[Privoxy-users] Privoxy on router firmwares poses a huge security risk
Lee
ler762 at gmail.com
Wed Jan 1 22:59:55 UTC 2020
On 1/1/20, richard lucassen wrote:
> On Tue, 31 Dec 2019 16:45:47 -0500
> Lee wrote:
>
>> What the OP needs to do is figure out how to do pbr on traffic coming
>> from privoxy so that traffic not for the internal network goes out via
>> the vpn. But I don't know if it's possible to have a pbr rule that
>> applies only to packets coming from one specific service on the router
>> :(
>
> I don't know if this resolves OP's problem, but using "iptables" you can
> force privoxy to use a different outgoing ip, assuming that privoxy runs
> as user "privoxy". E.g. a router has ip 192.168.1.1 on outgoing
> interface eth0, just add an extra ip:
>
> ip address add 192.168.1.2/32 dev eth0
>
> then:
>
> iptables -t nat -A POSTROUTING -o eth0 -m owner --uid-owner privoxy \
> -j SNAT --to-source 192.168.1.2
>
> after that, force traffic from 192.168.1.2 to use e.g. table 10:
>
> ip rule add from 192.168.1.2 lookup 10
>
> Disclaimer: not tested, just my 2 cts.
And my own disclaimer: I've never used iptables.
If you can have rules for after the routing decision has been made and
you can tell if the traffic came from privoxy, it seems like you could
do something simpler like
-- allow traffic from privoxy back 'inside':
   if destination interface == eth0 (connection to the internal network)
   AND -m owner --uid-owner privoxy then allow
-- policy-based routing: privoxy -> internet traffic is redirected out the vpn interface:
   if output interface == wan0 (connection to the isp)
   AND -m owner --uid-owner privoxy then redirect to tun1 (vpn connection)
Lee
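The set-up sketched in this thread, written out as an added example that is not from either poster: it uses a packet mark set in mangle/OUTPUT rather than the SNAT from the quoted post, because nat/POSTROUTING runs after the routing decision and so cannot steer a locally generated packet into table 10, and it fails closed by rejecting anything from the privoxy uid that is not bound for the LAN, loopback or the tunnel. Interface names, the LAN range and the mark value are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Route privoxy's outbound traffic through
# the VPN with a fwmark: a mark set in mangle/OUTPUT makes the kernel re-route
# the packet, while nat/POSTROUTING runs after routing, so SNAT there cannot
# pick the routing table. Names and ranges below are assumptions.
LAN_IF=eth0            # internal network, as in the thread
VPN_IF=tun1            # VPN tunnel, as in Lee's sketch
LAN_NET=192.168.0.0/16 # assumed internal range, must stay off the VPN
TABLE=10               # routing table used in the quoted post
MARK=0x10              # assumed fwmark value
PRIVOXY_USER=privoxy   # uid privoxy runs as, as assumed in the thread

# Print the rule set, one command per line (order matters).
privoxy_vpn_rules() {
    cat <<EOF
ip rule add to $LAN_NET lookup main priority 100
ip rule add fwmark $MARK lookup $TABLE priority 200
ip route replace default dev $VPN_IF table $TABLE
iptables -t mangle -A OUTPUT -m owner --uid-owner $PRIVOXY_USER -j MARK --set-mark $MARK
iptables -t nat -A POSTROUTING -o $VPN_IF -j MASQUERADE
iptables -A OUTPUT -o lo -m owner --uid-owner $PRIVOXY_USER -j ACCEPT
iptables -A OUTPUT -o $LAN_IF -m owner --uid-owner $PRIVOXY_USER -j ACCEPT
iptables -A OUTPUT -o $VPN_IF -m owner --uid-owner $PRIVOXY_USER -j ACCEPT
iptables -A OUTPUT -m owner --uid-owner $PRIVOXY_USER -j REJECT
EOF
}

# With DRY_RUN set the commands are only printed; otherwise each is executed.
apply_rules() {
    if [ -n "${DRY_RUN:-}" ]; then
        privoxy_vpn_rules
        return 0
    fi
    privoxy_vpn_rules | while IFS= read -r cmd; do eval "$cmd"; done
}

# rules_mention PATTERN: succeeds if the generated rule set contains PATTERN.
rules_mention() { privoxy_vpn_rules | grep -q -- "$1"; }
```

Replies arriving on tun1 fail a strict reverse-path check because the main table would not route those sources via the tunnel; loose mode (net.ipv4.conf.tun1.rp_filter=2) is the usual fix.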