Shameless Plug: Force all of your applications through a high powered proxy-like tunnel with a VPN Service.
The Flash plugin for Linux does not respect any browser’s SOCKS proxy settings. This means sites which stream video through a protocol other than HTTP will go direct to the host rather than through your SOCKS proxy.
One way to force Flash or any program through a SOCKS proxy is to use iptables in combination with transocks_em.
First download transocks_em here: http://github.com/coderrr/transocks_em/tarball/master
To run it you will need ruby and the eventmachine gem (gem install eventmachine). Now that transocks is ready, we need to set up rules for iptables that will redirect our traffic to be handled by transocks. You can put the following rules in a sh script.
#!/bin/sh
LOCAL_NET=192.168.0.0/16

# Flush all previous nat rules; you might not want to include this line if you already have other rules set up
iptables -t nat --flush
iptables -t nat -X SOCKSIFY
iptables -t nat -N SOCKSIFY

# Exceptions for local traffic
iptables -t nat -A SOCKSIFY -o lo -j RETURN
iptables -t nat -A SOCKSIFY --dst 127.0.0.1 -j RETURN
iptables -t nat -A SOCKSIFY --dst $LOCAL_NET -j RETURN
# Add extra local nets here as necessary

# Only proxy traffic for programs run with group 'transocks'
iptables -t nat -A SOCKSIFY -m owner ! --gid-owner transocks -j RETURN

# Send to transocks
iptables -t nat -A SOCKSIFY -p tcp -j REDIRECT --to-port 1212

# Socksify traffic leaving this host:
iptables -t nat -A OUTPUT -p tcp --syn -j SOCKSIFY
Once you’ve created the script, run it:
chmod +x iptables_transocks.sh
sudo ./iptables_transocks.sh
Note, if you need to, you can clear out all these rules with:
sudo iptables -t nat --flush
The setup I have chosen here is to only proxy traffic for programs run with the group-id of group ‘transocks’. This makes it easy to socksify any program by just running it as a specific group. So the first thing we’ll want to do is create this group:
sudo addgroup transocks
sudo gpasswd transocks # set an empty password
Next, we need to start transocks and point it at our SOCKS server. Let’s assume our SOCKS server is running at localhost:1080:
ruby transocks_em.rb 127.0.0.1 1080 1212
Now that we have created the group with an empty password and started transocks we are ready to socksify whatever program we want:
sg transocks 'firefox'
sg transocks 'opera'
sg transocks 'lynx http://whatismyip.com'
sg (set group) will run the program with your current user but with the group you specify. This is a semi-non-invasive way of notifying iptables you want it to proxy the traffic from this program. Note that any files this program writes out will have the group of transocks. In most cases this won’t matter but you should be aware of this.
sg will prompt you for a password (even though you set a blank password). If you create an application launcher through your windowing system, it should launch without you having to respond to, or even see, a prompt.
Note, if your kernel supports it, you can tell iptables to only proxy traffic for programs with certain names by using the -m owner --cmd-owner [cmd name] option. The other option is to use UIDs instead of GIDs (-m owner --uid-owner) to tell iptables which traffic to socksify. This of course means you’ll have to run programs as a different user, which will probably cause you more pain.
So… a quick overview of how this will work. You start your browser with sg transocks ‘firefox’. Now when Firefox tries to make a connection, Linux will intercept it based on the iptables rules we have defined and forward the connection to transocks on port 1212. Transocks will then inspect the connection to determine its original address (for example hulu.com) and proxy it through the SOCKS server you specified. This will happen for any TCP connection coming out of Firefox, even ones from Flash.
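What that last step looks like in code, as an added example written for this post (not transocks_em’s own source): the Ruby below recovers the original destination of a connection that the REDIRECT rule sent to port 1212, using the SO_ORIGINAL_DST socket option, and builds the SOCKS5 CONNECT exchange a transparent proxy then runs against the SOCKS server. It assumes a Linux kernel (the SO_ORIGINAL_DST value is Linux-specific) and a SOCKS5 server that accepts the no-authentication method; the sample sockaddr at the bottom is constructed.

```ruby
require 'socket'

# Assumption: Linux value of SO_ORIGINAL_DST from <linux/netfilter_ipv4.h>;
# Ruby's Socket module does not define this constant itself.
SO_ORIGINAL_DST = 80

# The kernel answers getsockopt(SOL_IP, SO_ORIGINAL_DST) with a struct sockaddr_in:
# u16 sin_family (host order), u16 sin_port (network order), 4-byte sin_addr, 8 bytes of padding.
def parse_original_dst(sockaddr)
  family, port, a, b, c, d = sockaddr.unpack('SnC4')
  raise ArgumentError, 'not an AF_INET sockaddr' unless family == Socket::AF_INET
  ["#{a}.#{b}.#{c}.#{d}", port]
end

# For a connection accepted on the REDIRECT target port (1212 above), recover where the
# client was really going. Only meaningful for sockets that passed a REDIRECT/DNAT rule.
def original_dst(sock)
  parse_original_dst(sock.getsockopt(Socket::IPPROTO_IP, SO_ORIGINAL_DST).data)
end

# SOCKS5 greeting: version 5, one method offered, 0x00 = no authentication.
SOCKS5_GREETING = "\x05\x01\x00".b

# SOCKS5 CONNECT request for an IPv4 address (ATYP 0x01); port is big-endian.
def socks5_connect_request(ip, port)
  ["\x05\x01\x00\x01".b, ip.split('.').map(&:to_i).pack('C4'), [port].pack('n')].join
end

# Byte 1 of the reply is the status; 0x00 means the proxy connected to the target.
def socks5_reply_ok?(reply)
  reply.bytesize >= 2 && reply.getbyte(0) == 5 && reply.getbyte(1) == 0
end

# Run the SOCKS5 exchange on an open connection to the SOCKS server (e.g. 127.0.0.1:1080)
# so that bytes relayed over +proxy+ afterwards reach the original destination.
def socks5_connect(proxy, ip, port)
  proxy.write(SOCKS5_GREETING)
  raise 'SOCKS server refused no-auth' unless proxy.read(2) == "\x05\x00".b
  proxy.write(socks5_connect_request(ip, port))
  raise 'SOCKS CONNECT failed' unless socks5_reply_ok?(proxy.read(10))
  proxy
end

# Constructed sample: the sockaddr_in the kernel would return for a client that had
# been heading to 203.0.113.10:443 (a TEST-NET-3 address) before REDIRECT.
SAMPLE_ORIGINAL_DST = [Socket::AF_INET, 443, 203, 0, 113, 10].pack('SnC4') + "\0".b * 8
```

A full proxy would accept on 1212, call original_dst on each accepted socket, open a TCPSocket to the SOCKS server, run socks5_connect, and then copy bytes in both directions; the local-net and loopback RETURN rules above are what keep that proxy-to-SOCKS-server connection from being intercepted again.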