coderrr

July 29, 2009

How to force Flash or any program to use a SOCKS proxy using Transocks and iptables in Linux

Filed under: linux, network — coderrr @ 5:18 pm

Shameless Plug: Force all of your applications through a high powered proxy-like tunnel with a VPN Service.

The Flash plugin for Linux does not respect any browser’s SOCKS proxy settings. This means sites which stream video through a protocol other than HTTP will go direct to the host rather than through your SOCKS proxy.

One way to force Flash or any program through a SOCKS proxy is to use iptables in combination with transocks_em.

First download transocks_em here: http://github.com/coderrr/transocks_em/tarball/master

Running it requires Ruby and the eventmachine gem (gem install eventmachine). With transocks ready, we need to set up iptables rules that redirect our traffic to transocks. You can put the following rules in a sh script.

iptables_transocks.sh:

#!/bin/sh

LOCAL_NET=192.168.0.0/16

# Flush all previous nat rules, you might not want to include this line if you already have other rules setup
iptables -t nat --flush

# Delete and recreate the SOCKSIFY chain (-X fails harmlessly on the first run, when the chain does not exist yet)
iptables -t nat -X SOCKSIFY 2>/dev/null
iptables -t nat -N SOCKSIFY

# Exceptions for local traffic
iptables -t nat -A SOCKSIFY -o lo -j RETURN
iptables -t nat -A SOCKSIFY --dst 127.0.0.1 -j RETURN
iptables -t nat -A SOCKSIFY --dst $LOCAL_NET -j RETURN
# Add extra local nets here as necessary

# Only proxy traffic for programs run with group 'transocks'
iptables -t nat -A SOCKSIFY -m owner ! --gid-owner transocks -j RETURN

# Send to transocks
iptables -t nat -A SOCKSIFY -p tcp -j REDIRECT --to-port 1212

# Socksify traffic leaving this host:
iptables -t nat -A OUTPUT -p tcp --syn -j SOCKSIFY

Once you’ve created the script, run it:

chmod +x iptables_transocks.sh
sudo ./iptables_transocks.sh

Note, if you need to, you can clear out all these rules with:

sudo iptables -t nat --flush

The setup I have chosen here proxies only the traffic of programs run with the group ID of the group ‘transocks’. This makes it easy to socksify any program by just running it as a specific group. So the first thing we’ll want to do is create this group:

sudo addgroup transocks
sudo gpasswd transocks
# set an empty password

Next, we need to start transocks and point it at our SOCKS server. Let’s assume our SOCKS server is running at localhost:1080.

ruby transocks_em.rb 127.0.0.1 1080 1212

Now that we have created the group with an empty password and started transocks we are ready to socksify whatever program we want:

sg transocks 'firefox'
sg transocks 'opera'
sg transocks 'lynx http://whatismyip.com'

sg (set group) runs the program as your current user but with the group you specify. This is a semi-non-invasive way of telling iptables that you want it to proxy the traffic from this program. Note that any files this program writes will have the group transocks. In most cases this won’t matter, but you should be aware of it.

Although sg will prompt you for a password (even though you set a blank one), if you create an application launcher through your windowing system it should launch without showing a prompt.

Note, if your kernel supports it, you can tell iptables to only proxy traffic for programs with certain names by using the -m owner --cmd-owner [cmd name] option. The other option is to use UIDs instead of GIDs (-m owner --uid-owner) to notify iptables which traffic to socksify. This of course means you’ll have to run programs as a different user which will probably cause you more pain.

So… a quick overview of how this works. You start your browser with sg transocks ‘firefox’. Now when Firefox tries to make a connection, Linux intercepts it based on the iptables rules we have defined and forwards the connection to transocks on port 1212. Transocks then inspects the connection to determine its original address (for example hulu.com) and proxies it through the SOCKS server you specified. This happens for any TCP connection coming out of Firefox, even ones from Flash.
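To make the overview above concrete, here is an added Ruby example of the same transparent-proxy mechanism. It is not transocks_em's code and does not reproduce it: it assumes a SOCKS5 server that accepts the no-authentication method and answers CONNECT with an IPv4 bound address, and it uses the Linux values of SOL_IP and SO_ORIGINAL_DST (which Ruby's Socket class does not export) to recover the destination that the REDIRECT rule rewrote. The function names (parse_original_dst, socks5_connect, serve_transparent) and the TEST-NET address used in the comments are my own.

```ruby
require 'socket'

# Linux-only constants from <linux/netfilter_ipv4.h>; assumption: Linux x86/x86_64.
SOL_IP          = 0
SO_ORIGINAL_DST = 80

# Decode the struct sockaddr_in returned by getsockopt(SOL_IP, SO_ORIGINAL_DST)
# for a REDIRECTed connection: uint16 family (host order), uint16 port
# (network order), 4 address bytes, then 8 bytes of padding.
def parse_original_dst(raw)
  family, port, *octets = raw.unpack('SnC4')
  raise ArgumentError, "not an AF_INET address (family=#{family})" unless family == Socket::AF_INET
  [octets.join('.'), port]
end

# SOCKS5 client greeting: version 5, one method offered, 0x00 = no authentication.
def socks5_greeting
  [5, 1, 0].pack('C3')
end

# SOCKS5 CONNECT request for an IPv4 destination (ATYP 0x01), 10 bytes long.
def socks5_connect_request(ip, port)
  [5, 1, 0, 1, *ip.split('.').map(&:to_i), port].pack('C4C4n')
end

# True when a SOCKS5 reply carries REP = 0x00 (succeeded).
def socks5_reply_ok?(reply)
  ver, rep = reply.unpack('CC')
  ver == 5 && rep == 0
end

# Open a connection to ip:port through the SOCKS server. Assumes no-auth is
# accepted and the reply's bound address is IPv4 (so the reply is 10 bytes).
def socks5_connect(socks_host, socks_port, ip, port)
  up = TCPSocket.new(socks_host, socks_port)
  up.write(socks5_greeting)
  ver, method = up.read(2).unpack('CC')
  raise "SOCKS server refused no-auth (method=#{method})" unless ver == 5 && method == 0
  up.write(socks5_connect_request(ip, port))
  raise "SOCKS CONNECT to #{ip}:#{port} failed" unless socks5_reply_ok?(up.read(10))
  up
end

# Copy bytes one way until EOF or error, then half-close the other side.
def pump(src, dst)
  IO.copy_stream(src, dst)
rescue IOError, SystemCallError
ensure
  dst.close_write rescue nil
end

# Accept connections that iptables REDIRECTed to listen_port (REDIRECT in the
# OUTPUT chain sends them to 127.0.0.1), recover each one's original
# destination and relay it through the SOCKS server.
def serve_transparent(socks_host, socks_port, listen_port)
  server = TCPServer.new('127.0.0.1', listen_port)
  loop do
    client = server.accept
    Thread.new(client) do |c|
      up = nil
      begin
        ip, port = parse_original_dst(c.getsockopt(SOL_IP, SO_ORIGINAL_DST).data)
        up = socks5_connect(socks_host, socks_port, ip, port)
        Thread.new { pump(c, up) }   # client -> SOCKS server
        pump(up, c)                  # SOCKS server -> client
      rescue => e
        warn "relay failed: #{e.message}"
      ensure
        # closing both ends makes the other pump's blocked read raise IOError
        c.close rescue nil
        up.close if up && !up.closed?
      end
    end
  end
end

# Same argument order as the page's transocks_em.rb: SOCKS host, SOCKS port, listen port.
serve_transparent(ARGV[0], ARGV[1].to_i, ARGV[2].to_i) if ARGV.length == 3
```

Run it as ruby transparent_socks.rb 127.0.0.1 1080 1212 after loading the iptables rules, as a normal user and not via sg: the relay's own connection to the SOCKS server is made without the transocks group, so the rules do not redirect it back into the relay. Two properties of the rules above are worth keeping in mind when reading this code: SO_ORIGINAL_DST only yields an address because the packets arrived via REDIRECT, and only TCP SYNs are matched, so UDP traffic such as DNS lookups is not carried through the SOCKS server by this setup.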

9 Comments »

  1. Any idea how this could be done on Windows? Flash seems to always use a direct connection regardless of how I try to force it to use a proxy.

    Comment by Ros — August 16, 2009 @ 1:54 am

  2. Check out SocksCap or ProxyCap or any of the other socksification programs; Windows has a bunch.

    Comment by coderrr — August 16, 2009 @ 9:24 am

  3. It works like a charm,
    many thanks!!!

    Comment by massive — January 18, 2010 @ 11:26 pm

  4. [...] i needed, was a way to route all nodes traffic via socks proxy. I googled a bit around and came to this post – nice information, but a bit over complicated and ruby files are not working (at least for [...]

    Pingback by My Lab :) » Skype behind firewall or tunneling packets through ssh — February 11, 2010 @ 12:48 am

  5. How to fix this problem? I’m using CentOS 5.4 64bit.

    root@centos [~/transocks]# ruby transocks_em.rb 127.0.0.1 1080 1212
    /usr/lib/ruby/gems/1.8/gems/eventmachine-0.12.10/lib/rubyeventmachine.so: [BUG] Segmentation fault
    ruby 1.8.7 (2009-06-08 patchlevel 173) [x86_64-linux]

    Aborted
    root@centos [~/transocks]#

    thanks before

    Comment by GhoHan — March 9, 2010 @ 11:11 pm

  6. Hi, it’s fixed by me… :)

    Now I’d like to know how I can add UDP connections, because that SOCKS setup is for TCP only.

    Comment by GhoHan — March 10, 2010 @ 2:37 am

  7. Is there an easy way to also force the dns lookups by the application to be done through the proxy as well?? Thanks.

    Comment by JohnTheProfiter — April 27, 2010 @ 3:16 am

  8. Flash doesn’t do what you want and you can’t adapt it to your needs; you have to adapt yourself to it. Hence, you’re controlled BY the software: you don’t control Flash, Flash controls you.

    That’s what you get by using proprietary software.

    Comment by Mario — December 29, 2010 @ 8:05 pm

  9. Transocks is not in the Ubuntu software center. Is it safe?

    Comment by rpmen — October 15, 2013 @ 5:01 am

