[Privoxy-users] Privoxy on router firmwares poses a huge security risk

Richard Lucassen spamtrap at xaq.nl
Sat Jan 4 00:16:01 UTC 2020


On Wed, 1 Jan 2020 17:59:55 -0500
Lee <ler762 at gmail.com> wrote:

> > Disclaimer: not tested, just my 2 cts.
> 
> & my own disclaimer - I've never used iptables
> 
> If you can have rules for after the routing decision has been made and
> you can tell if the traffic came from privoxy, it seems like you could
> do something simpler like
> 
>   -- allow traffic from privoxy back 'inside'
> if destination interface == eth0 (connection to the internal network)
> AND -m owner --uid-owner privoxy then allow
> 
>   -- policy based routing:  privoxy -> internet traffic is redirected
> out the vpn interface
> output interface == wan0 (connection to the isp) AND -m owner
> --uid-owner privoxy then redirect to tun1 (vpn connection)

Wouldn't it be simpler to bind privoxy to its own ip address, e.g.
192.168.1.2, and use pbr?

ip rule add from 192.168.1.2 lookup 10

ip route add 192.168.2.0/24 dev eth1 table 10 # internal network
ip route add 192.168.1.0/24 dev eth0 table 10 # external network
ip route add default via 192.168.1.254 dev eth0 table 10 # default route for table 10

Disclaimer: not tested ;-)

-- 
___________________________________________________________________
It is better to remain silent and be thought a fool, than to speak
aloud and remove all doubt.

+------------------------------------------------------------------+
| Richard Lucassen, Utrecht                                        |
+------------------------------------------------------------------+
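As an added illustration (not from the post, and not Privoxy code), a small Python model of the rule/table lookup that the `ip rule` / `ip route` commands above set up, run over constructed `ip rule show` and `ip route show table N` output; the interface names eth0/eth1/tun1 and the VPN gateway 10.8.0.1 are assumptions. It shows the check a practitioner wants before trusting such a setup: if table 10 has no default route, Privoxy's Internet-bound traffic falls through to the main table and leaves via the ISP interface instead of the VPN.

```python
import ipaddress

# Constructed sample `ip rule show` / `ip route show table N` output, modelled on the
# post. Assumed names: privoxy on 192.168.1.2, ISP on eth0 via 192.168.1.254, LAN eth1, VPN tun1.
RULES = """\
0:      from all lookup local
32765:  from 192.168.1.2 lookup 10
32766:  from all lookup main
"""
MAIN = """\
default via 192.168.1.254 dev eth0
192.168.1.0/24 dev eth0
192.168.2.0/24 dev eth1
"""
TABLE10_AS_POSTED = "192.168.2.0/24 dev eth1\n192.168.1.0/24 dev eth0\n"
TABLE10_VIA_VPN = TABLE10_AS_POSTED + "default via 10.8.0.1 dev tun1\n"

def parse_rules(text):
    """Return (priority, source-or-'all', table) tuples in lookup order."""
    rules = []
    for prio, rest in (line.split(":", 1) for line in text.splitlines()):
        parts = rest.split()
        rules.append((int(prio), parts[1], parts[parts.index("lookup") + 1]))
    return sorted(rules)

def parse_table(text):
    """Return (network, device) pairs; 'default' becomes 0.0.0.0/0."""
    routes = []
    for parts in (line.split() for line in text.splitlines()):
        dst = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        routes.append((ipaddress.ip_network(dst), parts[parts.index("dev") + 1]))
    return routes

def egress_dev(rules, tables, src, dst):
    """Kernel-style lookup: first matching rule whose table holds a route wins."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for _, rule_src, table in parse_rules(rules):
        if rule_src != "all" and src not in ipaddress.ip_network(rule_src):
            continue
        best = max((r for r in parse_table(tables.get(table, "")) if dst in r[0]),
                   key=lambda r: r[0].prefixlen, default=None)
        if best:
            return best[1]
    return None

def privoxy_leaks(table10, bind_ip="192.168.1.2", vpn_dev="tun1"):
    """True if Internet-bound traffic from privoxy's address would not leave via the VPN."""
    tables = {"main": MAIN, "10": table10}
    return egress_dev(RULES, tables, bind_ip, "203.0.113.10") != vpn_dev
```

On a real router the same check is `ip route get 203.0.113.10 from 192.168.1.2 iif lo`, which reports the interface the kernel would actually use.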