Saturday, 16 February 2019

linux - redirect traffic from bridge to http proxy


If I create a new instance of an ethernet bridge:


# brctl addbr br1
# ip link set dev br1 up
# ip addr add 10.100.100.1/24 dev br1

Start tinyproxy listening on localhost on its default port 8888:


# tinyproxy

With firejail create a new network namespace and connect it to the bridge:


# firejail --net=br1 /bin/bash

How would I then route traffic through the bridge to tinyproxy, so that, e.g., curl will fetch a Web page from within the firejail sandbox:


# curl --proxy http://10.100.100.1:8888 http://wtfismyip.com/text

Answer



The following command is useful to flush/delete chains and disable ufw:


# /lib/ufw/ufw-init flush-all

Create an ethernet bridge:


ext_if="enp8s8"
bridge="brtp8888"
proxy_port="8888" # tinyproxy default

brctl addbr "${bridge}"
ip link set dev "${bridge}" up
ip addr add 10.100.100.1/24 dev "${bridge}"
# Allow the bridge to route traffic to localhost
sysctl net.ipv4.conf."${bridge}".route_localnet=1

Route tcp traffic directed at port 8888 of the bridge through to tinyproxy:


# Rewrite TCP connections entering the bridge so they land on tinyproxy's loopback listener
iptables -t nat -A PREROUTING -i "${bridge}" -p tcp -j DNAT --to-destination 127.0.0.1:"${proxy_port}"
# Masquerade what leaves via the external interface (ext_if, defined above; the original had eth0 here)
iptables -t nat -A POSTROUTING -s 10.100.100.0/24 -o "${ext_if}" -j MASQUERADE

(N.B. The above was adapted from the Firejail with Tor HOWTO.)


Tinyproxy restricts connections to localhost unless there is a configuration line saying otherwise; edit /etc/tinyproxy.conf:


Allow 10.100.100.0/24

A more complete set of iptables rules:


# Default policies: drop unsolicited inbound and forwarded traffic, allow outbound
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# Loopback and established/related replies
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Accept sandbox connections to the proxy port arriving on the bridge
iptables -A INPUT -i "${bridge}" -p tcp --dport "${proxy_port}" -j ACCEPT
iptables -t nat -A PREROUTING -i "${bridge}" -p tcp -j DNAT --to-destination 127.0.0.1:"${proxy_port}" # tinyproxy default
iptables -t nat -A POSTROUTING -s 10.100.100.0/24 -o "${ext_if}" -j MASQUERADE

The ufw equivalent:


## Copy the following into /etc/ufw/before.rules (see man ufw-framework, 'Port Redirections').
## The rules must be uncommented in the file, both chains go in one *nat section,
## and iptables-restore takes no backslash line continuations.
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -i brtp8888 --dport 8888 -j DNAT --to-destination 127.0.0.1:8888
# external interface (ext_if above)
-A POSTROUTING -s 10.100.100.0/24 -o enp8s8 -j MASQUERADE
COMMIT

ufw allow in on "${bridge}" from 10.100.100.0/24 proto tcp

See also this post: Firejail and connecting to the Internet through a host OpenVPN client.


If someone can explain why creating a bridge as outlined above, opening a sandbox running Firefox with --net=br1, and setting Firefox's HTTP proxy to the gateway IP (i.e., br1, any port) also works, I'd be interested to know.
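As an added example (editor's code, not part of the original question or answer), the following POSIX shell script audits the three things the answer's setup depends on: the DNAT rule in the nat table, route_localnet on the bridge, and the tinyproxy Allow line. It also reports whether the PREROUTING rule carries a --dport match: the shell version of the rule above has none, so every TCP connection entering the bridge is rewritten to 127.0.0.1:8888 whatever port the client asked for (the ufw version is scoped to --dport 8888). That unscoped rewrite is consistent with the observation that "any port" works in the Firefox experiment, and it is worth knowing about because the proxy then receives traffic that was never meant for it. Each check takes its input as text, so the functions can be fed live output (iptables-save -t nat, sysctl, /etc/tinyproxy.conf) or the constructed samples at the bottom, which are made up for the example and not captured from a real host. Bridge name, port and subnet follow the answer.

```shell
#!/bin/sh
# Audit helpers for the bridge -> tinyproxy redirect. Added example, not from
# the original post. All inputs are passed as text so this runs offline.
# (Functions use globals; POSIX sh has no 'local'.)

# Is there a PREROUTING DNAT rule from bridge $2 to 127.0.0.1:$3?
# $1 = output of `iptables-save -t nat`
has_dnat_rule() {
    printf '%s\n' "$1" | grep -Eq -e "^-A PREROUTING .*-i $2 .*-p tcp .*-j DNAT --to-destination 127\.0\.0\.1:$3\$"
}

# Is that DNAT rule limited with --dport $3, or does it catch every TCP
# connection from the bridge (the shell rule in the answer has no --dport)?
dnat_rule_is_scoped() {
    printf '%s\n' "$1" \
        | grep -E -e "^-A PREROUTING .*-i $2 .*-j DNAT --to-destination 127\.0\.0\.1:$3\$" \
        | grep -q -e "--dport $3"
}

# route_localnet must be 1 on the bridge, otherwise a packet DNATed to
# 127.0.0.1 is discarded as a martian. $1 = `sysctl net.ipv4.conf.<bridge>.route_localnet`
route_localnet_enabled() {
    printf '%s\n' "$1" | grep -q -e "^net\.ipv4\.conf\.$2\.route_localnet = 1\$"
}

# tinyproxy only serves clients it is told to Allow. $1 = tinyproxy.conf text,
# $2 = subnet (dots are left unescaped; fine for a config check).
tinyproxy_allows() {
    printf '%s\n' "$1" | grep -Eq -e "^[[:space:]]*Allow[[:space:]]+$2\$"
}

# Run every check, print one line each, return the number of failed checks.
# audit NAT_TEXT SYSCTL_TEXT TINYPROXY_CONF BRIDGE PORT SUBNET
audit() {
    nat="$1" sysctl_out="$2" conf="$3" bridge="$4" port="$5" net="$6"
    fails=0
    if has_dnat_rule "$nat" "$bridge" "$port"; then
        echo "ok   DNAT $bridge -> 127.0.0.1:$port present"
    else
        echo "FAIL no DNAT rule for $bridge"; fails=$((fails + 1))
    fi
    if dnat_rule_is_scoped "$nat" "$bridge" "$port"; then
        echo "ok   DNAT limited to --dport $port"
    else
        echo "FAIL DNAT has no --dport: every TCP connection from $bridge is sent to the proxy"; fails=$((fails + 1))
    fi
    if route_localnet_enabled "$sysctl_out" "$bridge"; then
        echo "ok   route_localnet=1 on $bridge"
    else
        echo "FAIL route_localnet is not 1 on $bridge (DNAT to 127.0.0.1 will be dropped)"; fails=$((fails + 1))
    fi
    if tinyproxy_allows "$conf" "$net"; then
        echo "ok   tinyproxy allows $net"
    else
        echo "FAIL tinyproxy.conf lacks 'Allow $net'"; fails=$((fails + 1))
    fi
    return "$fails"
}

# --- constructed sample inputs (not captured from a real machine) ---
PAGE_NAT='# Generated by iptables-save
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i brtp8888 -p tcp -j DNAT --to-destination 127.0.0.1:8888
-A POSTROUTING -s 10.100.100.0/24 -o enp8s8 -j MASQUERADE
COMMIT'
SCOPED_NAT='*nat
-A PREROUTING -i brtp8888 -p tcp -m tcp --dport 8888 -j DNAT --to-destination 127.0.0.1:8888
-A POSTROUTING -s 10.100.100.0/24 -o enp8s8 -j MASQUERADE
COMMIT'
SYSCTL_ON='net.ipv4.conf.brtp8888.route_localnet = 1'
CONF_OK='Port 8888
Allow 127.0.0.1
Allow 10.100.100.0/24'

echo "== nat rules as given in the answer's shell snippet =="
audit "$PAGE_NAT" "$SYSCTL_ON" "$CONF_OK" brtp8888 8888 10.100.100.0/24 || echo "-> $? check(s) failed"
echo "== nat rule scoped with --dport (ufw variant) =="
audit "$SCOPED_NAT" "$SYSCTL_ON" "$CONF_OK" brtp8888 8888 10.100.100.0/24 || echo "-> $? check(s) failed"
```

On a live host, feed the functions real data, e.g. `audit "$(iptables-save -t nat)" "$(sysctl net.ipv4.conf.brtp8888.route_localnet)" "$(cat /etc/tinyproxy.conf)" brtp8888 8888 10.100.100.0/24`. The exit status is the failure count, so it drops straight into a cron job or a post-setup check.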

