I am using a transparent proxy on my router (Linksys WRT1200AC), but it only affects packets coming from the LAN (WiFi and wired LAN), not those from a process running on the router itself.
These are the firewall commands:
# custom chain in the nat table; non-routable / local ranges are exempted first
iptables -t nat -N TorTransPort;
iptables -t nat -A TorTransPort -d 0.0.0.0/8 -j RETURN;
iptables -t nat -A TorTransPort -d 10.0.0.0/8 -j RETURN;
iptables -t nat -A TorTransPort -d 127.0.0.0/8 -j RETURN;
iptables -t nat -A TorTransPort -d 169.254.0.0/16 -j RETURN;
iptables -t nat -A TorTransPort -d 172.16.0.0/12 -j RETURN;
iptables -t nat -A TorTransPort -d 192.168.0.0/16 -j RETURN;
iptables -t nat -A TorTransPort -d 224.0.0.0/4 -j RETURN;
iptables -t nat -A TorTransPort -d 240.0.0.0/4 -j RETURN;
iptables -t nat -A TorTransPort -d 192.168.1.1/32 -j RETURN;   # already covered by the 192.168.0.0/16 rule above
# only destinations in the ipset, on 80/443, are redirected to Tor's TransPort (9040)
iptables -t nat -A TorTransPort -m set --match-set myfilterset dst -p tcp --dport 80 -j REDIRECT --to-port 9040;
iptables -t nat -A TorTransPort -m set --match-set myfilterset dst -p tcp --dport 443 -j REDIRECT --to-port 9040;
# forwarded (LAN) traffic enters the chain from PREROUTING
iptables -t nat -A PREROUTING -p tcp -m multiport --dports 80,443 -j TorTransPort;
Is there any way to have that too?
I think PREROUTING only works on incoming connections (not local ones), but I am not an iptables pro, so I don't know how to fix this.
Here you send the HTTP/HTTPS packets to the TorTransPort chain.
iptables -t nat -A OUTPUT -m set --match-set myfilterset dst -p tcp --dport 443 -j REDIRECT --to-port 9040
So basically this should already be in the TorTransPort chain from the PREROUTING rules, and not in OUTPUT. Right?
But how do you differentiate the traffic that originates from the router from the traffic that originates from the proxy process on the router? The traffic of the proxy will also be subject to the redirect on OUTPUT, the way I see it. So eventually you'll have an endless loop.
I didn't issue two OUTPUT chains.
It was one, and I changed it a bit later.
"
iptables -t nat -A OUTPUT -p tcp -m multiport --dports 80,443 -j TorTransPort
iptables -t nat -A OUTPUT -m set --match-set myfilterset dst -p tcp --dport 443 -j REDIRECT --to-port 9040
"
The second one I used to see whether it would work if I didn't use my own TorTransPort chain.
I only use one.
Because on the page that was linked to me, it says that I have to use either POSTROUTING or OUTPUT for nat.
And REDIRECT doesn't work on POSTROUTING.
The proxy process is Tor, which uses ports other than 80 and 443.
And the ipset I use doesn't include the Tor endpoints, but sites like YouTube and so on that are blocked in my country.
I am sorry, but have you tested that on an actual site?
I tested with YouTube on port 80 and 443 and it didn't work.
The tcpdump that you show only shows that the port changed to 8080 and the IP to localhost, but this is not always the desired result.
For example, if I redirect a site by changing its packet's destination IP and port to localhost and the port of the Tor proxy, it may not work if I just change the port and IP and don't correctly use DNAT, so that Tor knows that I am actually not trying to talk to it but to use it to proxy to the actual domain.
What I am saying is, maybe the iptables command that is used destroys the actual destination info (sorry, I don't know how to say this correctly) and Tor sees the packet trying to connect to localhost on port 443 and doesn't see the actual eventual domain.
DNAT and REDIRECT do more or less the same thing: rewrite the destination IP and port of the packet. In the DNAT case you can rewrite to any IP; with REDIRECT it rewrites to the device itself.
The vital information of the HTTP/HTTPS part is inside the data part of the packet, so a proxy can understand which server to query on behalf of the host.
I am not 100% sure, but I don't think that is correct.
But I am not informed enough to argue with you.
But I know that if I change the destination IP of a packet and send it to Tor, the HTTPS part doesn't matter and Tor doesn't redirect it to the correct domain.
But enough of that argument.
My issue is still present, and the iptables command doesn't redirect YouTube (the test domain I use) through the Tor proxy.
So, any idea how to get that working?
How do I quote when I answer, so that I give the correct answer to the correct post?
About the SSL fail: I am happily using an HTTPS transparent proxy and it works.
It works for the clients that connect to the router via WiFi or LAN.
My issue is getting it working for connections originating from the OpenWrt router itself too.
What I meant by "actual domain" was: did you test with a transparent proxy and an actual domain, with a connection to that domain from the router itself?
Also, about the head post: I used a short description in the title and that was not correct, but I did describe the whole issue in the post.
EDIT: changed the title.
Just click to highlight the part you want to quote and hit the quote button.
Then you should not rewrite the destination field, but rather make a routing decision so that the packet will be forwarded to the Tor tunnel instead of your ISP.
The main issue here is that you don't explain properly what you have and what you want to achieve.
You keep using the word proxy, while it is a Tor tunnel. A proxy can understand where the packet is heading, even if the destination IP in the header is not the one of the server. Tunnels, on the other hand, don't.
As suggested by @vgaetera, tcpdump is your friend there.
I am sorry if I was not clear about my issue.
My issue is this.
I use Tor in transparent mode and use the nat table and PREROUTING chain to redirect my connections to some domains (IPs) through Tor (running on OpenWrt on port 9040).
Now, as seen in my iptables commands, the packets that originate from my LAN and are, for example, going to youtube.com get routed through Tor (routed as in: they go through it with the REDIRECT command and Tor understands the destination without me doing anything to my browsers, so transparently).
But I can't make this happen for connections originating from the router to YouTube.
That is all of my issue.
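The missing piece for the setup in the first post (and for the restatement just above) is a nat OUTPUT hook: PREROUTING only sees forwarded packets, while packets generated on the router itself traverse nat OUTPUT, and that is where REDIRECT to Tor's TransPort has to happen. The loop raised earlier in the thread is real, because Tor's own connections to relays are also locally generated; it is avoided by exempting Tor's user ID before the jump. The script below is an added example, not code posted by anyone in this thread. It reuses the poster's TorTransPort chain and myfilterset ipset and the TransPort 9040 named in the thread; the assumption that Tor runs as the system user "tor" is mine, and the `owner` match is an iptables extension that may need an extra package on OpenWrt.

```sh
#!/bin/sh
# Added example (not from the thread): nat OUTPUT rules that send HTTP/HTTPS
# connections made by the router itself into the same TorTransPort chain that
# already handles LAN clients. Assumptions: Tor runs as user "tor"; the chain
# name and TransPort 9040 are the ones the poster uses.

TOR_UID="${TOR_UID:-tor}"                  # user Tor runs as (assumption)
TRANS_CHAIN="${TRANS_CHAIN:-TorTransPort}" # poster's existing nat chain

# Run iptables, or only print the command when DRY_RUN=1, so the rule
# order can be reviewed (and tested) without root access.
ipt() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "iptables $*"
    else
        iptables "$@"
    fi
}

tor_output_rules() {
    # 1. Exempt Tor's own sockets first. Tor's connections to relays are
    #    locally generated too, so without this rule they would be
    #    REDIRECTed back into its own TransPort: the endless loop.
    ipt -t nat -A OUTPUT -m owner --uid-owner "$TOR_UID" -j RETURN
    # 2. Exempt loopback; traffic the router sends to itself never needs Tor.
    ipt -t nat -A OUTPUT -o lo -j RETURN
    # 3. Everything else the router originates on 80/443 goes through the
    #    same chain as PREROUTING, so the ipset match and the private-range
    #    RETURNs apply unchanged.
    ipt -t nat -A OUTPUT -p tcp -m multiport --dports 80,443 -j "$TRANS_CHAIN"
}

# Sanity check on the generated rule order: the owner exemption must come
# before the jump to the chain, otherwise Tor's relay traffic loops.
# Returns 0 when the order is right, 1 otherwise.
rules_are_ordered() {
    ( DRY_RUN=1; tor_output_rules ) | awk '
        /--uid-owner/ && !seen_jump { seen_owner = 1 }
        /-j '"$TRANS_CHAIN"'$/       { seen_jump = 1 }
        END { if (seen_owner && seen_jump) exit 0; exit 1 }'
}

case "${1:-}" in
    apply) tor_output_rules ;;             # install the rules (needs root)
    show)  ( DRY_RUN=1; tor_output_rules ) ;; # print them for review
esac
```

Run `sh tor-output.sh show` to see the three rules, and `sh tor-output.sh apply` on the router to install them; on OpenWrt, put the `apply` call (or the rules themselves) in /etc/firewall.user so the firewall reload does not drop them, and confirm the order afterwards with `iptables -t nat -L OUTPUT -n --line-numbers`. To test from the router, the destination has to be in the ipset, so temporarily `ipset add myfilterset <ip-of-a-test-host>` and connect to it with curl or wget from the router shell. Note that DNS lookups made by the router itself still leave directly unless you also redirect UDP 53 to Tor's DNSPort, which this example does not cover.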