On 2017-11-30 22:36, pr0xy wrote:
> On 2017-11-30 02:20, Unman wrote:
>> On Wed, Nov 29, 2017 at 03:12:46PM -0800, pr0xy wrote:
>>> On 2017-11-27 09:33, awokd wrote:
>>> > On Mon, November 27, 2017 05:40, pr0xy wrote:
>>> >> On 2017-11-20 18:08, awokd wrote:
>>> >>> On Mon, November 20, 2017 10:01, pr0xy wrote:
>>> >>>> Please help a somewhat noob who wants to use Qubes in the office.
>>> >>>>
>>> >>>> I got the OK to try using Qubes R3.2 in my company network as a
>>> >>>> workstation. They have a very restrictive proxy that forces all traffic
>>> >>>> through an HTTP/HTTPS proxy like:
>>> >>>>
>>> >>>> proxy.example.com:8080
>>> >>>>
>>> >>>> How could I force all Qubes traffic to go through that proxy and that
>>> >>>> port?
>>> >>>>
>>> >>>> Would that be in sys-net, or a Firewall VM?
>>> >>>
>>> >>> Check https://www.qubes-os.org/doc/vpn/ . Ignore the parts about VPN
>>> >>> setup but you should be able to set up your proxy redirect in the Proxy
>>> >>> VM. I'm assuming local traffic like DNS lookups would not go through the
>>> >>> proxy.
>>> >>
>>> >> Thanks. I have been reading up on the ProxyVM, which seems to be the way
>>> >> I would do this, but I'm a bit confused as to where I would add these
>>> >> proxy settings. I'm not familiar with manipulating IP tables, or writing
>>> >> the sort of scripts on that page, but is that what I would need to set?
>>> >>
>>> >> I wanted to stay away from setting the environment variables for
>>> >> http_proxy, https_proxy, ftp_proxy and no_proxy in each VM.  Ideally I
>>> >> think I'd like to use a ProxyVM to proxify an entire AppVM, but the
>>> >> documentation doesn't make it clear how I would attempt this.
>>> >
>>> > You're right, you'd need to manipulate IP tables. There is no built in way
>>> > to do it with just the Qubes UI.
>>> >
>>> > See
>>> > https://stackoverflow.com/questions/10595575/iptables-configuration-for-transparent-proxy
>>> > for an example if you wanted to use the transparent proxy approach.
>>> > Sys-whonix is essentially a transparent proxy that forwards all traffic
>>> > through Tor.
>>> >
>>> > Another option could be
>>> > https://www.qubes-os.org/doc/config/http-filtering-proxy/ . See also
>>> > https://theinvisiblethings.blogspot.de/2011/09/playing-with-qubes-networking-for-fun.html
>>>
>>> I know how to manipulate a torrc file to work through my proxy. That
>>> works very well as I can just set HTTPProxy host[:port] and it goes.
>>>
>>> In a ProxyVM I'm a bit lost. Would I be setting Firewall rules in the
>>> VM, or adding a network connection and manipulating that? I'm not clear
>>> where I would be manipulating the IP Tables.
>>
>> You say you want ALL traffic to go through the proxy, but I'm guessing
>> that there is a local DNS server on the network.
>> The first thing is to be clear about what services are to pass through
>> the proxy.
>> Then the simplest way to get what you want is to manipulate the rules on
>> sys-net.
>> If you look at the rules there you will see that traffic from
>> sys-firewall and below is subject to MASQUERADE in the nat table, and
>> everything originating from vif interfaces outbound is allowed in the
>> FORWARD chain.
>> So if you want to direct http traffic through the proxy just insert a
>> rule in the PREROUTING chain like this:
>> iptables -t nat -I PREROUTING -i vif+ -p tcp --dport 80 -j DNAT --to proxy.example.com:8080
>>
>> You can set this in /rw/config/rc.local - remember to chmod that file.
>> Look at https://www.qubes-os.org/doc/firewall/
>>
>> I hope this points you in the right direction.
>> Obviously this won't affect traffic originating from sys-net but then I
>> recommend having a restrictive OUTPUT on sys-net and sys-firewall.
>>
>> unman
> 
> Sorry, that statement about 'all' traffic was misleading. You're correct
> that DNS is handled separately. I have that set on the network
> connection of my sys-net. DNS appears to be properly passed to the
> iptables of sys-net.
> 
> Thanks for that IPtable example. I don't think I would have figured that
> out on my own. Specifically I need to pass HTTP, HTTPS and FTP through
> the corporate proxies. I modified your example to this:
> 
> iptables -t nat -I PREROUTING -i vif+ -p tcp --dport 80:443 -j DNAT --to proxy.example.com:8080
> iptables -t nat -I PREROUTING -i vif+ -p tcp --dport 21 -j DNAT --to proxy.example.com:10021
> 
> I placed that in the /rw/config/rc.local of sys-net and made it
> executable. Rebooting the machine shows that it's persistent, and they
> show up in the PREROUTING section when I check 
> iptables --table nat --list
> 
> Problem is that AppVMs connected to the sys-firewall > sys-net don't
> seem to take advantage of those settings. For example, I can't use
> Firefox to connect to internet sites without manually setting the proxy
> in the browser. Likewise, TemplateVMs with the same routing can't
> update.
> 
> Should I instead be making these iptables settings in a ProxyVM, and
> connect like: AppVM/StandaloneVM/TemplateVM > ProxyVM > sys-firewall >
> sys-net?

I've been testing with a ProxyVM without NetworkManager. I set the
iptables rules in the same fashion, but am unable to get AppVMs or templates
to connect to the internet.

I also found that updating the sys-net VM template from Fedora 23 to
Fedora 26 gives me a new option in the NetworkManager applet. There's an
option for Proxy in there now. It will accept PAC scripts (JavaScript).
I tried various scripts in there, like:

function FindProxyForURL(url, host)
{
    if (url.substring(0, 5) == "http:") {
        return "PROXY proxy.example.com:8080";
    }
    else if (url.substring(0, 4) == "ftp:") {
        return "PROXY proxy.example.com:10021";
    }
    else if (url.substring(0, 6) == "https:") {
        return "PROXY proxy.example.com:8080";
    }
    else {
        return "DIRECT";
    }
}

That doesn't seem to have an effect on anything either.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/ca49fa00258ce51b76ef99cfe8286185%40riseup.net.
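Added example (not from the thread, and not a Qubes or NetworkManager component): a PAC script is consulted by the client application that loads it, so one configured in sys-net's NetworkManager applet steers sys-net's own applications only, not traffic forwarded from AppVMs. The script below extends the thread's version with the local and intranet exclusions that the DNS discussion above calls for, plus a minimal stand-in for the PAC helper functions so it can be run and tested outside a browser; proxy.example.com, ports 8080 and 10021, the .corp.example domain, the 10/8 and 192.168/16 ranges and the DNS table are assumptions.

```javascript
// Added example. The helpers are a minimal stand-in for the functions a browser or
// pacrunner supplies to PAC scripts; only what FindProxyForURL needs is implemented.
function isPlainHostName(host) {
  return host.indexOf(".") === -1;          // "intranet", "printer01", "localhost"
}
function dnsDomainIs(host, domain) {        // suffix match, as in the reference PAC API
  return host.length >= domain.length &&
         host.substring(host.length - domain.length) === domain;
}
function ipToInt(ip) {                      // dotted quad -> unsigned 32-bit integer
  return ip.split(".").reduce((acc, o) => (acc << 8) + Number(o), 0) >>> 0;
}
// Constructed DNS table so the example runs offline. A real PAC runtime resolves via DNS,
// so every isInNet() call on a hostname costs a lookup; test literal IPs and domains first.
const FAKE_DNS = { "wiki.corp.example": "10.20.30.40" };
function dnsResolve(host) {
  return /^\d{1,3}(\.\d{1,3}){3}$/.test(host) ? host : (FAKE_DNS[host] || null);
}
function isInNet(host, pattern, mask) {
  const ip = dnsResolve(host);
  if (ip === null) return false;
  return (ipToInt(ip) & ipToInt(mask)) === (ipToInt(pattern) & ipToInt(mask));
}

// Assumed values: proxy.example.com:8080 (HTTP/HTTPS), :10021 (FTP), .corp.example intranet.
function FindProxyForURL(url, host) {
  // Local and intranet destinations bypass the proxy (the no_proxy equivalent); these
  // checks come first so internal names are never sent out through the corporate proxy.
  if (isPlainHostName(host) ||
      dnsDomainIs(host, ".corp.example") ||
      isInNet(host, "10.0.0.0", "255.0.0.0") ||
      isInNet(host, "192.168.0.0", "255.255.0.0")) {
    return "DIRECT";
  }
  // Route by scheme. The thread's script compared fixed-length prefixes; taking the text
  // before the first ":" and lower-casing it handles "HTTP://" and avoids off-by-one slices.
  const scheme = url.substring(0, url.indexOf(":")).toLowerCase();
  if (scheme === "http" || scheme === "https") {
    return "PROXY proxy.example.com:8080";
  }
  if (scheme === "ftp") {
    return "PROXY proxy.example.com:10021";
  }
  return "DIRECT";                          // anything else is not proxied
}
```

To use it, save the FindProxyForURL part as a .pac file and point the proxy setting of the VM whose own applications should be steered (its browser, or the NetworkManager Proxy tab) at that file.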