The Flash plugin for Linux does not respect any browser’s SOCKS proxy settings. This means traffic to sites which stream video through a protocol other than HTTP will go direct to the host rather than through your SOCKS proxy.
One way to force Flash or any program through a SOCKS proxy is to use iptables in combination with transocks.
First download my transocks+dante tarball here: http://github.com/coderrr/transocks/tarball/master
Unpack that, and then simply run make. This will compile dante (which contains a SOCKS client library that transocks depends on), and then compile transocks with that library.
Now that transocks is ready, we need to set up rules for iptables which will redirect our traffic to be handled by transocks. You can put the following rules in a sh script.
iptables_transocks.sh:
    #!/bin/sh
    LOCAL_NET=192.168.1.0/24

    # Flush all previous nat rules, you might not want to include this line if you already have other rules set up
    iptables -t nat --flush

    iptables -t nat -X SOCKSIFY
    iptables -t nat -N SOCKSIFY

    # Exceptions for local traffic
    iptables -t nat -A SOCKSIFY -o lo -j RETURN
    iptables -t nat -A SOCKSIFY --dst 127.0.0.1 -j RETURN
    iptables -t nat -A SOCKSIFY --dst $LOCAL_NET -j RETURN
    # Add extra local nets here as necessary

    # Only proxy traffic for programs run with group 'transocks'
    iptables -t nat -A SOCKSIFY -m owner ! --gid-owner transocks -j RETURN

    # Send to transocks
    iptables -t nat -A SOCKSIFY -p tcp -j REDIRECT --to-port 1211

    # Socksify traffic leaving this host:
    iptables -t nat -A OUTPUT -p tcp --syn -j SOCKSIFY
Once you’ve created the script, run it:
    chmod +x iptables_transocks.sh
    sudo ./iptables_transocks.sh
Note, if you need to, you can clear out all these rules with:
    sudo iptables -t nat --flush
The setup I have chosen here is to only proxy traffic for programs run with the group-id of group ‘transocks’. This makes it easy to socksify any program by just running it as a specific group. So the first thing we’ll want to do is create this group:
    sudo addgroup transocks
    sudo gpasswd transocks # set an empty password
Next, start up transocks:
    # -f means run in foreground
    ./transocks -f
Now that we have created the group with an empty password and started transocks we are ready to socksify whatever program we want:
    sg transocks 'firefox'
    sg transocks 'opera'
    sg transocks 'lynx http://whatismyip.com'
sg (set group) will run the program with your current user but with the group you specify. This is a semi-non-invasive way of notifying iptables you want it to proxy the traffic from this program. Note that any files this program writes out will have the group of transocks. In most cases this won’t matter but you should be aware of this.
Although sg will prompt you for a password (even though you set a blank password), if you create an application launcher through your windowing system it should launch without you having to see or respond to a prompt.
Note, if your kernel supports it, you can tell iptables to only proxy traffic for programs with certain names by using the -m owner --cmd-owner [cmd name] option. The other option is to use UIDs instead of GIDs (-m owner --uid-owner) to notify iptables which traffic to socksify. This of course means you’ll have to run programs as a different user which will probably cause you more pain.
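As an added example (not part of the original post or of transocks), the shell function below audits `iptables-save -t nat` output to confirm that the SOCKSIFY chain is still wired up as described above; if the REDIRECT rule has been flushed, programs started with sg connect directly instead of through the proxy. The function name `check_socksify`, the sample rule dump and the GID 1001 are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit `iptables-save -t nat` output for the SOCKSIFY rules.
# On a live host: sudo iptables-save -t nat | check_socksify

check_socksify() {   # $1 = transocks port (default 1211, as in the script above)
    awk -v port="${1:-1211}" '
        $1 == "-A" && $2 == "OUTPUT" && /-j SOCKSIFY/ { jump = 1 }
        $1 == "-A" && $2 == "SOCKSIFY" {
            n++   # position of this rule inside the chain
            for (i = 3; i < NF; i++) {
                if ($i == "--gid-owner" && $(i-1) == "!" && /-j RETURN/) gid = n
                if (/-j REDIRECT/ && $i ~ /^--to-ports?$/ && $(i+1) == port) redir = n
            }
        }
        END {
            if (!jump)  { print "FAIL: OUTPUT never jumps to SOCKSIFY"; bad = 1 }
            if (!redir) { print "FAIL: no REDIRECT to port " port " (traffic goes direct)"; bad = 1 }
            if (!gid)   { print "FAIL: no negated --gid-owner RETURN rule"; bad = 1 }
            if (gid && redir && gid > redir) { print "FAIL: group filter is after REDIRECT"; bad = 1 }
            if (!bad) print "OK: group-scoped redirect to port " port " is in place"
            exit bad + 0
        }'
}

# Constructed sample (not captured from a real host); 1001 stands in for the
# numeric GID of the transocks group.
sample_rules() {
    cat <<'EOF'
*nat
:OUTPUT ACCEPT [0:0]
:SOCKSIFY - [0:0]
-A OUTPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j SOCKSIFY
-A SOCKSIFY -o lo -j RETURN
-A SOCKSIFY -d 127.0.0.1/32 -j RETURN
-A SOCKSIFY -d 192.168.1.0/24 -j RETURN
-A SOCKSIFY -m owner ! --gid-owner 1001 -j RETURN
-A SOCKSIFY -p tcp -j REDIRECT --to-ports 1211
COMMIT
EOF
}

sample_rules | check_socksify                             # all checks pass
sample_rules | grep -v REDIRECT | check_socksify || true  # reports the missing REDIRECT
```

The rules above match only TCP (`-p tcp`), so this check says nothing about UDP traffic such as DNS lookups, which the chain does not redirect.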

Any idea how this could be done on Windows? Flash seems to always use a direct connection regardless of how I try to force it to use a proxy.
Comment by Ros — August 16, 2009 @ 1:54 am
Check out sockscap or proxycap or any of the other socksification programs; Windows has a bunch.
Comment by coderrr — August 16, 2009 @ 9:24 am