Because the rule
iptables -A OUTPUT -o eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
with a DROP policy on the OUTPUT chain requires two things which are highly relevant here:
- The connection must already have been established
- The source port must be 80/tcp
Source ports below 1024 are privileged, and generally aren't used for outgoing connections even when the socket-owning process is running as root. You are more likely to see a high source port number going out; well above 30000 seems to be common.
There is also no way to establish a connection, since the only outgoing traffic that is allowed must be related to an already established connection.
Hence, in practice, nothing can match this rule.
Try instead:
iptables -A OUTPUT -o eth0 -p tcp --dport 80 -j ACCEPT
which should allow any outbound connections to destination TCP port 80 where the traffic is routed through eth0, which is much more in line with what you want.
And then as has been pointed out, don't forget about HTTPS, DNS, ...
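As an added illustration (not part of the answer above), a small Python model of the OUTPUT chain with a DROP policy and a conntrack table for locally originated flows: the first packet of any outbound flow is NEW and carries an ephemeral source port (constructed here as 40000), so the --sport 80 / ESTABLISHED rule never fires and no flow can ever become ESTABLISHED, while the --dport 80 rule accepts the same traffic.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Packet:
    proto: str
    sport: int
    dport: int
    out_iface: str = "eth0"

@dataclass
class Rule:
    """One OUTPUT rule: None means the option was not given (matches anything)."""
    out_iface: Optional[str] = None   # -o
    proto: Optional[str] = None       # -p
    sport: Optional[int] = None       # --sport
    dport: Optional[int] = None       # --dport
    state: Optional[str] = None       # -m state --state
    target: str = "ACCEPT"            # -j

    def matches(self, pkt, ct_state):
        return all((self.out_iface in (None, pkt.out_iface),
                    self.proto in (None, pkt.proto),
                    self.sport in (None, pkt.sport),
                    self.dport in (None, pkt.dport),
                    self.state in (None, ct_state)))

class OutputChain:
    """OUTPUT chain, DROP policy; conntrack only for locally originated flows."""
    def __init__(self, rules):
        self.rules, self.conntrack = rules, {}

    def send(self, pkt):
        flow = (pkt.proto, pkt.sport, pkt.dport)
        ct_state = self.conntrack.get(flow, "NEW")   # first packet of a flow is NEW
        verdict = next((r.target for r in self.rules if r.matches(pkt, ct_state)), "DROP")
        if verdict == "ACCEPT":
            self.conntrack[flow] = "ESTABLISHED"     # entry exists only if the SYN got out
        return verdict

def original_chain():
    # iptables -A OUTPUT -o eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
    return OutputChain([Rule(out_iface="eth0", proto="tcp", sport=80, state="ESTABLISHED")])
def fixed_chain():
    # iptables -A OUTPUT -o eth0 -p tcp --dport 80 -j ACCEPT
    return OutputChain([Rule(out_iface="eth0", proto="tcp", dport=80)])

def browse(chain, n=3):
    """Client fetching a page: constructed ephemeral sport 40000, dport 80, n packets."""
    return [chain.send(Packet("tcp", sport=40000, dport=80)) for _ in range(n)]
```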
Assuming you mean to access an external SOCKS proxy from Windows, here you go. If you meant setting up an SSH server in Windows, Cygwin can do this with sshd.
In Windows, Cygwin makes this easy, but if you don't have Cygwin already, here are PuTTY instructions.
Set it up like this:
replace port 2222 with 22 or whatever your port for SSH is. Leaving it blank should work too. 22 is the default, but I had it on a non-standard port. Replace 127.0.0.1 here with your actual address.
Here, LEAVE the 127.0.0.1 where it is. It is SUPPOSED to be there. You can change 8080 to whatever port you want the SOCKS proxy on.
Be sure to set the login username to whatever yours is. Mine is 'mobile' on my iPhone, which I was using when I made this example for the Apple Stack Exchange.
If you want, you can then save a profile for this, to avoid setting it all back up each time you have a problem. This is done in the 'session' section at the very top.
Linux/Unix/BSD/Solaris/OSX/HP-UX/whatever I'm still missing
You can run ssh -D 8080 user@address
Now, you need to open your web browser of choice; I use Firefox, so I will use it as an example. I have used Chrome and Opera, but as I do not like them and do not currently have them installed, I cannot presently use them for an example. But you set it up as a SOCKS proxy, regardless of browser.
These screenshots were done with a forwarded X11, so the fonts are ugly, but pay it no mind.
First, go to the preferences window (tools -> options or edit -> preferences, depending on OS). Then, go to Advanced -> Network -> Settings...
Use the following configuration for the browser.
Problems and Solutions
Problem:
My app doesn't allow setting a SOCKS proxy.
Solution:
I have had this problem with games like Minecraft. Here's some fixes.
For Minecraft, I added an argument to ssh. I regularly play on the nerd.nu reddit Minecraft servers (reddit.com/r/mcpublic). Since Minecraft 1.6, SSH tunneling and SOCKS proxies set as command line arguments haven't worked. You used to be able to add the Java parameters -DSocksProxyHost=127.0.0.1 -DSocksProxyPort=8080 and it would work. Now, however, the solution isn't quite as nice, but it does work.
When you start ssh, instead of ssh -D 8080 user@address, do:
ssh -D 8080 -L 127.0.0.1:25565:p.nerd.nu:25565 user@address
Then, when you want to connect to the server, instead add the URL 127.0.0.1:25565 to your list of servers! The remote server will appear on 127.0.0.1/localhost thanks to the miracle of SSH tunneling!
For other programs/games, the same rule applies. If you can't set a SOCKS proxy and nothing else works, just add -L 127.0.0.1:<port>:<remote URL to access>:<remote port>.
There is nothing forcing you to use the same port on 127.0.0.1 that you would normally, so I could have, for example, mapped p.nerd.nu:25565 to 127.0.0.1:1025 and the game wouldn't care as long as I specified the port. Not all programs are so lenient, but it's useful to remember.
Best Answer
I have a similar set up.
wlan0 is connected to the internet (through my router) while wlan1 acts as a hotspot (Access Point) for my Android phone. wlan1 is set up with IPv4 address 10.0.0.1/24, that is, my phone gets an IP address in the 10.0.0.x range. The iptables rule I use to pass all traffic from my phone through redsocks is:
sudo iptables -t nat -A PREROUTING -s 10.0.0.0/24 -p tcp -j REDIRECT --to-ports 12345
As far as I understand it, this rule basically takes all TCP traffic from any source device with an address in 10.0.0.0/24 and redirects it to port 12345, which passes it through redsocks.