Before you begin

Running a proxy server can get you in trouble. Only do this if you know how to properly secure a server like this. Ending up on blacklists and/or being billed for huge amounts of traffic is your own responsibility, so know what you're doing. Also, this guide is built around Ubuntu; if you're using another distro, ymmv. The latest version of this document can always be found at http://r3blog.nl/iran.proxy.howto.html.

I've also packaged this for easy retrieval. Download the complete set here (md5sum, sha256sum).

Mirroring this document

Please distribute this document as widely as possible. You can use the procedure described below. First, retrieve the package:
cd /your/local/path
for FILE in iran.proxy.howto.tgz iran.proxy.howto.tgz.md5sum iran.proxy.howto.tgz.sha256sum; do
	wget http://r3blog.nl/${FILE}
done
Then, check all checksums:
md5sum -c iran.proxy.howto.tgz.md5sum
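sha256sum -c iran.proxy.howto.tgz.sha256sum
If both checksums are OK, you can proceed with extracting the package. Note that the checksum files come over plain HTTP from the same server as the package, so they detect a corrupted download, not a tampered one: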
tar xvzf iran.proxy.howto.tgz

Feedback

If you've found any errors in these documents, want to make a remark about them or just plainly rant about them, drop me an email at r3boot - AT - r3blog - DOT - nl

General configuration guidelines

The proxy will be configured with the features mentioned below.

Setting up the environment

First of all, you'll need to install squid3 and iptables. All configs and scripts are based around a set of config files, which are placed in /etc/iran. Create /etc/iran/iran_inbound_ports.txt, containing a list of ports on which the proxy will listen. Also create /etc/iran/iran_outbound_ports.txt, which contains a list of allowed outbound ports from the proxy. A sample list of ports can be found below. Be sure to add only the port number to the files; the comments are shown here just for clarity.
22	# ssh
25	# smtp
80	# http
110	# pop3
143	# imap
443	# https
465	# smtp
587	# smtp
993	# imaps
995	# pop3s
1863	# msn
5190	# icq
5191	# icq
5192	# icq
5193	# icq
5222	# jabber
5269	# jabber
6667	# irc
6697	# irc
8080	# http

You'll also need black and whitelists, which can be downloaded below:
local filename: iran_allowed.txt
Download url: iran_allowed.txt
MD5 sum: 84e6c2cc0ed3ad3ab9c4f746cf38a4df
SHA256 sum: bc0be13500c6bc1b6f0a74f8a3c1e53a126c87f224cea9f53b1471dd45b6de0f

local filename: iran_dropped.txt
Download url: iran_dropped.txt
MD5 sum: f8fc760653907d8c3805dda9a8a83e28
SHA256 sum: 89efdbfcb0598a42a55d0af8c3379d4fbfa5570e5c02536fb3a656cb429906d2

Setting up squid3

Download the following config file into /etc/squid3. Edit it, and make sure that you add http_port statements for all ports mentioned in /etc/iran/iran_inbound_ports.txt.
local filename: squid.conf
Download url: squid.conf
MD5 sum: 74b90ea3633544117f4d80b425929e06
SHA256 sum: 638fde31bea20cd7af8c6f431bc324a60789465b2348b04abe033148b4c93c3e
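
One way to check the two requirements above before starting squid, as an added example that is not part of the original package: it validates that a port list holds only bare port numbers and reports every listed port that has no http_port line. The function names and the demo input are constructed for illustration; on a real host the arguments would be /etc/iran/iran_inbound_ports.txt and /etc/squid3/squid.conf.

```shell
#!/bin/sh
# Added example, not part of the original package.

# clean_ports FILE: print one validated port per line. Drops "# comment"
# tails and blank lines; fails if any entry is not a bare number 1-65535.
clean_ports() {
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1" | {
        bad=0
        while read -r p || [ -n "$p" ]; do
            case $p in
                ''|*[!0-9]*|??????*) echo "invalid entry: $p" >&2; bad=1; continue ;;
            esac
            if [ "$p" -ge 1 ] && [ "$p" -le 65535 ]; then
                echo "$p"
            else
                echo "out of range: $p" >&2; bad=1
            fi
        done
        [ "$bad" -eq 0 ]
    }
}

# squid_ports CONF: ports named on active http_port lines, e.g.
# "http_port 80" or "http_port 0.0.0.0:443"; commented lines are ignored.
squid_ports() {
    awk '$1 == "http_port" { sub(/.*:/, "", $2); print $2 }' "$1"
}

# missing_http_ports PORTS_FILE CONF: print each listed port that has no
# http_port line. Returns 2 if the port list itself is malformed.
missing_http_ports() {
    ports=$(clean_ports "$1") || return 2
    have=$(squid_ports "$2")
    for p in $ports; do
        echo "$have" | grep -qx "$p" || echo "$p"
    done
}

# Constructed demo input: the conf fragment has 8080 commented out.
demo() {
    d=$(mktemp -d) || return 1
    printf '80\n443\n8080\n' > "$d/ports.txt"
    printf 'http_port 80\n#http_port 8080\nhttp_port 0.0.0.0:443\n' > "$d/squid.conf"
    missing_http_ports "$d/ports.txt" "$d/squid.conf"
    rm -rf "$d"
}
demo
```

An empty result from missing_http_ports means every port in the list has a matching http_port statement.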

Setting up iptables

Download the following script into /etc/init.d and modify it so that it uses your correct external interface. Once you've got it in place, enable the script to start at boot time using update-rc.d iran.iptables.sh defaults.
local filename: iran.iptables.sh
Download url: iran.iptables.sh
MD5 sum: 3e0fecd05f345e35fe369d29961fccbb
SHA256 sum: 1ce5866c99278d711948edf48088424f34a4c6e429d25961931557fcdee8310f

Testing your proxy

Before you communicate your proxy details, you need to test the proxy. Go over to http://proxyheap.austinheap.com/checker.php and run a test for every port you've specified as http_port in squid.conf.

Letting people know

It's important that you don't announce the proxy details in public. Go over to http://proxyheap.austinheap.com/phase1.php and add your proxies to the list.

Operating the proxy

Starting everything up

/etc/init.d/iran.iptables.sh start
/etc/init.d/squid3 start

Shutting everything down

/etc/init.d/squid3 stop
/etc/init.d/iran.iptables.sh start

Monitoring the proxy

Since this proxy doesn't log any access, you'll need slightly different debugging methods. Some of these are described below:

netstat -an | egrep "the|listening|ports|youve|configured"

tcpdump -ni eth0 port 1234 or port 5678 or port 9101



Last updated on Wed Jun 24 10:06:46 CEST 2009 by r3boot