How to setup a proxy for Iran citizens (for Mac!)

Currently VPNs are one of the safest methods of evading censorship. HMA has hundreds of exit nodes/countries and many ways of accessing their servers.

Update: There is now a recommended squid config file available.

Mac instructions (CONFIRMED)

1) Grab this dmg compile of Squid for OS X, and run the package inside it.

2) Look in your Applications folder for a folder called Squid. Inside THAT folder, there is a folder called etc. Inside the etc folder, there is a file called squid.conf. Open it in your text editor of choice.

3) To restrict access to people with Iranian IP addresses, find line 1885 (which is blank), just above the comment “# And finally deny all other access to this proxy”. Copy/paste this code:

acl TRUSTED src 62.60.128.0/17 62.193.0.0/19 62.220.96.0/19 77.36.128.0/17 77.77.64.0/18 77.104.64.0/18 77.237.64.0/19 77.237.160.0/19 77.245.224.0/20 78.38.0.0/15 78.109.192.0/20 78.110.112.0/20 78.111.0.0/20 78.154.32.0/19 78.157.32.0/19 78.158.160.0/19 79.127.0.0/17 79.132.192.0/19 79.170.144.0/21 79.175.128.0/18 80.66.176.0/20 80.69.240.0/20 80.71.112.0/20 80.75.0.0/20 80.191.0.0/16 80.242.0.0/20 80.253.128.0/20 80.253.144.0/20 81.12.0.0/17 81.28.32.0/20 81.28.48.0/20 81.31.160.0/20 81.31.176.0/20 81.90.144.0/20 81.91.128.0/20 81.91.144.0/20 82.99.192.0/18 82.115.0.0/19 83.147.192.0/18 84.47.192.0/18 84.241.0.0/18 85.9.64.0/18 85.15.0.0/18 85.133.128.0/17 85.185.0.0/16 85.198.0.0/18 86.109.32.0/19 87.107.0.0/16 87.247.160.0/19 87.248.128.0/19 89.144.128.0/18 89.165.0.0/17 89.221.80.0/20 89.235.64.0/18 91.98.0.0/15 91.184.64.0/19 91.186.192.0/19 91.206.122.0/23 91.208.165.0/24 91.209.242.0/24 91.212.16.0/24 91.212.19.0/24 91.212.252.0/24 92.42.48.0/21 92.50.0.0/18 92.61.176.0/20 92.62.176.0/20 93.110.0.0/16 93.190.24.0/21 94.74.128.0/18 94.101.128.0/20 94.101.176.0/20 94.101.240.0/20 94.139.160.0/19 94.182.0.0/15 94.184.0.0/17 94.232.168.0/21 94.241.128.0/18 95.38.0.0/16 95.80.128.0/18 95.81.64.0/18 95.82.0.0/18 95.82.64.0/18 95.130.56.0/21 95.130.240.0/21 188.34.0.0/16 188.93.64.0/21 188.121.96.0/19 188.121.128.0/19 188.136.128.0/17 188.158.0.0/15 193.189.122.0/23 194.225.0.0/16 195.146.32.0/19 212.16.64.0/19 212.33.192.0/19 212.50.224.0/19 212.80.0.0/19 212.95.128.0/19 212.120.192.0/19 213.176.0.0/19 213.176.32.0/19 213.176.64.0/18 213.195.0.0/18 213.207.192.0/18 213.217.32.0/19 213.233.160.0/19 217.11.16.0/20 217.24.144.0/20 217.25.48.0/20 217.64.144.0/20 217.66.192.0/20 217.66.208.0/20 217.146.208.0/20 217.172.96.0/19 217.174.16.0/20 217.218.0.0/15

4) Go to the next line, which says http_access deny all and replace it with the following: http_access allow TRUSTED

5) On line 705, change the line # cache_access_log /Applications/Squid/var/logs/access.log to cache_access_log none. This is what makes users ‘anonymous’.

6) Open up your Terminal and type sudo /Applications/Squid/sbin/squid -z. Type in your password and hit return. It should give you some output. As long as it doesn’t say “error”, you are fine. If it gives you a “squid is already running” error, try sudo /Applications/Squid/sbin/squid -k reconfigure instead.

7) Go to whatismyip.com and get your IP Address. Note it down.

Tell @austinheap on Twitter or via email the IP address you got in step seven. I’ll see that it gets to the right people. Please do not publicize your IP!

  • Michael

    What’s up with “TRUSTEDTOO” — that’s not in your other posts.

  • http://www.twitter.com/mazuhl Mazuhl

    Is there another step required to disable SSH?

  • http://www.austinheap.com/ Austin

    Sorry, I’ve twisted my Squid files into lots of permutations, it should be fixed now!

  • http://www.austinheap.com/ Austin

    I’d just move SSH to another port, /etc/ssh/sshd_config on RedHat/CentOS systems…

  • http://na rubbersou1991

    what’s a proxy and what is the terminal I am supposed to open? what am i supposed to be doing with this? i do want to help

  • Jacob

    I’ve painstakingly run through all the above steps (because this proxy stuff is not my expertise), but before I send on my IP, I am wondering if my files, computer, etc. will be protected, or if I need to enable something to do that? Thanks!

  • Lara

    Got stuck on Step 6, “open up your terminal”. Can you explain what you mean by “opening up your terminal” in simple language?

  • kyrd

    hi there … very nice idea and i’d like to support it. but it seems that something isn’t working with that IP list:

    2009/06/16 19:35:53| aclParseIpData: WARNING: Netmask masks away part of the specified IP in ’192.168.0.0/8′
    2009/06/16 19:35:53| aclParseIpData: Bad host/IP: ’93.110.0.0/’
    2009/06/16 19:35:53| parseConfigFile: line 1887 unrecognized: ’16 93.190.24.0/21 94.74.128.0/18 94.101.128.0/20 94.101.176.0/20 94.101.240.0/20 94.139.160.0/19 94.182.0.0/15 94.184.0.0/17 94.232.168.0/21 94.241.128.0/18 95.38.0.0/16 95.80.128.0/18 95.81.64.0/18 95.82.0.0/18 95.82.64.0/18 95.130.56.0/21 95.130.240.0/21 188.34.0.0/16 188.93.64.0/21 188.121.96.0/19 188.121.128.0/19 188.136.128.0/17 188.158.0.0/15 193.189.122.0/23 194.225.0.0/16 195.146.32.0/19 212.16.64.0/19 212.33.192.0/19 212.50.224.0/19 212.80.0.0/19 212.95.128.0/19 212.120.192.0/19 213.176.0.0/19 213.176.32.0/19 213.176.64.0/18 213.195.0.0/18 213.207.192.0/18 213.217.32.0/19 213.233.160.0/19 217.11.16.0/20 217.24.144.0/20 217.25.48.0/20 217.64.144.0/20 217.66.192.0/20 217.66.208.0/20 217.146.208.0/20 217.172.96.0/19 217.174.16.0/20 217.218.0.0/15′
    2009/06/16 19:35:53| Creating Swap Directories

    i tried to delete 93.110.0.0/ entry but then it complains about the following entry. maybe the list is too long?

    best regards

  • Lara

    Got it, thanks.

  • kyrd

    I had a syntax problem before – but i figured what was wrong. the ip list should be written in this format:

    acl TRUSTED src 127.0.0.1
    acl TRUSTED src 62.60.128.0/17
    acl TRUSTED src 62.193.0.0/19
    acl TRUSTED src 62.220.96.0/19
    acl TRUSTED src 77.36.128.0/17
    acl TRUSTED src 77.77.64.0/18
    acl TRUSTED src 77.104.64.0/18
    acl TRUSTED src 77.237.64.0/19
    acl TRUSTED src 77.237.160.0/19
    acl TRUSTED src 77.245.224.0/20
    acl TRUSTED src 78.38.0.0/15
    acl TRUSTED src 78.109.192.0/20
    acl TRUSTED src 78.110.112.0/20
    acl TRUSTED src 78.111.0.0/20
    acl TRUSTED src 78.154.32.0/19
    acl TRUSTED src 78.157.32.0/19
    acl TRUSTED src 78.158.160.0/19
    acl TRUSTED src 79.127.0.0/17
    acl TRUSTED src 79.132.192.0/19
    acl TRUSTED src 79.170.144.0/21
    acl TRUSTED src 79.175.128.0/18
    acl TRUSTED src 80.66.176.0/20
    acl TRUSTED src 80.69.240.0/20
    acl TRUSTED src 80.71.112.0/20
    acl TRUSTED src 80.75.0.0/20
    acl TRUSTED src 80.191.0.0/16
    acl TRUSTED src 80.242.0.0/20
    acl TRUSTED src 80.253.128.0/20
    acl TRUSTED src 80.253.144.0/20
    acl TRUSTED src 81.12.0.0/17
    acl TRUSTED src 81.28.32.0/20
    acl TRUSTED src 81.28.48.0/20
    acl TRUSTED src 81.31.160.0/20
    acl TRUSTED src 81.31.176.0/20
    acl TRUSTED src 81.90.144.0/20
    acl TRUSTED src 81.91.128.0/20
    acl TRUSTED src 81.91.144.0/20
    acl TRUSTED src 82.99.192.0/18
    acl TRUSTED src 82.115.0.0/19
    acl TRUSTED src 83.147.192.0/18
    acl TRUSTED src 84.47.192.0/18
    acl TRUSTED src 84.241.0.0/18
    acl TRUSTED src 85.9.64.0/18
    acl TRUSTED src 85.15.0.0/18
    acl TRUSTED src 85.133.128.0/17
    acl TRUSTED src 85.185.0.0/16
    acl TRUSTED src 85.198.0.0/18
    acl TRUSTED src 86.109.32.0/19
    acl TRUSTED src 87.107.0.0/16
    acl TRUSTED src 87.247.160.0/19
    acl TRUSTED src 87.248.128.0/19
    acl TRUSTED src 89.144.128.0/18
    acl TRUSTED src 89.165.0.0/17
    acl TRUSTED src 89.221.80.0/20
    acl TRUSTED src 89.235.64.0/18
    acl TRUSTED src 91.98.0.0/15
    acl TRUSTED src 91.184.64.0/19
    acl TRUSTED src 91.186.192.0/19
    acl TRUSTED src 91.206.122.0/23
    acl TRUSTED src 91.208.165.0/24
    acl TRUSTED src 91.209.242.0/24
    acl TRUSTED src 91.212.16.0/24
    acl TRUSTED src 91.212.19.0/24
    acl TRUSTED src 91.212.252.0/24
    acl TRUSTED src 92.42.48.0/21
    acl TRUSTED src 92.50.0.0/18
    acl TRUSTED src 92.61.176.0/20
    acl TRUSTED src 92.62.176.0/20
    acl TRUSTED src 93.110.0.0/16
    acl TRUSTED src 93.190.24.0/21
    acl TRUSTED src 94.74.128.0/18
    acl TRUSTED src 94.101.128.0/20
    acl TRUSTED src 94.101.176.0/20
    acl TRUSTED src 94.101.240.0/20
    acl TRUSTED src 94.139.160.0/19
    acl TRUSTED src 94.182.0.0/15
    acl TRUSTED src 94.184.0.0/17
    acl TRUSTED src 94.232.168.0/21
    acl TRUSTED src 94.241.128.0/18
    acl TRUSTED src 95.38.0.0/16
    acl TRUSTED src 95.80.128.0/18
    acl TRUSTED src 95.81.64.0/18
    acl TRUSTED src 95.82.0.0/18
    acl TRUSTED src 95.82.64.0/18
    acl TRUSTED src 95.130.56.0/21
    acl TRUSTED src 95.130.240.0/21
    acl TRUSTED src 188.34.0.0/16
    acl TRUSTED src 188.93.64.0/21
    acl TRUSTED src 188.121.96.0/19
    acl TRUSTED src 188.121.128.0/19
    acl TRUSTED src 188.136.128.0/17
    acl TRUSTED src 188.158.0.0/15
    acl TRUSTED src 193.189.122.0/23
    acl TRUSTED src 194.225.0.0/16
    acl TRUSTED src 195.146.32.0/19
    acl TRUSTED src 212.16.64.0/19
    acl TRUSTED src 212.33.192.0/19
    acl TRUSTED src 212.50.224.0/19
    acl TRUSTED src 212.80.0.0/19
    acl TRUSTED src 212.95.128.0/19
    acl TRUSTED src 212.120.192.0/19
    acl TRUSTED src 213.176.0.0/19
    acl TRUSTED src 213.176.32.0/19
    acl TRUSTED src 213.176.64.0/18
    acl TRUSTED src 213.195.0.0/18
    acl TRUSTED src 213.207.192.0/18
    acl TRUSTED src 213.217.32.0/19
    acl TRUSTED src 213.233.160.0/19
    acl TRUSTED src 217.11.16.0/20
    acl TRUSTED src 217.24.144.0/20
    acl TRUSTED src 217.25.48.0/20
    acl TRUSTED src 217.64.144.0/20
    acl TRUSTED src 217.66.192.0/20
    acl TRUSTED src 217.66.208.0/20
    acl TRUSTED src 217.146.208.0/20
    acl TRUSTED src 217.172.96.0/19
    acl TRUSTED src 217.174.16.0/20
    acl TRUSTED src 217.218.0.0/15

    http_access allow TRUSTED

    ———-
    you should probably add your own local ip – so you can test the availability of the proxy (with help of the client which can be launched via the terminal: /Applications/Squid/bin/squidclient ).

    ( PS @admin -> I accidentally posted this comment to the windows thread in the first place, sorry for that )
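
The symptom in kyrd's log (an entry cut to '93.110.0.0/' with the rest of the line rejected) and the one-entry-per-line format that resolved it, as an added example that is not part of the original post or its comments. The function names, the fixed-buffer reader model and the short sample line are assumptions made for illustration; the sample is constructed from a few ranges on the page.

```python
import ipaddress

# Constructed sample: a few ranges from the page's list, plus the entry the
# comments' logs warn about (192.168.0.0/8) and one duplicate.
SAMPLE = ("acl TRUSTED src 62.60.128.0/17 62.193.0.0/19 93.110.0.0/16 "
          "93.190.24.0/21 192.168.0.0/8 62.193.0.0/19 217.218.0.0/15")


def read_in_chunks(line, bufsize):
    """Model of a fixed-buffer, fgets-style reader: bufsize-1 chars per read.

    Assumption: a simplified model of why an over-long line can reach the
    parser in pieces; it is not Squid's parser code.
    """
    step = bufsize - 1
    return [line[i:i + step] for i in range(0, len(line), step)]


def check_entry(token):
    """Validate one src entry. Returns (entry_or_None, warning_or_None)."""
    try:
        iface = ipaddress.ip_interface(token)
    except ValueError:
        return None, f"bad host/IP: {token!r}"
    if iface.ip != iface.network.network_address:
        # Host bits are set, e.g. 192.168.0.0/8 really means 192.0.0.0/8.
        # Reject instead of widening an allow-list behind the operator's back.
        return None, f"netmask masks away part of {token!r} ({iface.network})"
    return (str(iface.network) if "/" in token else str(iface.ip)), None


def split_acl(line):
    """Rewrite 'acl NAME src A B C ...' as one 'acl NAME src X' per entry."""
    fields = line.split()
    if len(fields) < 4 or fields[0] != "acl" or fields[2] != "src":
        raise ValueError("expected: acl NAME src ADDR [ADDR ...]")
    name, lines, warnings, seen = fields[1], [], [], set()
    for token in fields[3:]:
        entry, warning = check_entry(token)
        if warning:
            warnings.append(warning)
        if entry is None or entry in seen:
            continue  # skip invalid entries and exact duplicates
        seen.add(entry)
        lines.append(f"acl {name} src {entry}")
    return lines, warnings


if __name__ == "__main__":
    # Cut the sample right after "93.110.0.0/" to reproduce the log's symptom.
    cut = SAMPLE.index("93.110.0.0/") + len("93.110.0.0/")
    first, rest = read_in_chunks(SAMPLE, cut + 1)[:2]
    print("parser sees:", repr(first.split()[-1]), "then", repr(rest[:20]))
    lines, warnings = split_acl(SAMPLE)
    print("\n".join(lines))
    for w in warnings:
        print("WARNING:", w)
```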

  • Jacob

    Can someone confirm my personal computer files and whatnot will be safe using the above directions? I don’t know anything about proxies but want to loan my IP to people in Iran and help out in whatever little way I can. Thanks!


  • michael

    i was good up to opening the terminal, but when it prompts for password, i can’t type anything… no characters. any tips?

  • Morten Vine

    I get two errors when i try this:

    “aclParseIpData: WARNING: Netmask masks away part of the specified IP in ’192.168.0.0/8′

    and then

    Creating Swap Directories
    FATAL: Failed to make swap directory /Applications/Squid/var/cache/00: (13) Permission denied
    Squid Cache (Version 2.5.STABLE10): Terminated abnormally.

    Please help us! We want to help the Iranian people by setting up proxies they desperately need but can’t understand how Squid works! Many people are not technical but still want to help. Can you post a ready-made config file? Or a precompiled program that can do this out of the box?

    Thank you for your work on this which is really great, but we just need the final 10% in order to really help them, otherwise nobody will be able to do it.

  • K

    I get the same errors as Morten Vine.

  • http://www.austinheap.com/ Austin

    Go into terminal and type

    sudo mkdir -p /Applications/Squid/var/cache/00
    sudo chmod 777 /Applications/Squid/var/cache /Applications/Squid/var/cache/00

    Hopefully that works! I’ve never seen that error though

  • ayuda

    Are we leaving the default port of 3128 ? I see others are requiring changing this.

  • ayuda

    Also, how can we email you the IP, not finding an email for you. Thanks.

  • olli

    1.

    For people wondering about the terminal instructions:

    You will find the Terminal application in Your Applications/Utilities directory.

    Open it to get to a command line, that can give Unix the instructions provided.

    Make sure you copy properly!

    2.

    For people wondering about the security of their computer: proxyservers are just a kind of relay station for people who need it. There is not a direct risk involved.

    It might help to know how It works:
    #Iranelection folks want to go to their desired blocked website, and are not able to.
    They get a relay through a proxy server, provided by Austin. They setup their browser/whole system to use the provided proxyserver. Then any website request (and other protocols if necessary) are sent to the proxy server, which will initiate the connection to the blocked website. The connection gets established and the person gets the content through the proxyserver that forwards all the blocked stuff to #iranelection folks.

    But, as always when running a server: have a proper firewall set up. If you are behind a router set it up as dns for your local network, prefer individual port forwarding settings to a default dmz server, and check your logs from time to time.

    I have a router, with dns server for my local computers. I have ports forwarded from default port numbers to internal random port numbers, have firewall in stealth mode, and I’m as safe as could be!

    But I do back up regularly in case…

  • olli

    workin on a ready made package for OS X users!

  • olli

    also not in the tutorial above:
    you’ll need to fill in the http_port line with your 10 ports, “You may specify multiple socket addresses on multiple lines”

    Check the top of the config file,
    You should have something like this:

    http_port 1
    http_port 2
    http_port 3
    http_port 4

    etc… and of course, replace 1,2,3 and 4 by random port numbers!

  • http://blogs.myspace.com/charmedguy18 Cavin G.

    Okay so I’m done with the terminal, and I still don’t know if it works. I suppose I will just send it.

  • olli

    I agree with the logging disablement not being necessary at all. By adding the following line (I have it above the portnumbers):

    client_netmask 0.0.0.0

    This way logging is done like this (I paste from my log)

    1245627093.320 7014 0.0.0.0 TCP_MISS/302 424 GET http://…(edited)…
    1245627095.569 2202 0.0.0.0 TCP_MISS/200 4765 GET http://…(edited)…
    1245627095.891 378 0.0.0.0 TCP_MISS/200 13657 GET http://…(edited)…
    1245627095.986 473 0.0.0.0 TCP_MISS/200 124465 GET http://…(edited)…

    All proxy clients are reported as 0.0.0.0

    ————–

    If you don’t have a static IP, use dyndns (http://dyndns.org) or no-ip (http://www.no-ip.com/)

    This way you direct an url to your home ip that gets updated from within your computer.

    Unless they block all the available domain types (a lot at dyndns)

    Check it out!
    —————

    Take your time setting things up!

    I’ll be posting an easy-to-edit config file tomorrow, including all relevant tips all around the blog here. And I’ll be packing a step-by-step for OSX as I said. (just gotta fix a launchdaemon)

  • limmershin

    thanks olli!
    I’m waiting for your easy-to-edit config file, as I’m dying to help, but terribly numb in all this proxy stuff…

  • jane smith

    oh my gosh, it finally works!!!
    thank you austin and olli, your combined efforts got me up and running.

    michael: re: password – it looks like nothing is happening when you type but it is actually getting it, just type it correctly and it will go through

    question: when my computer is asleep will the squid thingy still be able to run?

  • limmershin

    this is the error i keep getting with the updated config file:
    2009/06/23 20:03:51| parseConfigFile: line 298 unrecognized: ‘cache deny all’
    2009/06/23 20:03:51| parseConfigFile: line 301 unrecognized: ‘access_log /dev/null’

    (i got also the swapdirectories error, but it was fixed by the commands posted by austin)

    hope you can give me some advice

    thanks

  • limmershin

    and this is the error i keep getting using the original squid.conf with modifications

    aclParseIpData: WARNING: Netmask masks away part of the specified IP in ’192.168.0.0/8′

    (no swapdirectories problem)

    thank you

  • jane smith

    limmershin – i got those same two errors with the updated config file. i just deleted those two lines and hoped they weren’t too important. and then it worked.

  • limmershin

    jane – thanks. I deleted the lines and it doesn’t give errors anymore. It continues to fail the Proxyheap test though. For sure some problem with firewall etc from my ISP. DOH!

  • sc

    Squid set up fine; getting “fatal error: couldn’t connect to host” at proxychecker. Thoughts?

  • olli

    There’s been setup posted here:

    http://blog.austinheap.com/2009/06/22/state-of-the-iran-proxies/

    since it was there, I thought to wait to release something. Sorry for the time it is taking, but I want a proper and easy to set up solution for the Mac-fellows.

    I’m sorry to say so, but I’d really like it to be easier to browse around here, as all the info is in blog posts.

    In the meantime you can post your mac installation questions to a dedicated mail address:

    [email protected]

    but please use the browsing tips first to collect your info:

    1. Try to take a look around the posts on this blog, as the essential info is a bit scattered around.
    Check the bottom of each page here to click to a next or previous post. You will encounter some medical tips, but just click through …

    2. use the rss page feed://blog.austinheap.com/feed/ and make sure you can have an overview of 20 posts or so.

    I am not part of this website, so I cannot change the setup here.

    So long!

  • olli

    To conclude this post: check this page on this blog, it has a config file ready to be edited. And do know the haystack phenomenon is the new initiative.

    http://blog.austinheap.com/building-the-stack/

    I don’t know if any proxies of the kind talked about here are in use for the haystack network, and if setting up those is a concern in the future. If so, I want to provide serious help towards the Mac community, for simplifying things. Austin, if you read me, take direct contact to communicate and work on this together.

  • olli

    sorry, the link for the config and squid setup guide: http://blog.austinheap.com/2009/06/22/state-of-the-iran-proxies/
