On Fri, Dec 01, 2017 at 02:46:55AM -0800, pr0xy wrote:
> On 2017-12-01 10:30, awokd wrote:
> > On Thu, November 30, 2017 22:36, pr0xy wrote:
> >
> >> Specifically I need to pass HTTP, HTTPS and FTP through the corporate proxies. I modified your example to this:
> >>
> >> iptables -t nat -I PREROUTING -i vif+ -p tcp --dport 80:443 -j DNAT --to proxy.example.com:8080
> >> iptables -t nat -I PREROUTING -i vif+ -p tcp --dport 21 -j DNAT --to proxy.example.com:10021
> >>
> >> I placed that in the /rw/config/rc.local of sys-net and made it executable. Rebooting the machine shows that it's persistent, and they show up in the PREROUTING section when I check
> >> iptables --table nat --list
> >>
> >> Problem is that AppVMs connected to the sys-firewall > sys-net don't seem to take advantage of those settings. For example, I can't use Firefox to connect to internet sites without manually setting the proxy in the browser. Likewise, TemplateVMs with the same routing can't update.
> >
> > Might depend on how that corporate proxy is configured. For example, if it requires authentication. How friendly/linux savvy are the people who admin it?
>
> I'm the first person to run anything non-Windows in this network, so this is new territory. It's a Squid 3.3.8 proxy for HTTP and HTTPS. The FTP proxy is something else. There are no usernames or passwords required for the proxy.
>
> They gave me all the settings and told me to work it out if I want to use Qubes, so that's what I'm trying to do...
>
> >> Should I instead be making these iptables settings in a ProxyVM, and connect like: AppVM/StandaloneVM/TemplateVM > ProxyVM > sys-firewall > sys-net?
> >
> > This would be my approach for flexibility but either should work.
>
> All the documentation I'm seeing makes me think it should work as well.
>
> I'm not looking into the option of setting environment variables on each template to see if that might work. So far the only other option that has worked is to manually set the proxy in each piece of software, in each AppVM.
The above iptables example will not work in most cases: an HTTP direct connection and an HTTP proxy connection have some differences. The client application must be aware that an HTTP proxy is being used. There are two options:

1. Set up a ProxyVM with some application that will intercept all the connections and wrap them into HTTP proxy connections. Tor can do that, but as a side effect you'll get all your traffic through Tor. You can also set up some HTTP proxy in transparent mode (at least Squid supports that).

2. Configure each application, in each VM, to use the HTTP proxy. This may sound laborious, but in fact it is not: you can set the http_proxy and https_proxy variables in your template(s), and all VMs based on them will pick them up automatically. Just create /etc/profile.d/proxy.sh and export the appropriate variables from there.

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
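As an added example (not code from this thread, from Qubes or from Squid), a POSIX shell script that renders and validates the /etc/profile.d/proxy.sh described in option 2 before installing it into a template. It assumes the thread's placeholder proxy.example.com with the HTTP/HTTPS port 8080 and FTP port 10021 taken from the quoted iptables rules; the ftp_proxy and no_proxy variables and the uppercase duplicates are additions beyond the two variables the message names.

```shell
#!/bin/sh
# Added example, not from the thread: build the /etc/profile.d/proxy.sh that
# option 2 describes and check it before installing it.
# proxy.example.com:8080 (HTTP/HTTPS) and :10021 (FTP) are the placeholders
# from the quoted iptables rules; replace them with the corporate values.
PROXY_HOST="${PROXY_HOST:-proxy.example.com}"
HTTP_PORT="${HTTP_PORT:-8080}"
FTP_PORT="${FTP_PORT:-10021}"
# Destinations that bypass the proxy (assumed, not named in the message).
# localhost is the only safe default; add internal hosts the proxy cannot reach.
NO_PROXY_LIST="${NO_PROXY_LIST:-localhost,127.0.0.1}"

# Print the proxy.sh contents for the given host and ports. Lowercase and
# uppercase names are both exported because tools disagree on which they read.
# https_proxy still uses an http:// URL: the client speaks plain HTTP (CONNECT)
# to the proxy and the TLS session runs end to end inside that tunnel.
render_proxy_sh() {
    host=$1; http_port=$2; ftp_port=$3; no_proxy_list=$4
    cat <<EOF
# Corporate proxy settings, sourced by login shells from /etc/profile.d/
export http_proxy="http://${host}:${http_port}"
export https_proxy="http://${host}:${http_port}"
export ftp_proxy="http://${host}:${ftp_port}"
export no_proxy="${no_proxy_list}"
export HTTP_PROXY="\$http_proxy" HTTPS_PROXY="\$https_proxy"
export FTP_PROXY="\$ftp_proxy" NO_PROXY="\$no_proxy"
EOF
}

# Source a generated file in a subshell and confirm the variables resolve to a
# well-formed proxy URL with both spellings in agreement. Returns 0 if usable.
check_proxy_sh() {
    ( . "$1" \
      && [ "$http_proxy" = "$HTTP_PROXY" ] \
      && [ "$https_proxy" = "$HTTPS_PROXY" ] \
      && echo "$http_proxy" | grep -Eq '^http://[^/:]+:[0-9]+$' )
}

# Render, validate, then install with mode 0644 (world-readable is fine: the
# file carries no credentials, which is why this suits a proxy that needs none).
# sudo resets the environment by default, so commands run through sudo will not
# see these variables unless sudoers is configured to keep them.
install_proxy_sh() {
    target=${1:-/etc/profile.d/proxy.sh}
    tmp=$(mktemp) || return 1
    render_proxy_sh "$PROXY_HOST" "$HTTP_PORT" "$FTP_PORT" "$NO_PROXY_LIST" >"$tmp"
    check_proxy_sh "$tmp" || { rm -f "$tmp"; return 1; }
    install -m 0644 "$tmp" "$target" && rm -f "$tmp"
}
```

Run `install_proxy_sh` as root inside the template to write the real file, or `install_proxy_sh ./proxy.sh` to inspect the output first; a new login shell (or `. /etc/profile.d/proxy.sh`) is needed before existing sessions see the variables.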