[Privoxy-users] Privoxy on router firmwares poses a huge security risk
Lee
ler762 at gmail.com
Sun Jan 5 20:55:24 UTC 2020
On 1/3/20, richard lucassen wrote:
> On Wed, 1 Jan 2020 17:59:55 -0500
> Lee wrote:
>
>> > Disclaimer: not tested, just my 2 cts.
>>
>> & my own disclaimer - I've never used iptables
>>
>> If you can have rules for after the routing decision has been made and
>> you can tell if the traffic came from privoxy, it seems like you could
>> do something simpler like
>>
>> -- allow traffic from privoxy back 'inside'
uhmm.. on second thought, it's already going to go 'inside' so there's
no need to add a rule to allow what's going to happen anyway
>> -- policy based routing: privoxy -> internet traffic is redirected
>> out the vpn interface
>> output interface == wan0 (connection to the isp) AND -m owner
>> --uid-owner privoxy then redirect to tun1 (vpn connection)
>
> Wouldn't it be simpler to bind privoxy to its own ip address, e.g.
> 192.168.1.2, and use pbr?
>
> ip rule add from 192.168.1.2 lookup 10
>
> ip route add 192.168.2.0/24 dev eth1 table 10 # internal network
> ip route add 192.168.1.0/24 dev eth0 table 10 # external network
> ip route add default via 192.168.1.254 dev eth0
I think "simpler" would be adding just one more iptables rule :)
Everything seems to be working for the OP except that privoxy ->
internet traffic _doesn't_ go out via the vpn.
My understanding is that with a vpn configured on the router, traffic
going through the router (ie traffic coming from the internal network
going out to the internet) is sent via the vpn interface but traffic
sourced by the router, destined for the internet, is sent via the wan
interface (isp connection).
So if you install privoxy and a vpn on the router, any
privoxy->internet traffic is sent via the wan interface & the OP wants
privoxy->internet traffic to be sent via the vpn.
If iptables can tell which internal process a packet came from, it
seems like the easiest solution is to
- wait until the routing decision has been made (ie. is the packet
going to be sent to the internal network or the internet?)
- redirect traffic coming from privoxy, destined for the internet, out
the vpn interface.
and no need to configure/troubleshoot multiple addresses and multiple
routing tables on the router :)
OTOH, if redirecting traffic from privoxy to the vpn doesn't work then
maybe the next best solution would be to put privoxy on a separate ip
address and configure a routing table just for privoxy.
Regards,
Lee
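The owner-match plus policy-routing approach Lee sketches above, written out as a runnable script. This is an added example, not code from the thread or from the Privoxy project, and every name in it is an assumption: privoxy runs as the Unix user "privoxy", the ISP uplink is wan0, the VPN tunnel is tun1, the LAN is 192.168.2.0/24, and fwmark 0x50 / routing table 100 are free on the box. Beyond the bare redirect, it adds the two things the subject line of this thread is really about: a fail-closed route so privoxy traffic is dropped rather than leaked to the ISP when the tunnel goes down, and a filter rule that refuses privoxy packets on wan0 outright.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread or the Privoxy project).
# Routes packets that the router's own privoxy process originates out the VPN
# tunnel, and refuses to let them fall back to the ISP uplink if the tunnel drops.
# Assumed names (change to match your router): privoxy runs as Unix user
# "privoxy", ISP uplink wan0, VPN tunnel tun1, LAN 192.168.2.0/24.
set -eu

PRIVOXY_USER=${PRIVOXY_USER:-privoxy}
WAN_IF=${WAN_IF:-wan0}
VPN_IF=${VPN_IF:-tun1}
LAN_NET=${LAN_NET:-192.168.2.0/24}
FWMARK=${FWMARK:-0x50}   # assumed free mark value; must not clash with other marks
TABLE=${TABLE:-100}      # assumed free routing table id

# run CMD...: execute the command, or only print it when DRY_RUN=1 so the
# rules can be reviewed before touching a live router.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

apply_privoxy_vpn_routing() {
    # 1. Mark packets generated by the privoxy uid. The owner match only exists
    #    in the OUTPUT chain (locally generated packets), so LAN->internet
    #    transit traffic is untouched. Replies back to LAN clients and loopback
    #    traffic stay unmarked and keep using the main routing table.
    run iptables -t mangle -A OUTPUT ! -o lo ! -d "$LAN_NET" \
        -m owner --uid-owner "$PRIVOXY_USER" -j MARK --set-mark "$FWMARK"

    # 2. Marked packets are re-routed through our own table, which points at
    #    the tunnel (the kernel re-runs the route lookup after mangle OUTPUT
    #    changes the mark).
    run ip rule add fwmark "$FWMARK" lookup "$TABLE" priority 1000
    run ip route add default dev "$VPN_IF" table "$TABLE"

    # 3. Fail closed. When tun1 goes down the kernel removes the route above and
    #    an empty table would fall through to the main table, i.e. wan0. A
    #    worse-metric prohibit route keeps the table non-empty, so the packet is
    #    rejected instead of leaking to the ISP.
    run ip route add prohibit default table "$TABLE" metric 1000

    # 4. Belt and braces in the filter table: the filter OUTPUT chain runs after
    #    the re-route, so -o reflects the final interface. Even if the policy
    #    routing is broken, privoxy packets may never leave via wan0.
    run iptables -A OUTPUT -o "$WAN_IF" -m owner --uid-owner "$PRIVOXY_USER" \
        -j REJECT --reject-with icmp-admin-prohibited

    # 5. Source address selection happened at connect() time, before the mark
    #    was set, so the packet still carries the wan0 address. NAT it to the
    #    tunnel address or the VPN peer will discard it.
    run iptables -t nat -A POSTROUTING -o "$VPN_IF" -j MASQUERADE
}

# Ask the kernel which interface a marked packet to a public address would use.
# Prints the device and returns non-zero if it is not the tunnel (with the
# tunnel down the prohibit route makes "ip route get" fail, which also counts).
verify_privoxy_route() {
    dev=$(ip -4 route get 1.1.1.1 mark "$FWMARK" 2>/dev/null \
          | sed -n 's/.* dev \([^ ]*\).*/\1/p')
    printf 'marked traffic leaves via: %s\n' "${dev:-<none>}"
    [ "$dev" = "$VPN_IF" ]
}

# Run as root with PRIVOXY_PBR_APPLY=1 to install the rules and verify them;
# by default the script only prints what it would do.
if [ "${PRIVOXY_PBR_APPLY:-0}" = 1 ]; then
    apply_privoxy_vpn_routing
    verify_privoxy_route
else
    DRY_RUN=1
    apply_privoxy_vpn_routing
fi
```

Two caveats worth keeping in mind. The rules are appended with -A, so an existing ACCEPT earlier in the filter OUTPUT chain would shadow the REJECT; check with iptables -L OUTPUT -v -n after applying. And the owner match covers only what privoxy itself originates: if the router also forwards LAN traffic and that is already routed via the VPN, the MASQUERADE on tun1 is probably present and the duplicate can be dropped.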