On Wed, Nov 29, 2017 at 03:12:46PM -0800, pr0xy wrote:
> On 2017-11-27 09:33, awokd wrote:
> > On Mon, November 27, 2017 05:40, pr0xy wrote:
> >> On 2017-11-20 18:08, awokd wrote:
> >>> On Mon, November 20, 2017 10:01, pr0xy wrote:
> >>>> Please help a somewhat noob who wants to use Qubes in the office.
> >>>>
> >>>> I got the OK to try using Qubes R3.2 in my company network as a
> >>>> workstation. They have a very restrictive proxy that forces all traffic
> >>>> through an HTTP/HTTPS proxy like:
> >>>>
> >>>> proxy.example.com:8080
> >>>>
> >>>> How could I force all Qubes traffic to go through that proxy and that
> >>>> port?
> >>>>
> >>>> Would that be in sys-net, or a Firewall VM?
> >>>
> >>> Check https://www.qubes-os.org/doc/vpn/ . Ignore the parts about VPN
> >>> setup but you should be able to set up your proxy redirect in the
> >>> Proxy VM. I'm assuming local traffic like DNS lookups would not go
> >>> through the proxy.
> >>
> >> Thanks. I have been reading up on the ProxyVM, which seems to be the way
> >> I would do this, but I'm a bit confused as to where I would add these
> >> proxy settings. I'm not familiar with manipulating IP tables, or writing
> >> the sort of scripts on that page, but is that what I would need to set?
> >>
> >> I wanted to stay away from setting the environment variables for
> >> http_proxy, https_proxy, ftp_proxy and no_proxy in each VM. Ideally I
> >> think I'd like to use a ProxyVM to proxify an entire AppVM, but the
> >> documentation doesn't make it clear how I would attempt this.
> >
> > You're right, you'd need to manipulate IP tables. There is no built in way
> > to do it with just the Qubes UI.
> >
> > See
> > https://stackoverflow.com/questions/10595575/iptables-configuration-for-transparent-proxy
> > for an example if you wanted to use the transparent proxy approach.
> > Sys-whonix is essentially a transparent proxy that forwards all traffic
> > through Tor.
> >
> > Another option could be
> > https://www.qubes-os.org/doc/config/http-filtering-proxy/ . See also
> > https://theinvisiblethings.blogspot.de/2011/09/playing-with-qubes-networking-for-fun.html
>
> I know how to manipulate a torrc file to work through my proxy. That
> works very well as I can just set HTTPProxy host[:port] and it goes.
>
> In a ProxyVM I'm a bit lost. Would I be setting Firewall rules in the
> VM, or adding a network connection and manipulating that? I'm not clear
> where I would be manipulating the IP Tables.
You say you want ALL traffic to go through the proxy, but I'm guessing that
there is a local DNS server on the network. The first thing is to be clear
about what services are to pass through the proxy.

Then the simplest way to get what you want is to manipulate the rules on
sys-net. If you look at the rules there you will see that traffic from
sys-firewall and below is subject to MASQUERADE in the nat table, and
everything originating from vif interfaces outbound is allowed in the
FORWARD chain.

So if you want to direct http traffic through the proxy just insert a rule
in the PREROUTING chain like this:

iptables -t nat -I PREROUTING -i vif+ -p tcp --dport 80 -j DNAT --to proxy.example.com:8080

You can set this in /rw/config/rc.local - remember to chmod that file.
Look at https://www.qubes-os.org/doc/firewall/

I hope this points you in the right direction. Obviously this won't affect
traffic originating from sys-net, but then I recommend having a restrictive
OUTPUT on sys-net and sys-firewall.

unman

--
To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-users/20171130022054.uql7ofsors5jen6f%40thirdeyesecurity.org.
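As an added worked example (not part of the thread above and not Qubes project code), here is what a complete /rw/config/rc.local on sys-net built around unman's DNAT rule could look like. Two practical caveats it encodes: the DNAT target (--to-destination) takes an IP address, not a hostname, so resolve proxy.example.com once and put the address in the script (10.0.0.5 and 8080 below are assumed placeholder values); and only plain HTTP on port 80 is intercepted, because a TLS client on 443 would send the proxy a ClientHello where a forward proxy expects a CONNECT request. The proxy must also accept origin-form requests (what Squid calls intercept mode); a forward proxy that insists on absolute URIs will reject redirected traffic. The rule is inserted idempotently with iptables -C so re-running rc.local does not stack duplicates, and the firewall is only touched when the script is invoked as root with the argument "apply", so the rule-generating functions can be inspected without changing anything. Return traffic is handled by conntrack and the MASQUERADE rule sys-net already has; nothing here affects DNS or traffic originating from sys-net itself.

```shell
#!/bin/sh
# Example /rw/config/rc.local for sys-net (added illustration, not from the thread).
# Assumed, hypothetical values: proxy.example.com resolves to 10.0.0.5, port 8080.
# DNAT --to-destination needs an IP, so the name is resolved out of band.
PROXY_IP="${PROXY_IP:-10.0.0.5}"
PROXY_PORT="${PROXY_PORT:-8080}"
# Ports to intercept. Keep this to plain HTTP: TLS on 443 cannot be
# DNATed into a forward-proxy port, the proxy would expect CONNECT.
PROXY_PORTS="${PROXY_PORTS:-80}"

# Rule specification for one port: TCP arriving from any downstream qube
# (vif+ interfaces) on that port is DNATed to the proxy. The same spec is
# used for -C (check) and -I (insert) so the rule is never duplicated.
rule_spec() {
    printf 'PREROUTING -i vif+ -p tcp --dport %s -j DNAT --to-destination %s:%s' \
        "$1" "$PROXY_IP" "$PROXY_PORT"
}

# The idempotent shell line for one port, as it would appear in rc.local.
rule_line() {
    spec="$(rule_spec "$1")"
    printf 'iptables -t nat -C %s 2>/dev/null || iptables -t nat -I %s\n' \
        "$spec" "$spec"
}

# One line per configured port; handy for reviewing what will be applied.
all_rule_lines() {
    for p in $PROXY_PORTS; do
        rule_line "$p"
    done
}

# Install the rules. Word-splitting of $spec is intentional here.
apply_rules() {
    for p in $PROXY_PORTS; do
        spec="$(rule_spec "$p")"
        # shellcheck disable=SC2086
        iptables -t nat -C $spec 2>/dev/null || iptables -t nat -I $spec
    done
}

# Only touch the firewall when explicitly asked to, and only as root.
if [ "${1:-}" = "apply" ]; then
    if [ "$(id -u)" -ne 0 ]; then
        echo "apply must run as root" >&2
        exit 1
    fi
    apply_rules
fi
```

To use it on sys-net, save the script as /rw/config/rc.local, make it executable (the chmod unman mentions), and have rc.local call apply_rules at the end (or run it as `sh /rw/config/rc.local apply`). Running `all_rule_lines` first shows exactly which iptables commands will be issued. Because the rule matches only -i vif+ and tcp dport 80, DNS to the local resolver and any traffic that sys-net itself originates are left alone, which is why a restrictive OUTPUT chain on sys-net remains a separate job.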