A Virtual Private Server (VPS) works well for setting up your own anonymous Internet browsing proxy. A VPS can cost as little as $8 a month, roughly what a private proxy or VPN provider would charge, but you are in full control of the logs and resources on the server. The server can also be used for other things besides hiding your IP when browsing the Internet, for example IRC chat through the shell with irssi or hosting a website with lighttpd.
You could also open this proxy to friends, or even set up your own anonymous proxy business open to the public. You do not need great knowledge of Unix to do this. I will write down a step-by-step tutorial; this was done on a Debian server.
1) You will need to install a proxy server on your machine. This example uses micro proxy, a small Unix-based HTTP/HTTPS proxy that runs from inetd.
privacydusk# apt-get install micro-proxy
Reading package lists… Done
Building dependency tree
Reading state information… Done
Suggested packages:
micro-httpd micro-inetd
The following NEW packages will be installed:
micro-proxy
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 9838B of archives.
After this operation, 65.5kB of additional disk space will be used.
Get:1 http://ftp.us.debian.org lenny/main micro-proxy 20021030+debian-5 [9838B]
Fetched 9838B in 0s (24.8kB/s)
Selecting previously deselected package micro-proxy.
(Reading database … 16543 files and directories currently installed.)
Unpacking micro-proxy (from …/micro-proxy_20021030+debian-5_amd64.deb) …
Processing triggers for man-db …
Setting up micro-proxy (20021030+debian-5) …
2) Install xinetd on your server:
privacydusk# apt-get install xinetd
Reading package lists… Done
Building dependency tree
Reading state information… Done
The following NEW packages will be installed:
xinetd
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 147kB of archives.
After this operation, 336kB of additional disk space will be used.
Get:1 http://ftp.us.debian.org lenny/main xinetd 1:2.3.14-7 [147kB]
Fetched 147kB in 1s (140kB/s)
Selecting previously deselected package xinetd.
(Reading database … 16548 files and directories currently installed.)
Unpacking xinetd (from …/xinetd_1%3a2.3.14-7_amd64.deb) …
Processing triggers for man-db …
Setting up xinetd (1:2.3.14-7) …
Stopping internet superserver: xinetd.
Starting internet superserver: xinetd.
Set micro proxy to run via xinetd (or inetd if you use that instead). Here is my xinetd.conf file configured to use micro proxy:
service microproxy
{
    disable = no
    # listen on loopback only; the proxy is reached through the SSH tunnel
    bind = 127.0.0.1
    socket_type = stream
    protocol = tcp
    user = root
    wait = no
    server = /usr/sbin/micro_proxy
}
# second instance of the same binary, used for HTTPS
service microproxyssl
{
    disable = no
    bind = 127.0.0.1
    socket_type = stream
    protocol = tcp
    user = root
    wait = no
    server = /usr/sbin/micro_proxy
}
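A check for the two settings in these stanzas that decide who can reach the proxy and what a flaw in it would cost: `bind` and `user`. This is an added example, not part of the original tutorial; the function names are hypothetical, and the `nobody` account in the hardened variant is an assumption (xinetd owns the listening socket, so the proxy itself should not need root).

```shell
#!/bin/sh
# Added example: audit xinetd service stanzas for network exposure and privilege.

# audit_xinetd reads xinetd configuration on stdin and prints one finding
# per line as "<service>: <problem>". No output means every stanza is bound
# to loopback and runs as a non-root user.
audit_xinetd() {
    awk '
        $1 == "service" { svc = $2; bind = ""; user = ""; next }
        # "interface" is a synonym for "bind" in xinetd.conf
        ($1 == "bind" || $1 == "interface") && $2 == "=" { bind = $3 }
        $1 == "user" && $2 == "=" { user = $3 }
        $1 == "}" && svc != "" {
            if (bind == "")
                print svc ": no bind address, listens on every interface"
            else if (bind != "127.0.0.1" && bind != "::1")
                print svc ": bound to " bind ", reachable without the SSH tunnel"
            if (user == "root")
                print svc ": runs as root"
            svc = ""
        }'
}

# The stanza from this tutorial (loopback bind, root user).
tutorial_conf() {
    printf '%s\n' 'service microproxy' '{' 'disable = no' 'bind = 127.0.0.1' \
        'socket_type = stream' 'protocol = tcp' 'user = root' 'wait = no' \
        'server = /usr/sbin/micro_proxy' '}'
}

# Constructed variant: same service under an unprivileged account.
# "nobody" is an assumed account name, not taken from the tutorial.
hardened_conf() { tutorial_conf | sed 's/^user = root$/user = nobody/'; }

# Constructed variant: the bind line is missing, so the proxy is open to anyone.
exposed_conf() { tutorial_conf | sed '/^bind = /d'; }

for conf in tutorial_conf hardened_conf exposed_conf; do
    echo "== $conf"
    "$conf" | audit_xinetd
done
```

On a server, feed it the real file instead: `audit_xinetd < /etc/xinetd.conf`. A `bind` set in a `defaults` section is not taken into account.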
3) Force xinetd to start the service for you by adding the following lines to your /etc/services file:
microproxy 2280/tcp
microproxyssl 2243/tcp
Notice that I am using port 2280 for HTTP and port 2243 for HTTPS. You can use any ports you like, but make sure they are open on your server. You will also need to comment out any existing entries in /etc/services that try to define the same service ports.
After you have modified /etc/services you will need to restart xinetd for the changes to take effect:
/etc/init.d/xinetd restart
4) Make sure the ports you want to use are open on the server. There are various methods to achieve this:
a) Install lsof and then:
lsof -i -nN -P | grep 2280
xinetd 29568 root 5u IPv4 1152793 TCP 127.0.0.1:2280 (LISTEN)
As you can see, the line shows LISTEN, which means that port 2280 is open. Change the port in the grep statement to the port you want to check.
b) You can use netstat to check for open ports:
netstat -vatn
privacydusk:/etc# netstat -vatn
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN
tcp 0 0 64.62.173.51:53 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:982 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN
tcp6 0 0 :::80 :::* LISTEN
tcp6 0 0 :::53 :::* LISTEN
tcp6 0 0 :::22 :::* LISTEN
tcp6 0 0 ::1:953 :::* LISTEN
c) Another method to check for open ports on the server is to scan yourself with nmap:
privacydusk# nmap localhost
Starting Nmap 4.62 ( http://nmap.org ) at 2009-03-30 05:21 UTC
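Knowing that a port is open is only half of the check: with `bind = 127.0.0.1` the proxy ports should be listening on loopback only, so that they are reachable through the SSH tunnel and not directly from the Internet. The following added example (not part of the original tutorial; function names and the sample lines are constructed) classifies a port from `netstat -tln` output.

```shell
#!/bin/sh
# Added example: classify how a TCP port is exposed from `netstat -tln` output.

# listener_scope PORT: reads netstat-style lines on stdin and prints
#   loopback  every listener on PORT is bound to 127.0.0.1 or ::1
#   exposed   at least one listener on PORT is bound to another address
#   closed    nothing is listening on PORT
listener_scope() {
    awk -v port="$1" '
        $6 == "LISTEN" {
            n = split($4, part, ":")          # port is the last ":" field
            if (part[n] != port) next
            host = substr($4, 1, length($4) - length(part[n]) - 1)
            found = 1
            if (host != "127.0.0.1" && host != "::1") exposed = 1
        }
        END {
            if (!found)       print "closed"
            else if (exposed) print "exposed"
            else              print "loopback"
        }'
}

# Constructed sample in the format of the netstat output above, with the two
# proxy listeners added as xinetd would create them from bind = 127.0.0.1.
sample_netstat() {
    cat <<'EOF'
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 127.0.0.1:2280 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:2243 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp6 0 0 :::22 :::* LISTEN
tcp6 0 0 ::1:953 :::* LISTEN
EOF
}

for p in 2280 2243 22 953 8080; do
    printf '%s %s\n' "$p" "$(sample_netstat | listener_scope "$p")"
done
# On a live server: netstat -tln | listener_scope 2280
```

An `exposed` result for 2280 or 2243 means anyone who can reach the server can use the proxy without the tunnel.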
5) Once you have installed micro proxy, configured xinetd and edited /etc/services you should be done on the server side. Now it is time to configure your Internet browser.
If you are using Opera 9.*, go to Tools>Preferences>Advanced>Network>Proxy Servers, then enter 127.0.0.1 port 5000 in the HTTP box and 127.0.0.1 port 5043 in the HTTPS box.
If you are using Firefox 3.* you will need to go to Tools>Options>Advanced>Settings and do exactly the same.
All that is left is to set up the tunnel from the shell. Before you start surfing with your browser, type:
ssh -L 5000:127.0.0.1:2280 -L 5043:127.0.0.1:2243 username@machine.net
Here machine.net is your hostname. You will need to change the port numbers if you are using different ones.
To surf through the SSH tunnel on a Windows machine without a shell you can use KiTTY.
Firewall: If you have iptables installed, you will need to instruct your firewall to allow traffic through those ports. The following command will open port 2280 in iptables:
iptables -A INPUT -p tcp -i eth0 --dport 2280 -j ACCEPT
To find out the list of open ports in the firewall use iptables -L:
privacydusk# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:2280
ACCEPT tcp -- anywhere anywhere tcp dpt:2243
Newsgroup dealing with port forwarding: comp.security.ssh
