How to set up a proxy for Iran citizens
Update 4: There is now a recommended squid config file available.
Update 3: Here’s a guide for the Windows users out there.
Update 2: I will no longer be posting proxies on the public list. If you set one up, please e-mail me@austinheap.com to contribute to the private one, or e-mail me if you’re an Iranian that needs access!
Update: There’s a list of working Iran proxy servers over here.
If you’re using CentOS/Redhat, it’s pretty straightforward to set up a proxy and help give access to those in Iran who are being censored.
Log in as root and run the following:
yum install squid
nano -w /etc/squid/squid.conf
Inside the editor, search (Control-W) for the line “http_access deny all” and change it to “http_access allow all”. This will make your proxy open and accessible to the world. If you would like to limit your proxy to Iranian IP blocks, change “http_access deny all” to read “http_access allow TRUSTED” instead, and add a line BEFORE the http_access line to set up an access control list (ACL). The ACL line that defines TRUSTED should read:
acl TRUSTED src 62.60.128.0/17 62.193.0.0/19 62.220.96.0/19 77.36.128.0/17 77.77.64.0/18 77.104.64.0/18 77.237.64.0/19 77.237.160.0/19 77.245.224.0/20 78.38.0.0/15 78.109.192.0/20 78.110.112.0/20 78.111.0.0/20 78.154.32.0/19 78.157.32.0/19 78.158.160.0/19 79.127.0.0/17 79.132.192.0/19 79.170.144.0/21 79.175.128.0/18 80.66.176.0/20 80.69.240.0/20 80.71.112.0/20 80.75.0.0/20 80.191.0.0/16 80.242.0.0/20 80.253.128.0/20 80.253.144.0/20 81.12.0.0/17 81.28.32.0/20 81.28.48.0/20 81.31.160.0/20 81.31.176.0/20 81.90.144.0/20 81.91.128.0/20 81.91.144.0/20 82.99.192.0/18 82.115.0.0/19 83.147.192.0/18 84.47.192.0/18 84.241.0.0/18 85.9.64.0/18 85.15.0.0/18 85.133.128.0/17 85.185.0.0/16 85.198.0.0/18 86.109.32.0/19 87.107.0.0/16 87.247.160.0/19 87.248.128.0/19 89.144.128.0/18 89.165.0.0/17 89.221.80.0/20 89.235.64.0/18 91.98.0.0/15 91.184.64.0/19 91.186.192.0/19 91.206.122.0/23 91.208.165.0/24 91.209.242.0/24 91.212.16.0/24 91.212.19.0/24 91.212.252.0/24 92.42.48.0/21 92.50.0.0/18 92.61.176.0/20 92.62.176.0/20 92.242.192.0/19 93.110.0.0/16 93.190.24.0/21 94.74.128.0/18 94.101.128.0/20 94.101.176.0/20 94.101.240.0/20 94.139.160.0/19 94.182.0.0/15 94.184.0.0/17 94.232.168.0/21 94.241.128.0/18 95.38.0.0/16 95.80.128.0/18 95.81.64.0/18 95.82.0.0/18 95.82.64.0/18 95.130.56.0/21 95.130.240.0/21 188.34.0.0/16 188.93.64.0/21 188.121.96.0/19 188.121.128.0/19 188.136.128.0/17 188.158.0.0/15 193.189.122.0/23 194.225.0.0/16 195.146.32.0/19 212.16.64.0/19 212.33.192.0/19 212.50.224.0/19 212.80.0.0/19 212.95.128.0/19 212.120.192.0/19 213.176.0.0/19 213.176.32.0/19 213.176.64.0/18 213.195.0.0/18 213.207.192.0/18 213.217.32.0/19 213.233.160.0/19 217.11.16.0/20 217.24.144.0/20 217.25.48.0/20 217.64.144.0/20 217.66.192.0/20 217.66.208.0/20 217.146.208.0/20 217.172.96.0/19 217.174.16.0/20 217.218.0.0/15
Turn off logging by adding these two lines:
access_log none
cache_store_log none
Save the config file and as root issue the following command to start the Squid proxy server:
service squid start
Please don’t run this on a machine that you’re worried about or that is used for production sites, and take basic security precautions, e.g. moving SSH off the default port, using iptables, etc.
Once your server is up and running please tweet @austinheap and let me know!

If you know any member of “Anonymous” please ask them to support our [Iran's] internet!
by: me, Jun 15th at 3:25 pm
Please let tweeters know to tweet directly to @StopAhmadi – DO NOT USE #iranelection TAG!! – http://twitter.com/StopAhmadi/status/2182259594
by: minachica, Jun 15th at 3:28 pm
how to do on ubuntu?
by: iranhelp, Jun 15th at 3:29 pm
You can use Apache’s mod_proxy as well; if anybody needs help setting it up, please tweet me @chowbok. I started to write directions but there are too many local differences in Apache setups.
by: Kim Scarborough, Jun 15th at 4:21 pm
How do I do it on a Mac?
by: Jim, Jun 15th at 5:27 pm
Two questions (I am not a regular Twitter user, but would like to help):
What incoming/outgoing ports need to be open?
How can I test that it is working?
Thanks,
D
by: dw, Jun 15th at 5:51 pm
For Squid setup on Ubuntu, see: http://www.ubuntugeek.com/how-to-setup-transparent-squid-proxy-server-in-ubuntu.html
@Austin: Squid proxies are nice, SOCKS5 proxies are nicer.
All your government are belong to us!
by: enpers, Jun 15th at 6:29 pm
I will gladly do this but 1) I am on OS X and these commands do not work and 2) I am behind a router and need to know which ports should be opened/forwarded.
by: 42, Jun 15th at 8:21 pm
How to set up a MacOSX proxy:
1) install squid using macports: ‘sudo port install squid’
2) edit squid.conf: ‘sudo pico /opt/local/etc/squid/squid.conf’, adding
the same http_access lines as described on this page.
3) start the service: ‘sudo launchctl load -w /Library/LaunchDaemons/org.macports.Squid.plist’
by: Anonymous, Jun 15th at 9:15 pm
On MacOS X, squid can be installed via darwin ports:
http://squid.darwinports.com/
by: MacUser, Jun 15th at 9:49 pm
I’ve been going around suggesting TOR but I still haven’t heard if it’s already blocked by the Iranian government. Can anyone confirm? If it works it could be a valid (and secure) alternative to proxies.
by: LVL_99, Jun 15th at 9:51 pm
to get squid working for ubuntu, I followed jimmyjames:
http://www.mahalo.com/answers/linux/im-using-ubuntu-810-how-do-i-block-all-websites-except-a-few
1. sudo apt-get install squid
2. sudo pico /etc/squid/squid.conf
3. add ‘visible_hostname foo’ where ‘foo’ is your machine’s hostname (i.e. the part following ‘userid@’ in your terminal prompt)
4. follow Austin’s instructions above for ACL
5. Close and save
6. type ‘sudo adduser squid’ and specify a password
7. Restart squid by typing: ‘/etc/init.d/squid restart’
8. Stop the service by typing ‘/etc/init.d/squid stop’
9. Test it in debug mode by typing ‘squid -z’ (which creates the cache files)
10. Type ‘squid -NCd10’ to test squid in debug mode and leave it running.
11. Open Firefox and type the URL localhost:3128 It will fail to retrieve a page, but at the bottom it will confirm that the error is generated by squid.
12. Back at the Terminal type CTRL-C to cancel the debug mode
13. Start squid for real with ‘/etc/init.d/squid start’. It will start automatically from now on.
by: rec, Jun 15th at 10:26 pm
For ubuntu/debian:
sudo apt-get install squid
sudo gedit /etc/squid/squid.conf
change “http_access deny all” to “http_access allow all”
add “access_log none” and “cache_store_log none”
sudo /etc/init.d/squid restart
by: Aurix, Jun 15th at 11:08 pm
Need help!! I have a 100mbit down 10mbit up private internet connection with an IPcop router with dyndns and want to configure it as a proxy for Iran but don’t really know what I have to change in the config .. thx for any help .. dm me at twitter twitter.com/discocheese
by: discocheese, Jun 16th at 9:25 am
Great information! Just had to say that…
by: Silje, Jun 16th at 9:32 am
Um, this doesn’t work if the computer is behind a Nat. Seems like you would want to mention this, so you could save some people some time trying something that won’t work. That is unless you know how to open up the ports on the device your Nat is running on.
by: Hari, Jun 16th at 9:57 am
I think I’ve got it going on Ubuntu – how do you tell if it’s working?
by: Ben, Jun 16th at 1:13 pm
I made a translation to swedish here: http://mickenordin.se/blog/index.php/2009/06/satt-upp-en-proxyserver-at-iranierna/
by: Micke Nordin, Jun 16th at 1:36 pm
Does anyone know why twitter is down?
by: Faryad, Jun 16th at 4:10 pm
Faryad: it was planned maintenance; they’d actually switched times to move it out of iran timezone
by: Sara, Jun 16th at 6:43 pm
208.58.210.121
running IRAN proxy currently… will try to keep up as long as possible
by: anonymous, Jun 16th at 6:57 pm
Um, is there any way for us non-professional hackers to do this on Ubuntu? (And can someone tell me exactly what setting up a proxy is supposed to do in this case?)
by: humanist, Jun 16th at 8:30 pm
I just set this up on FreeBSD (7-STABLE) using squid30 from the ports tree. Just install the port in whichever manner you like, and configure as specified. Be sure to follow the pkg-message information for initializing squid.
On the FreeBSD installation /usr/local/etc/squid/ is root:squid 750, so you may need to just
sudo -s
before you can really work there.
Also be sure to open up TCP port 3128 (or other if you configure squid to listen on another port) on any firewalls in the way.
Finally, I had a weird problem with the pasted ACL declaration. I suspect some funky characters got added in the copy and paste operation. Eventually I put the nets for the ACL in a separate file (each on a line by themselves) and used
acl PERSIA src "/usr/local/etc/squid/persia-acl"
as the declaration. See the squid documentation for this “file” specification. The file name must be in quotes and I found that I needed to specify the full path.
Note that I also changed “TRUSTED” to “PERSIA” in both the ACL declaration and in the http_access statement.
by: Jeffrey Goldberg, Jun 16th at 9:36 pm
Ben: To test, see if you can telnet to the port squid is listening to
from outside your machine’s network (default port 3128).
by: Skip, Jun 16th at 10:02 pm
To set additional ports for the proxy to listen on use multiple
http_port
lines in the configuration file. My file now includes
http_port 3128
http_port 2831
On FreeBSD + squid30 at least it is a pain to use any port below 1024. Squid apparently drops root very soon after start up. I’m looking at this issue now. (Since I think that using FTP and Gopher ports would make blocking harder)
by: Jeffrey Goldberg, Jun 16th at 10:16 pm
Hello,
I’d just want to ask: How do you know the newly created proxies don’t get filtered by the Iranian government?
Is there kind of a system to pass proxies in private to those who really need them, so they can spread them by mouth?
If you publish these for the good cause, those of the bad cause can also do the necessary to block IP’s, or am I wrong??
Also: alternative for twitter would be a must, I don’t twit, and I don’t facebook, I have proper human relationships… But I want to contribute…
by: olli, Jun 17th at 1:44 am
I have created a working Squid proxy (through a port-forwarded NAT) and first tested it from outside, then limited it to the ACL list above.
For security, I checked that SSH, IPP (printer), http:80 are disabled. Other than Squid, only privoxy and tor-socks are listening.
However, this is a personal computer and I’m neither sure how much load it can take nor how vulnerable it is to attackers. Assuming the Iranian authorities acquire a list of proxies, can they launch a DOS attack (or worse) against us? What’s the worst that can happen? Just something I’d like to know before I publish it. Thanks!
by: Arancaytar, Jun 17th at 6:40 am
I don’t see why you recommend turning off logging. Presumably no one outside Iran will try to get the logs to go after dissidents. But if someone were to use the proxy for a nefarious, illegal purpose, I would want a log, as it would be my IP on the hook for it.
by: Joe, Jun 17th at 6:55 am
Another way you can help is to use Psiphon. More info is available here.
http://www.psiphon.ca/
by: Gino, Jun 17th at 7:58 am
The box I’d like to make available is not running DNS services and is available through dyndns dynamic name. How would I determine the string to be used for the visible_hostname? Is this the URL established with dyndns?
by: chernevik, Jun 17th at 10:06 am
Long live AHMADI NAJAD
Forward, Ahmadi Najad
I love you Ahmadi
by: stop à l'ingérence !!!, Jun 17th at 10:17 am
Stop interfering in the affairs of Iran
by: stop à l'ingérence !!!, Jun 17th at 10:20 am
Can you please grab the IP addresses of these supporters of the short tyrant so we can start blocking them?
by: Rarian Rakista, Jun 17th at 8:28 pm
tnx guys for ur support,
we all appreciate that
by: k-from-iran, Jun 18th at 2:50 am
n twitter is down in iran
by: k-from-iran, Jun 18th at 2:51 am
French instructions to set up Squid on Fedora/Red Hat here :
http://werk.feub.net/2009/06/18/squid-pour-liran/
by: fabien, Jun 18th at 7:22 am
I set up Squid on a computer running Ubuntu. That computer is behind a router. Should I configure my router to forward port 3128 to the computer running Squid? Or should I forward traffic from port 80 to the computer running Squid?
by: Jim, Jun 18th at 7:27 am
not to sound curmudgeonly, but really folks, if you don’t know how to set up a proxy server, you probably shouldn’t be setting one up — it’s just an invitation to get hacked and/or compromise the security of those people using your proxy.
by: curmudgeon, Jun 18th at 10:05 am
there is a problem in your TRUSTED ACL :
you allow 194.225.0.0/16 but it contains the iran ministry of culture : inetnum: 194.225.164.0 – 194.225.165.255
I think your trusted ACL have all the same error.
I have checked only with the ministry of culture, but if it is allowed it means that other ministries are in your trusted list too
by: citoyenlambda, Jun 18th at 1:52 pm
Um, we’re just (trying to) offer support to people in Iran who feel (correctly in our opinion) disenfranchised. I do not see that this is necessarily a bad thing just because the people we’re trying to help are people YOU have political differences with.
by: humanist, Jun 18th at 2:30 pm
hi guys, great job!
has anyone already succeeded in running that stuff plus maybe a tor-relay on an embedded linux router? would be nice because the router is running 24/7 anyway and no additional hardware is needed
greets
by: joe, Jun 18th at 5:30 pm
PK confirm instruction re. Twitter
by: John, Jun 18th at 6:36 pm
If you are Iranian and can’t access some web sites, you can access them by using public proxy servers out there. Search a keyword like “free proxy.” In your browser, go to the properties, preferences, or options, find Advanced, then click network. Normally, there is a button like Settings. Click it. Next, click something like Manual proxy configuration. At the HTTP Proxy, type in the IP address of a public proxy server and its port number. Some proxy servers don’t work, so try several proxy servers.
by: Hiro, Jun 18th at 8:12 pm
Should be up and running for Iranians only at 82.17.172.143 port 3128.
by: michael, Jun 19th at 6:11 am
for those who would like to ban IRAN Ministry from using their proxy
(like Austinheap suggests) I have made an acl that you can deny prior to accept trusted.
here is the acl :
acl IRANMINISTRY src 194.225.164.0/23 213.176.19.0/26 213.176.74.0/23 217.172.104.0/21 217.172.112.0/22 217.172.120.0/21 217.172.96.0/22 217.24.144.0/20 84.47.212.0/21 84.47.220.0/22 84.47.251.0/21
the acl is based on the post by Austinheap :
http://blog.austinheap.com/2009/06/17/best-proxy-practices-bpp-and-an-update/
all ip blocks described in his reference :
“[1] Based on ripe data found on RIPE”
are aggregated in this acl
remember to use it like indicated below in squid.conf
acl IRANMINISTRY …(the whole above IRANMINISTRY acl)
acl TRUSTED … (the whole above TRUSTED acl)
http_access deny IRANMINISTRY
http_access allow TRUSTED
by: citoyenlambda, Jun 19th at 2:22 pm
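The rule ordering in the comment above, and the difference between “http_access allow all” and “http_access allow TRUSTED” in the main post, shown as an added example (not part of the original post or comments). It is a simplified model of Squid's first-match evaluation; the function names, the shortened ACLs and the sample client addresses are constructed for illustration, and only single-ACL http_access lines are handled.

```python
import ipaddress

# Constructed squid.conf fragments. The networks are a small subset of the
# TRUSTED and IRANMINISTRY lists on this page, shortened for readability.
ACLS = """acl IRANMINISTRY src 194.225.164.0/23
acl TRUSTED src 194.225.0.0/16 80.191.0.0/16
"""
CONFIGS = {
    "open":         "http_access allow all",
    "trusted_only": ACLS + "http_access allow TRUSTED",
    "deny_first":   ACLS + "http_access deny IRANMINISTRY\nhttp_access allow TRUSTED",
    "allow_first":  ACLS + "http_access allow TRUSTED\nhttp_access deny IRANMINISTRY",
}

def parse(conf):
    """Collect 'acl NAME src ...' networks and the ordered http_access rules."""
    # Assumption: the built-in 'all' ACL is modeled as 0.0.0.0/0 (IPv4 only).
    acls = {"all": [ipaddress.ip_network("0.0.0.0/0")]}
    rules = []
    for raw in conf.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) >= 4 and parts[0] == "acl" and parts[2] == "src":
            acls.setdefault(parts[1], []).extend(
                ipaddress.ip_network(p) for p in parts[3:])
        elif len(parts) == 3 and parts[0] == "http_access":
            rules.append((parts[1], parts[2]))
    return acls, rules

def decide(conf, client):
    """Return 'allow' or 'deny' for one client address (single-ACL rules only)."""
    acls, rules = parse(conf)
    ip = ipaddress.ip_address(client)
    for action, name in rules:          # top to bottom, first match wins
        if any(ip in net for net in acls[name]):
            return action
    # Nothing matched: Squid applies the opposite of the last http_access line.
    return "deny" if rules[-1][0] == "allow" else "allow"

# Constructed sample clients.
CLIENTS = {
    "ministry": "194.225.164.10",   # inside 194.225.164.0/23
    "trusted":  "80.191.10.20",     # inside TRUSTED only
    "outside":  "203.0.113.5",      # documentation range, in neither ACL
}

def matrix():
    """Decision for every sample client under every sample configuration."""
    return {cfg: {who: decide(text, ip) for who, ip in CLIENTS.items()}
            for cfg, text in CONFIGS.items()}

if __name__ == "__main__":
    for cfg, row in matrix().items():
        print(f"{cfg:13s}", row)
```

With the deny line placed after the allow line, the ministry address is admitted by TRUSTED first, and because the last rule is then a deny, unmatched clients fall through to allow; ending the list with an explicit “http_access deny all” avoids relying on that implicit default.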
I restarted squid with my conf, I had this :
* Restarting Squid HTTP proxy squid 2009/06/19 23:28:19| aclParseIpData: WARNING: Netmask masks away part of the specified IP in ’84.47.212.0/21′
2009/06/19 23:28:19| aclParseIpData: WARNING: Netmask masks away part of the specified IP in ’84.47.251.0/21′
2009/06/19 23:28:19| parseConfigFile: squid.conf:940 unrecognized: ‘ssl_engine’
[ OK ]
1) ssl_engine off issue :
I removed the following line because there is a comment that says that :
# Note: This option is only available if Squid is rebuilt with the
# --enable-ssl option
=> I understand you DM must be on windows but not on linux
2) aclParseIpData: WARNING: Netmask masks away part of the specified IP in
impossible to find a squid doc detailing what it means
I don’t understand those people developing software with warnings but not
documenting them !
help, someone
by: citoyenlambda, Jun 19th at 5:11 pm
2009/06/19 23:28:19| aclParseIpData: WARNING: Netmask masks away part of the specified IP in ‘84.47.251.0/21′
try changing the netmask to /24, or the IP to 84.47.248.0.
by: The Internet, Jun 19th at 6:12 pm
citoyenlambda:
The warnings are quite plain. If it weren’t for the extremely unique political situation, I’d say if you don’t know how IP addressing works, you have no business setting up proxy servers. However, I understand and applaud people’s efforts to help.
Please don’t blame the software developers for what you don’t understand. Thousands of hours of effort have gone into creating, and documenting Squid, and its free availability is what is allowing the channels of communication to stay open.
Learn about subnets here:
http://en.wikipedia.org/wiki/Subnetwork
– Simian Engineer
by: SimianEngineer, Jun 19th at 10:06 pm
OK, the mistake was mine, I’m sorry for that.
I was tired and I wanted to aggregate 2 /22 in a /21 but it was not possible because the network was not at a correct boundary for that mask. I corrected the IRANMINISTRY acl, please do not use the previous one; here it is:
acl IRANMINISTRY src 194.225.164.0/23 213.176.19.0/26 213.176.74.0/23 217.172.104.0/21 217.172.112.0/22 217.172.120.0/21 217.172.96.0/22 217.24.144.0/20 84.47.212.0/22 84.47.216.0/22 84.47.220.0/22 84.47.248.0/22 84.47.252.0/22
by the way, now I know the meaning of the following squid warning:
WARNING: Netmask masks away part of the specified IP in…
it means that you have one ip address network with a network and a mask
and that the network is not at a correct boundary for the mask you have
for instance with my mistake with 84.47.212.0
but for a /21 you can only have 84.47.208.0/21 and the next is 84.47.216.0/21
here is why :
IP addresses are 32 bits as a whole, noted A.B.C.D, where each of A, B, C, D
represents 8 bits (4×8 = 32) and is coded from 0 to 255
/21 network means that 21 left most bits are used for network,
as a consequence the 32-21 : 11 right most bits of the address are used for hosts. It also means by definition that bit 32 to 21 (from right to left) are used for “hosts”.
it means that all the 4th byte, ie 8 right most bits
plus the 3 right most bits (8 + 3 = 11) of 3rd byte of ip address are used for hosts
the first bit of the network will be the 4th right most bit of the 3rd right most byte.
and when the bit is one the 3rd byte value is 2^(4-1) = 2³ = 8, so as a result
apart from the first network starting with the 4th bit at 0 :
it means valid networks have 3rd bytes boundaries of 8 :
0,8,16,24,32 etc.
i e all valid /21 network must have the 3rd right most byte a multiple of 8
was not the case for me, I corrected it
by: citoyenlambda, Jun 20th at 5:35 am
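The boundary rule explained in the comment above, as an added example (not part of the original comments): it reports which entries of the first IRANMINISTRY line would trigger the “Netmask masks away part of the specified IP” warning, and aggregates the corrected line only where two blocks sit on a valid boundary. The function names are hypothetical; the two ACL lines are copied from the comments on this page.

```python
import ipaddress

# ACL lines exactly as posted in the comments (first and corrected version).
FIRST = ("acl IRANMINISTRY src 194.225.164.0/23 213.176.19.0/26 213.176.74.0/23 "
         "217.172.104.0/21 217.172.112.0/22 217.172.120.0/21 217.172.96.0/22 "
         "217.24.144.0/20 84.47.212.0/21 84.47.220.0/22 84.47.251.0/21")
CORRECTED = ("acl IRANMINISTRY src 194.225.164.0/23 213.176.19.0/26 213.176.74.0/23 "
             "217.172.104.0/21 217.172.112.0/22 217.172.120.0/21 217.172.96.0/22 "
             "217.24.144.0/20 84.47.212.0/22 84.47.216.0/22 84.47.220.0/22 "
             "84.47.248.0/22 84.47.252.0/22")

def entries(line):
    """Split an 'acl NAME src CIDR ...' line into its CIDR entries."""
    parts = line.split()
    if len(parts) < 4 or parts[0] != "acl" or parts[2] != "src":
        raise ValueError("expected: acl NAME src CIDR [CIDR ...]")
    return parts[3:]

def misaligned(line):
    """Return (entry, network that mask selects for that address) per bad entry."""
    bad = []
    for entry in entries(line):
        iface = ipaddress.ip_interface(entry)
        # Host bits set under the mask means the address is not on a boundary.
        if iface.ip != iface.network.network_address:
            bad.append((entry, str(iface.network)))
    return bad

def aggregate(line):
    """Merge adjacent blocks, but only into networks on a valid boundary."""
    # ip_network() is strict by default and raises ValueError on a misaligned entry.
    nets = [ipaddress.ip_network(e) for e in entries(line)]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]

if __name__ == "__main__":
    for entry, selected in misaligned(FIRST):
        print(f"{entry}: mask selects {selected}")
    print("corrected line, aggregated:", " ".join(aggregate(CORRECTED)))
```

On the corrected line, 84.47.216.0/22 and 84.47.220.0/22 merge into 84.47.216.0/21, while 84.47.212.0/22 stays separate because its /21 would have to start at 84.47.208.0.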
Note that there are newer posts on this subject. http://blog.austinheap.com/?s=proxy
I followed a link here and missed some information the first couple times.
by: Dan Wylie-Sears, Jun 20th at 12:02 pm