Best Proxy Practices (BPP!) and an update
I just want to make a quick post about best practices when running a proxy to help those on the ground in Iran get access to social networks, the outside world, and their families. It is ABSOLUTELY IMPERATIVE that this be a secure effort that is thought out and executed in the safest possible manner.
As a general rule, and I know I didn’t point this out in the original guides, all proxies should be set up with the following options in the Squid config file:
* Blocking of IRI government ipblocks [1]
* Allowing of Iran ipblocks [2]
* 10 randomly chosen inbound ports
* CONNECT support
* No X-Forwarded-For headers
* No client stats
* Logging to /dev/null
* Turn SSL off — it’s blocked from Iran anyway
If you’re running a proxy already, please change these settings. If you’re running a proxy on a default port (81/8080/8181/9090/3218) then change the port and shoot me off an e-mail at update@austinheap.com.
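One way to check an existing squid.conf against the options listed above (an added example, not the author's sample configuration or code from the original post). It covers the port, X-Forwarded-For, client-stats and logging items; the function names, finding labels and both sample configs are constructed here, and 3128 is added to the port list as Squid's stock `http_port` value.

```python
# Ports the post calls "default", plus 3128 (Squid's stock http_port value).
DEFAULT_PORTS = {81, 8080, 8181, 9090, 3218, 3128}

def parse_directives(conf_text):
    """Map directive name -> list of argument lists, skipping comments/blanks."""
    directives = {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, *args = line.split()
        directives.setdefault(name, []).append(args)
    return directives

def listening_ports(directives):
    """Ports from http_port lines: '8080', '1.2.3.4:8080', '8080 transparent'."""
    ports = set()
    for args in directives.get("http_port", []):
        if args and args[0].rsplit(":", 1)[-1].isdigit():
            ports.add(int(args[0].rsplit(":", 1)[-1]))
    return ports

def audit(conf_text):
    """Return a sorted list of findings; an empty list means the checks pass."""
    d = parse_directives(conf_text)
    ports = listening_ports(d)
    findings = [f"default-port:{p}" for p in ports & DEFAULT_PORTS]
    if len(ports) < 10:                      # the post asks for 10 inbound ports
        findings.append(f"port-count:{len(ports)}")
    # Squid defaults when a directive is absent: forwarded_for on, client_db on,
    # access_log written to disk. For on/off directives the last line wins.
    # 'off' hides the client address; 'delete' (Squid 3.1+) drops the header.
    if d.get("forwarded_for", [["on"]])[-1][:1] not in (["off"], ["delete"]):
        findings.append("forwarded_for")
    if d.get("client_db", [["on"]])[-1][:1] != ["off"]:
        findings.append("client_db")
    # access_log lines are additive, so every one must be 'none' or /dev/null;
    # a module prefix such as 'stdio:' or 'daemon:' is stripped before comparing.
    logs = d.get("access_log", [["<default>"]])
    if any(not a or a[0].split(":", 1)[-1] not in ("none", "/dev/null") for a in logs):
        findings.append("access_log")
    return sorted(findings)

# Constructed sample configs (not taken from any real proxy).
WEAK = "http_port 8080\naccess_log /var/log/squid/access.log squid\n"
HARDENED = "\n".join(
    [f"http_port {p}" for p in (20417, 23911, 27163, 31559, 35201,
                                38867, 41233, 44519, 47081, 52693)]
    + ["forwarded_for delete", "client_db off", "access_log none"])

if __name__ == "__main__":
    print("weak:", audit(WEAK))
    print("hardened:", audit(HARDENED))
```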
I will post a sample configuration file, as I know there have been a lot of concerns.
Also, I want to say sorry for not being able to respond to all the tweets and e-mails yet, although I’m going as fast as possible given all the other pressing demands! I’ve got thousands of emails to sort out, and the outpour of support and people helping out has been amazing. Together we’re capable of doing amazing things so thank you to everyone who is helping make a difference.
Thank you. Thank you. Thank you.
#allmylove2iran
[1] Based on RIPE data found on RIPE
[2] Based on Country IP data found on CountryIPBlocks
If there are going to be attacks on proxies from the IRI government sites, the correct line of defense is with firewall rules and not with a Squid ACL. So thanks to those who’ve posted instructions on adding those blocks to iptables.
I think it would be helpful if someone could post instructions for those using off-the-shelf “hardware” firewalls such as Linksys or D-Link boxes. I don’t have access to these to play with, so I can’t provide instructions beyond saying connect to your router with your web browser. You already needed to connect to it to allow port forwarding for your proxy (otherwise no one from the outside can connect), so I won’t provide those instructions. And just look for the tab or page for firewall rules. You might have to enter each by hand, and let’s hope that they accept CIDR format.
If others have played with these firewall/router thingies and can be more specific about what does and doesn’t work (and where to look for things) please enlighten us.
by: Jeffrey Goldberg, Jun 22nd at 6:14 pm
Hey, this guide seems like it was written for the computer literate. I have about 200 coworkers (I’m not kidding) who all would like to set up a proxy, as well as myself, but we seem to not be able to make any sense of the guide. If anybody else could PLEASE email me directions that explain it for idiots like myself, send it to t.ilton.s.tudent[at]gmail.com (all those periods are actually there)
by: Curtis, Jun 22nd at 10:28 pm
Austin:
Thank you for posting an excellent response to the current internet access plight of the Iranian people. Your blog has resulted in nearly 500 new visitors to Country IP Blocks in the past few days. As a result we are making our network access lists for the Islamic Republic of Iran more prominent.
We are also in the process of mapping the network backbone access points in Iran to see if there may be routes in and out of Iran that are not currently being filtered.
Please keep in mind that Iranian network data is subject to change, therefore it is a good idea to check our website for the latest updates.
Thanks again for mentioning us in your post.
by: Stewart, Jun 23rd at 1:43 pm
Curtis, others: if you are not computer literate, try installing TOR, and run it as a relay. This helps Iranians get anonymous and safe internet access.
Installation is very easy, and most of the time all you have to do is click a few times.
There’s a short guide, including pictures, at:
http://iansbrain.com/2009/06/15/tor-and-the-iranian-election/
Good luck!
Mohsen
by: MR, Jun 24th at 8:12 am
If the http://www.catb.org/esr/nedanet/squid.conf conf file was used then I assume all of the above options in the conf are fixed?
by: efx, Jun 24th at 5:49 pm
An easier way to set up a proxy on a Windows computer:
http://www.surfazad.com/howto_setup_proxy.php
Please make sure you have at least a cable connection and leave your computer on at all times so your proxy is not down.
by: Never mind, Jun 25th at 3:56 am
Good idea Curtis. Better still: place it here so all we “idiots” can benefit from it.
by: HS, Jun 27th at 1:34 am
Thank you Fidel, it’s useful.
by: Proxy45, Jun 27th at 2:28 am
Nice blogpost, good looking website, added it to my favs.
by: amuddigundell, Nov 24th at 8:02 pm