# Transparent proxy for non-http tcp/ipv4 applications

## Bircoph

Hello,

I have the following network setup: internet access is provided through an HTTP proxy only. Practically this is squid with plaintext authorization; it is not transparent, it accepts only requests on tcp port 3128, all others are blocked, but it allows the CONNECT method to connect to all ports.

What I want to do is to make connections through this proxy as transparent as possible; at best, all tcp/ipv4 applications, even non-proxy-aware ones, should work fine.

Currently I set up a transparent proxy on my local host via squid in transparent mode and the iptables -j REDIRECT target. Thus all http traffic works transparently; I do not need to configure each program I use or to log in each time on the proxy: my local squid does this for me. Also I configured several proxy-aware applications like subversion and configured ssh using corkscrew to authenticate and work through my provider's proxy.

But I have one big problem: redirection through local squid in transparent mode works only for requests on port 80. Squid can't handle other requests this way, especially if they are non-http. The reason is obvious: squid is not intended for this work and there is not enough data after -j REDIRECT to do this. Thus hundreds of non-proxy-capable applications can't operate properly.

Solutions like net-misc/httptunnel are unacceptable because I have no system on the outside to establish a tunnel with. Solutions like prtunnel or net-misc/corkscrew can only tunnel a connection to a specified client and port, thus are unacceptable for any application which dynamically opens new connections to new hosts and ports.

In theory my problem can be solved. I see at least two solutions:

1) Write some daemon listening on port N. Redirect all traffic to this port via iptables. Before -j REDIRECT, dump the packet to userspace using -j NFQUEUE, intercept it with the daemon, extract the original destination ip and port, find this packet is the backet (or wait until it arrives). If this is a new connection, connect and authorize on the provider's proxy, use the CONNECT proxy command, then open a socket and transfer data; otherwise transfer data through the already open circuit.

2) The same as above, but create a virtual interface (via tun/tap) and use auth and CONNECT on the provider's proxy on an as-needed basis, then just route to this interface as to the default router. Of course, this will work only for tcp, and all other protocols like udp and icmp may be forgotten.

I prefer the second approach, but both of them require a lot of work to be done.

Does anyone know of already existing projects implementing this? Or maybe someone has a better idea what to do? But, please, don't say something like "change your provider" or "ask your provider to configure here and there": changes in the provider's behavior are out of even the tiniest possibility, nor can I change provider.
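As an added example (not code from this thread or from any project named in it), here is the first design sketched above, a daemon that receives the iptables-REDIRECTed connections, written in Python: instead of NFQUEUE it recovers the original destination with the SO_ORIGINAL_DST getsockopt that the REDIRECT target records on the socket, then opens a CONNECT tunnel on the upstream proxy with Basic authorization and relays bytes in both directions. The proxy address, the credentials and the listen port are placeholders.

```python
import base64
import contextlib
import socket
import struct
import threading

SO_ORIGINAL_DST = 80  # from linux/netfilter_ipv4.h; not exposed by Python's socket module
PROXY_ADDR, PROXY_AUTH = ("192.0.2.1", 3128), ("user", "secret")  # placeholders, not from the thread

def parse_original_dst(raw):
    """Decode the sockaddr_in that getsockopt(SOL_IP, SO_ORIGINAL_DST) returns on a REDIRECTed socket."""
    if struct.unpack_from("=H", raw)[0] != socket.AF_INET:   # sa_family_t is in host byte order
        raise ValueError("SO_ORIGINAL_DST returned a non-IPv4 address")
    port, addr = struct.unpack_from("!H4s", raw, 2)          # port and address in network byte order
    return socket.inet_ntoa(addr), port

def build_connect_request(host, port, auth):
    """CONNECT request for the upstream proxy; Basic is the plaintext authorization the thread describes."""
    token = base64.b64encode(f"{auth[0]}:{auth[1]}".encode()).decode()
    return (f"CONNECT {host}:{port} HTTP/1.1\r\nHost: {host}:{port}\r\n"
            f"Proxy-Authorization: Basic {token}\r\n\r\n").encode()

def parse_status(reply):
    parts = reply.split(b"\r\n", 1)[0].decode("latin-1").split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError("malformed proxy reply")
    return int(parts[1])                        # only a 2xx code means the tunnel is open

def pump(src, dst):
    while data := src.recv(65536):
        dst.sendall(data)
    with contextlib.suppress(OSError):          # peer may already be gone
        dst.shutdown(socket.SHUT_WR)            # half-close so the other direction can drain

def handle_client(client):
    host, port = parse_original_dst(client.getsockopt(socket.SOL_IP, SO_ORIGINAL_DST, 16))
    upstream = socket.create_connection(PROXY_ADDR)
    upstream.sendall(build_connect_request(host, port, PROXY_AUTH))
    reply = b""
    while b"\r\n\r\n" not in reply and (chunk := upstream.recv(4096)):
        reply += chunk                          # collect the whole reply header block
    if parse_status(reply) // 100 != 2:         # e.g. 403 for a blocked port, 407 for bad credentials
        client.close(); upstream.close(); return
    threading.Thread(target=pump, args=(client, upstream), daemon=True).start()
    pump(upstream, client)

def serve(listen=("127.0.0.1", 12345)):
    with socket.create_server(listen) as srv:
        while True:
            threading.Thread(target=handle_client, args=(srv.accept()[0],), daemon=True).start()
```

Run serve() after adding a nat OUTPUT rule such as `iptables -t nat -A OUTPUT -p tcp ! -d 192.0.2.1 -j REDIRECT --to-ports 12345`; excluding the proxy address keeps the relay's own upstream connections from being redirected back into it. Like the design above it handles TCP over IPv4 only, and a proxy that restricts CONNECT to certain ports shows up as a non-2xx reply.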

----------

## erik258

*Quote:*

> Or maybe someone has a better idea what to do?

To what purpose are you proxying these services? If you simply want to allow all connections, why not a firewall and NAT? I fail to see the fundamental goal behind what you're doing.

----------

## Hu

His upstream provider has a very restrictive egress firewall, so he cannot connect to most services via the normal process. However, the provider operates a Squid and has failed to secure it, so he wants a wrapper that can take an arbitrary application, capture the connection, connect to the Squid, and trick the Squid into opening the required connection. This would allow use of applications that are not natively proxy aware, despite the configuration of the upstream provider.

----------

## malern

I've not tried this, but you could try running mocks, which is a socks server with the ability to forward connections through an http proxy (e.g. squid). You could then use net-proxy/tsocks or net-misc/ksb26 to redirect everything to the socks server. So you'd end up with something that looks like:

app -> tsocks|ksb26 -> mocks -> squid -> host

It's not ideal, but it should work. Personally I think you should implement your TUN system, sounds like it'd be a really cool project.

[EDIT]

Just found transocks. I know it says it's for SOCKS proxies, but it links against the dante libs, which actually support both socks and http proxies.

Pity it's not in portage.

----------

## Bircoph

Sorry for late reply, I was too busy these days. Thank you all for your replies.

I found net-misc/proxychains. Technically it is the same function call interception via LD_PRELOAD as in tsocks, but it allows direct access to an HTTP CONNECT proxy, thus an additional element in the chain like mocks is no longer needed.

I tested proxychains for different types of connections including svn (not via http), pop3, smtp and torrents. It seems to work ok; however, the provider's proxy seems to limit the rate of new connections, so it takes some time for ctorrent to perform peer negotiation.

However, the LD_PRELOAD technique has its own limitations: it is local, and you cannot use it for SUID applications if you are not root. And for some applications you should actually add LD_PRELOAD not for them, but for the slaves they use, e.g. to route kmail through this proxy, kdeinit should be started with the proper LD_PRELOAD.

The transocks solution is unacceptable, because dante does not support authorization on the parent proxy; at least I can't find in the config/docs/google how to do this.

The solution with a virtual interface will be good for proxying other machines behind this type of proxy, but for local processes LD_PRELOAD is sometimes preferable. In fact I have two providers and the second one is in question, so I want to route only selected applications to it.

A friend of mine already started the proxyiface project to create a virtual network interface for an http connect proxy; I hope I'll join him later.

----------

## Hu

According to man ld.so, you could use /etc/ld.so.preload if you want to preload into every process. Also, from the same man page:

```
For  set-user-ID/set-group-ID  ELF  binaries,  only libraries in the standard search directories that are also  set-user-ID will be loaded.
```

----------

## Bircoph

*Hu wrote:*

> According to man ld.so, you could use /etc/ld.so.preload if you want to preload into every process.

This is unacceptable. As I said before, I want to route only selected applications. Actually I have two providers and my network setup is significantly more complicated than described above, but this is irrelevant to the original question.

*Quote:*

> Also, from the same man page:
>
> ```
> ...
> ```

Thanks, I missed that somehow.

----------

