Linux – How to set up a hotspot with socks5 proxy

iptableslinuxnetworkingPROXYsocks

I have a laptop with linux installed on it. The laptop has two network interfaces: eth0 and wlan0. Normally I surf the Internet through eth0, and I've successfully set up a hotspot in linux for my kindle to use. Important codes are as follows:

# Enable NAT
sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# Run access point daemon
sudo hostapd /etc/ap-hotspot.conf

Usually I would like to surf the Internet through an encrypted socks5 proxy: 127.0.0.1:10000, and I want the proxy system-wide, so I installed redsocks, which can redirect all the TCP connections to the socks5 proxy. Important codes are as follows:

#redsocks requires all the data to be redirected to port 12345, and the socks5 address and port(127.0.0.1:10000) has been written to redsocks's configuration file.
sudo iptables -t nat -A OUTPUT -p tcp -j REDIRECT --to-port 12345

So far, It seems everything works great. My kindle can connect to the hotspot, and I can surf the Internet through a system-wide proxy in linux. The problem is, my kindle bypasses the socks5 proxy and connects to the Internet directly. So how to make my kindle go through the proxy when using the hotspot? I mean, how to do it in linux, because there's no way to set up a proxy in my kindle.

Best Answer

I have a similar set up. wlan0 is connected to the internet (through my router) while wlan1 acts as a hotspot (Access Point) for my Android phone. wlan1 is set up with ipv4 address 10.0.0.1/24 that is my phone gets ip address in the 10.0.0.x range.

The iptables rule I use to pass all traffic from my phone through redsocks is:

sudo iptables -t nat -A PREROUTING -s 10.0.0.0/24 -p tcp -j REDIRECT --to-ports 12345

As far as I understand it this rule basically takes all tcp traffic from any source device with address 10.0.0.0/24 and redirects it to the 12345 port which passes it through redsocks.

Related Solutions

Linux – iptables: Allow only HTTP access for web browsing

Because the rule

iptables -A OUTPUT -o eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT

with a DROP policy on the OUTPUT chain requires two things which are highly relevant here:

The connection must already have been established
The source port must be 80/tcp

Source ports below 1024 are privileged, and generally aren't used for outgoing connections even when the socket owning process is running as root. You are more likely to see a high source port number going out, well above 30000 seems to be common.

There is also no way to establish a connection, since the only outgoing traffic that is allowed must be related to an already established connection.

Hence, in practice, nothing can match this rule.

Try instead:

iptables -A OUTPUT -o eth0 -p tcp --dport 80 -j ACCEPT

which should allow any outbound connections to destination TCP port 80 where the traffic is routed through eth0, which is much more in line with what you want.

And then as has been pointed out, don't forget about HTTPS, DNS, ...

Windows – How to set up HTTP/SOCKS5 tunneling proxy on Windows using freeSSHd

Assuming you mean to access an external SOCKS proxy from windows, here you go. If you meant setting up a SSH server in windows, cygwin can do this with sshd.

In windows, cygwin makes this easy, but if you don't have cygwin already, here are PuTTY instructions.

Set it up like this:
replace port 2222 with 22 or whatever your port for SSH is. Leaving it blank should work too. 22 is the default, but I had it on a non-standard port. Replace 127.0.0.1 here with your actual address.

Setting up puTTY - 1

Here, LEAVE the 127.0.0.1 where it is. It is SUPPOSED to be there. You can change 8080 to whatever port you want the SOCKS proxy on.
Setting up puTTY - 2

Be sure to set the login username to whatever yours is. Mine is 'mobile' on my iphone, which I was using when i made this example for the apple stack exchange. Setting up puTTY - 3

If you want, you can then save a profile for this, to avoid setting it all back up each time you have a problem. This is done in the 'session' section at the very top.

Linux/Unix/BSD/Solaris/OSX/HP-UX/whatever I'm still missing

You can run ssh -D 8080 user@address

Now, you need to open your web browser of choice; I use firefox, so I will use it as an example. I have used chrome and opera, but as I do not like them and do not currently have them installed, I cannot presently use it for an example. But you set it up as a SOCKS proxy, regardless of browser.

These screenshots were done with a forwarded X11, so the fonts are ugly, but pay it no mind.
First, go to the preferences window (tools -> options or edit -> preferences, depending on OS). Then, go to Advanced -> Network -> Settings.... Firefox Configuration 1

Use the following configuration for the browser.
Firefox Configuration 2

Problems and Solutions

Problem:

My app doesn't allow setting a SOCKS proxy.

Solution:

I have had this problem with games like Minecraft. Here's some fixes.
For minecraft, I added a argument to ssh. I regularly play on the nerd.nu reddit minecraft servers (reddit.com/r/mcpublic). Since minecraft 1.6, SSH tunneling and SOCKS proxies set as command line arguments haven't worked. You used to be able to add java parameters -DSocksProxyHost=127.0.0.1 -DSocksProxyPort=8080 and it would work. Now, however, the solution isn't quite as nice, but it does work.

When you start ssh, instead of ssh -D 8080 user@address, do
ssh -D 8080 -L 127.0.0.1:25565:p.nerd.nu:25565 user@address.
Then, when you want to connect to the server, instead add the URL 127.0.0.1:25565 to your list of servers! The remote server will appear on 127.0.0.1/localhost thanks to the miracle of SSH tunneling!

For other programs/games, the same rule applies. If you can't set a SOCKS proxy and nothing else works, just add -L 127.0.0.1:<port>:<remote URL to access>:<remote port>.

There is nothing forcing you to use the same port on 127.0.0.1 that you would normally, so I could have, for example, mapped p.nerd.nu:25565 to 127.0.0.1:1025 and the game wouldn't care as long as I specified the port. Not all programs are so lenient, but it's useful to remember.