
Privoxy Proxy 'Transparent Mode' problem...

 
September 24, 2011 03:44 PM

derek

Member

I’m trying out the Kong Mod OpenVPN/Proxy (build 17670) on my Asus RT-N16.

Having troubles with the Privoxy transparent mode though. Works great when I have proxy settings setup on each box to 192.168.1.1:8118, but I can’t seem to get it working when no proxy is setup and checking ‘transparent mode’. Doesn’t go through the proxy at all.

Tried resetting everything, with a custom configuration and without, no luck… any suggestions?


September 27, 2011 1:46 PM

Hi derek,

transparent mode in my build works the following way. Once transparent mode is activated there will be an iptables rule in nat chain that redirects all outgoing over br0 to privoxy.
This should work for common setups. But if someone has a setup e.g. without br0 or does not use the nat feature, then this rule won't work and you have to manually create a redirecting rule specific to your setup.

A second problem could be if you are running custom firewall scripts, that delete my rule.

Anyways, even if you are creating custom rules to redirect client traffic to port 8118 on the router, you still need to activate the option for transparent mode, as this will also set accept-intercepted-requests to one; otherwise privoxy will not accept redirects.

September 27, 2011 8:41 PM

Hey, thanks for the reply Kong!

Anyway, I changed the ‘accept-intercepted-requests’ to 1… no help though.

I haven’t done anything special – this is pretty much from a stock flash. No extra firewall rules or anything. I haven’t changed anything to do with br0 or anything – and the clients are NATed.

I checked the nat rules before and after checking transparent – but nothing changes here? (maybe this is the wrong command to check)

Also, here’s the network config.  

September 28, 2011 12:43 PM

Ok, it seems like there is a bug somewhere.

Can you check the output of:

nvram get privoxy_transp_enable

it should be 1. If that is ok, then please call the privoxy startup script:

/etc/config/privoxy.startup

Now check again if:

iptables -L -t nat

lists the rule:

REDIRECT tcp -- anywhere anywhere tcp dpt:www redir ports 8118

September 28, 2011 4:25 PM

I was just able to reproduce this, it's a bug indeed.
I'll keep you updated on this.

September 28, 2011 6:37 PM

Kong said: I was just able to reproduce this, it's a bug indeed. I'll keep you updated on this.

Sounds good!

Just in case you need it, yes the output of 'nvram get privoxy_transp_enable' is '1'

Also, after running privoxy.startup it looks like the rules were inserted - and transparent mode works! So it's just not running this script on startup I'm assuming?

September 29, 2011 12:51 AM updated: September 29, 2011 12:52 AM

It has been running the script, but the script sometimes is too fast and completes before dd-wrt firewall creates its rules, so they get wiped out.

I already fixed this in my code and moved the firewall rule from the script to the proper place inside the firewall service.

Besides that, the https redirect is nonsense; this won't work. https cannot be redirected.

Thus there will be new builds by the weekend.

September 29, 2011 8:49 AM

Ok, download the updated builds: http://www.myopenrouter.com/forum/thread/31294/Kong-Mod-Update-build-17670/

September 29, 2011 8:15 PM

Kong said: Ok, download the updated builds: http://www.myopenrouter.com/forum/thread/31294/Kong-Mod-Update-build-17670/

Works! Thanks Kong!

Another question, not really related to your build... This is due to my lack of knowledge regarding iptables. But would you happen to know why the command:

iptables -I INPUT -s x.x.x.x -j DROP

Works properly when transparent mode is disabled (just drops incoming) – but when transparent mode is enabled it will block both incoming & outgoing. I have a few rules that block incoming IP blocks for certain countries – but when I enable transparent mode it will block outgoing access too, so I can’t connect to websites.

September 30, 2011 3:24 AM

This is probably a problem with the iptables script that does the country blocking. For iptables the ordering of rules is important. When a packet comes in, iptables will check the rules from top to bottom; if one rule says it's ok to pass, the rest of the rules will not be checked anymore, and if one says to drop it, it gets dropped without checking the other rules.

You can basically set the redirect rule for transparent mode in the script you use for country blocking, this would be the easiest way to influence the rule ordering.


To check what is wrong you can run:

iptables -L

iptables -L -t nat

I'd do this once after reboot with transparent mode and once without; you can then compare and check if there is some difference in ordering, besides the extra redirect rule that is inserted in transparent mode.
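
The comparison suggested in the last reply can be scripted. This is an added example, not part of the thread or of the Kong build: it ignores the transparent-mode REDIRECT rule in two saved listings and reports the first position where the remaining rule order differs. The function names and the sample listings (including the 203.0.113.0/24 documentation range) are constructed assumptions.

```sh
#!/bin/sh
# Added example: compare rule order in two saved `iptables -L` listings.

# normalize FILE: print "CHAIN: rule" per rule, in order; skip headers, blank
# lines and the transparent-mode REDIRECT rule quoted in the thread.
normalize() {
    awk '/^Chain /          { chain = $2; next }
         /^target / || !NF  { next }
         /redir ports 8118/ { next }
         { $1 = $1; print chain ": " $0 }' "$1"
}

# has_redirect FILE: succeeds if the port-80 -> 8118 REDIRECT rule is listed.
has_redirect() {
    grep -Eq '^REDIRECT +tcp .*dpt:(www|80) +redir ports 8118' "$1"
}

# first_difference WITHOUT WITH: print "same" or the first differing position.
first_difference() {
    a=$(mktemp); b=$(mktemp)
    normalize "$1" > "$a"; normalize "$2" > "$b"
    awk 'NR == FNR { off[FNR] = $0; n = FNR; next }
         $0 != off[FNR] { print FNR ": [" off[FNR] "] vs [" $0 "]"; hit = 1; exit }
         { m = FNR }
         END { if (!hit) print (m == n ? "same" : "rule count differs") }' "$a" "$b"
    rm -f "$a" "$b"
}

# Constructed sample listings, saved once without and once with transparent mode.
demo_dir=$(mktemp -d)
cat > "$demo_dir/without.txt" <<'EOF'
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
DROP       all  --  203.0.113.0/24       anywhere
EOF
cat > "$demo_dir/with.txt" <<'EOF'
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  203.0.113.0/24       anywhere
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
REDIRECT   tcp  --  anywhere             anywhere            tcp dpt:www redir ports 8118
EOF
has_redirect "$demo_dir/with.txt" && echo "redirect rule present"
first_difference "$demo_dir/without.txt" "$demo_dir/with.txt"
```

On the router, each input file would hold the output of iptables -L followed by iptables -L -t nat, saved once per mode after a reboot.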
