ZNHOO Whatever you are, be a good one!


  1. Real proxy

    ss (Shadowsocks), Tor, VPN, GAE, SSH tunnel etc.

    Real proxy listens on a specific [IP[:port]] for incoming request.

  2. Torify/Proxychains - direct traffic from shell

    Torify (based on torsocks) forces tcp traffic through Tor for applications without built-in proxy support (including those not supporting SOCKS proxy).

    Unfortunately, torify/torsocks is only for Tor. Proxychains is more powerful supporingt any SOCKS4a/5 or HTTP proxies. It works in dynamic, exact, or random modes. Also, it's fairly easy to define a chain of proxies - multiple proxies.

    We can create a simple .desktop file with prefix torify/usewithtor/torsocks/proxychains.

    For command line tool without GUI (i.e. wget), we just launch a sub-shell by torify bash and proxychains bash, under which all traffic goes through proxy - to proxify a shell.

    A step further, add that command to .bash_profile (login shell) or .bashrc (interactive shell). Or torify/proxychains xfce4-terminal. Each new shell is proxified.

    Attention, proxychains cannot not capture child process traffic. What was worse, detached GUI traffic cannot be caught either.

  3. Assistant proxy - direct traffic from application

    Privoxy, Foxyproxy, Autoproxy etc.

    Assistant proxy only forwards application's traffic reqeust to real proxy. Defines which traffic uses proxy and which traffic does not. For example, Foxyproxy can add a PAC list forwarding traffic to real proxy.

    Privoxy is a non-caching web proxy with advanced filtering capabilities for enhancing privacy, modifying web page data and HTTP headers, controlling access, and removing ads and other obnoxious Internet junk. Privoxy has a flexible configuration and can be customized to suit individual needs and tastes. It has application for both stand-alone systems and multi-user networks:

    1. Do NOT provide proxy functionality itself but forward HTTP traffic to other proxies, i.e. Tor, Shadowsocks, GAE etc.
    2. Applications should support HTTP proxy, i.e. browser, instant messager etc.
  4. Iptables - direct traffic through kernel.
  5. SS alone as a SOCKS proxy. Add SS to Tor as a front end proxy if no Bridges are available.

    Both are SOCKS proxy. Only applications (i.e. Firefox) that support SOCKS proxy can make use of them.

  6. Foxyproxy and Autoproxy are browser extensions while Privoxy is stand alone application. Therefore Privoxy can serve all applications (besides browser) that support HTTP proxy.

    Details on how to use Privoxy, refer to the 1st reference. For example, by Privoxy, we can direct youtube.com traffic to GAE, while sex.com traffic to Tor. Another vantange of privoxy is you can filter traffic based on domain name.

  7. Currently on my system, no extra applications (except browser) that support HTTP proxy needs proxy help. Firefox Foxyproxy has whitelist and blacklist applied to proxy. Turn on Use proxies based on their pre-defined patterns and priorities.

    Of course, if Privoxy is used, just add a new HTTP proxy entry (Privoxy default to Foxyproxy.

  8. Iptables

    Each Iptables rule is strict (specific TCP/IP values) but has wide match (many applications). An exetreme example, is forceing all system traffic to Tor/SS.

    One utility is Transparent proxy. At TCP/IP level, REDIRECT all system traffic to Tor, thus avoiding other supporting tools (Torify, Assistant proxy etc.). Additionally, we can place some traffic rule ahead of the Transparent proxy rule to not use Tor - achieving whitelist.

    Details refer to newest Iptables rule.

  9. One special case:

    In Foxyproxy, select to use Shadowsocks for all URLs. In Iptables, enable Transparent proxy! The actual traffic path:

    1. Foxyproxy modify HTTP packet to enclosed in Shadowsocks SOCKS packet;
    2. Iptables Transparent proxy. To establish Tor circuit;
    3. Shadowsocks front end proxy - Tor entry node - Tor middle nodes - Tor exit node;
    4. Shadowsocks SOCKS packet - target URL.

    So Shadowsocks is access twice in the traffic path. And target website actually sees Shadowsocks accessing its service. To avoid this, add a Iptables rule:

    -A OUTPUT -d ss-ip -p tcp -m tcp --dport ss-port -j RETURN

  10. If network connection fails, check:

    Real proxy, Torify/Torsocks, Assistant proxy, Iptables etc.

  11. Refs:
    1. 如何用 Privoxy