, for example :

```
#  TAG: forwarded_for   on|off
#       If set, Squid will include your system's IP address or name
#       in the HTTP requests it forwards.  By default it looks like
#       this:
#
#               X-Forwarded-For: 192.1.2.3
#
#       If you disable this, it will appear as
#
#               X-Forwarded-For: unknown
#
#Default:
# forwarded_for on
forwarded_for off
```

will solve : 

HTTP_X_FORWARDED_FOR: 192.168.0.10

If this shows your REAL IP address or domain name, you are not using an ANONYMOUS proxy server. In the test, on my proxy server "unknown" is displayed in this field which is REALLY good!

Or use :

```
Or, to reproduce the old 'http_anonymizer paranoid' feature
       you should use:
               header_access Allow allow all
               header_access Authorization allow all
               header_access WWW-Authenticate allow all
               header_access Cache-Control allow all
               header_access Content-Encoding allow all
               header_access Content-Length allow all
               header_access Content-Type allow all
               header_access Date allow all
               header_access Expires allow all
               header_access Host allow all
               header_access If-Modified-Since allow all
               header_access Last-Modified allow all
               header_access Location allow all
               header_access Pragma allow all
               header_access Accept allow all
               header_access Accept-Charset allow all
               header_access Accept-Encoding allow all
               header_access Accept-Language allow all
               header_access Content-Language allow all
               header_access Mime-Version allow all
               header_access Retry-After allow all
               header_access Title allow all
               header_access Connection allow all
               header_access Proxy-Connection allow all
               header_access All deny all
```

And only REMOTE_ADDR and REMOTE_HOST will remain.

(currently I am looking for a way to hide them)

----------

## Korr.ban

Thanks for that great info. Keep working on making it completely hidden. I am also working on that except that I am looking into DNS info. If you come up with anything make sure to PM me... I will do the same for you if I find anything.

Thanks.

----------

## Jeremy_Z

You'd better post it here, could be useful for anyone.

Also, the header_access I gave will disable cookies; you will have to add

```
header_access Cookie allow all
header_access Set-Cookie allow all
```

I don't think you can hide REMOTE_ADDR or REMOTE_HOST; at best you will have the address and hostname of your proxy, not those of your browsing machine.

Also, you don't need to set up any proxy settings since you have the iptables rule.

You can take a look at this page: https://www.grc.com/x/ne.dll?bh0bkyd2 for security tests (and a link that prints HTTP headers).

----------

## Korr.ban

 *Jeremy_Z wrote:*

> You'd better post it here, could be useful for anyone.

I will do that and PM you too so you know there is some new info.

You may be able to change hostname to something like YOU.THERE.ME.HERE

I have seen people using such hostnames. I think it is with DNS. I am reading the howto today so I should have some answers by the end of the day.

Here is the answer:

https://forums.gentoo.org/viewtopic.php?p=1369147#1369147

----------

## Jeremy_Z

It is reverse DNS indeed, and I think it is provided by your ISP, so I don't think you can change it.

But again, it is the reverse DNS of your proxy IP, thus you can use an external proxy (those anonymizer proxies available on the net) to hide your real IP/hostname.

----------

## Korr.ban

 *Jeremy_Z wrote:*

> But again, it is the reverse DNS of your proxy IP, thus you can use an external proxy (those anonymizer proxies available on the net) to hide your real IP/hostname.

I'm not that crazy about security to pay $24 / month for those. Unless you find a REALLY good free one. Post it here if you do. I will check some of them out too.

----------

## RedDawn

 *Korr.ban wrote:*

> *Jeremy_Z wrote:*
> > But again, it is the reverse DNS of your proxy IP, thus you can use an external proxy (those anonymizer proxies available on the net) to hide your real IP/hostname.
>
> I'm not that crazy about security to pay $24 / month for those. Unless you find a REALLY good free one. Post it here if you do. I will check some of them out too.

Yes, the ISP takes care of reverse DNS; you can't change that unless you're willing to pay some mula... $100 and up! to be exact!

----------

## Jeremy_Z

I don't know any and I am not interested in using such a proxy anyway. But then hiding your IP is impossible: it is part of TCP, and the server would not be able to answer you if it was not provided.

Changing your hostname is also impossible unless your ISP permits you to do so.

----------

## sammy2ooo

great thread  :Smile: 

one more question, is it possible to disable the Via tag? couldn't find anything within the docu

 *Quote:*

> Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
> Accept-Language: en-us,en;q=0.5
> ...

thx

----------

## sammy2ooo

hm the following did it, but which one exactly??!?!

 *Quote:*

> header_access Allow allow all
> header_access Authorization allow all
> ...

----------
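As an added example (not from the thread, and not Squid's own code), the Python below models how a header_access list like the one posted above filters a request, so you can see which rule removes a given header such as Via or Cookie. It assumes a simplified evaluation (only the built-in `all` ACL; a header's own rule list if it has one, otherwise the `All` list; first rule wins; no matching rule means the header passes) and runs over constructed sample headers.

```python
# Added example modelling Squid's header_access request mangling.
# Assumed semantics (simplification, not Squid's full ACL engine): only the
# built-in 'all' ACL is modelled (it matches every request); a header is judged
# by its own rule list if one exists, else by the 'All' list; first rule wins.
import re

RULE_RE = re.compile(r"^\s*header_access\s+(\S+)\s+(allow|deny)\s+(\S+)\s*$")

# Allow list from the 'paranoid' block, plus the two Cookie lines added later.
ALLOWED = ("Allow Authorization WWW-Authenticate Cache-Control Content-Encoding "
           "Content-Length Content-Type Date Expires Host If-Modified-Since "
           "Last-Modified Location Pragma Accept Accept-Charset Accept-Encoding "
           "Accept-Language Content-Language Mime-Version Retry-After Title "
           "Connection Proxy-Connection Cookie Set-Cookie").split()
PARANOID_RULES = [f"header_access {h} allow all" for h in ALLOWED]
PARANOID_RULES.append("header_access All deny all")

# Constructed request headers as an origin server might receive them from a
# Squid hop running with forwarded_for on and no header_access rules.
SAMPLE_HEADERS = [
    ("Host", "stealthtests.lockdowncorp.com"),
    ("Accept-Language", "en-us,en;q=0.5"),
    ("Cookie", "session=constructed"),
    ("Via", "1.0 HOMER.SIMPSONS.SPRINGFIELD (squid)"),
    ("X-Forwarded-For", "192.168.0.10"),
]

def parse_rules(lines):
    """Map lower-cased header name -> ordered [(action, rule_text), ...]."""
    table = {}
    for line in lines:
        m = RULE_RE.match(line)
        if m and m.group(3) == "all":  # skip comments and unmodelled ACLs
            table.setdefault(m.group(1).lower(), []).append((m.group(2), line.strip()))
    return table

def decide(table, header):
    """Return (verdict, rule_text) for one header name."""
    chain = table.get(header.lower()) or table.get("all") or []
    return chain[0] if chain else ("allow", None)  # no rule: Squid passes it

def apply_header_access(rules, headers):
    """Headers that survive the rule set, in original order."""
    table = parse_rules(rules)
    return [(n, v) for n, v in headers if decide(table, n)[0] == "allow"]

def revealing_headers(headers):
    """Surviving headers that tell the origin about the client or proxy hop."""
    return [n for n, _ in headers if n.lower() in ("x-forwarded-for", "via", "forwarded")]
```

Running `decide(parse_rules(PARANOID_RULES), "Via")` shows that it is the final `header_access All deny all` line, not any of the allow lines, that strips Via (and Cookie, until the Cookie lines are added).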

