State of the Iran Proxies

State of the Iran Proxies

Currently VPNs are one of the safest methods of evading censorship. HMA has hundreds of exit nodes/countries and many ways of accessing their servers.

So there’s been good news and bad news from launching proxyheap. (Btw, you can check it your proxy is working here.)

The good news? We have lots of support! The bad news? There’s a HUGE chunk of proxies misconfigured… rendering them useless. There’s also a bunch of proxies on un-reliable connections — we pass these out to people in Iran and when they’re down, it just makes things harder.

That said, special thanks to r3boot (the original author) and esr (who put all the pieces in place) for putting together a reliable Squid configuration file for those in Iran seeking unfiltered Internet access.

To quote from the config file:

# 0. Do this installation only on a non-essential machine, as the host may be
# targeted for serious denial-of-service or cracking attempts. For maximum
# security, run it inside a virtual machine.
#
# 1. Install squid on your system. You will need to be root for this.
# Under Ubuntu, do "apt-get install squid"
# Under RedHat, Fedora, and Centos do "yum install squid"
# Under Gentoo, do "emerge squid"
# Under OpenBSD, do "pkg_add PKG_PATH=ftp://ftp.openbsd.org/pub/{version}/packages/i386/squid"
# Under FreeBSD, do this:
# wget http://www.squid-cache.org/Versions/v2/2.7/squid-2.7.STABLE6.tar.gz;
# tar zxvf squid-2.7.STABLE6.tar.gz
# cd squid-2.7.STABLE6
# ./configure '--sysconfdir=/etc/squid' '--enable-storeio=diskd,ufs,aufs' '--enable-delay-pools' '--enable-pf-transparent' '--enable-ipf-transparent' '--disable-ident-lookups' '--enable-removal-policies'
# make
# make install
# Under NetBSD, do "cd /usr/ports/www/squid; make install clean"
#
# 2. Red Hat and CentOS only:
# * Edit the iptables via system-config-securitylevel. As root, run
# /usr/bin/system-config-securitylevel
# * Set SELinux: to either Permissive(slightly better) or Disabled.
# Note, this is a crude solution. Someone with more SELinux
# knowledge might be able to write a pass-through rule.
# * Now go into Customize. In Other Ports, set it like this:
# portnum:protocol (eg. 42342:tcp, 42343:tcp, 42344:tcp).
# Do this for all of your nonstandard ports. Hit OK->OK
#
# 3. Replace your squid configuration with this file. It is likely
# to be in /etc/squid/squid.conf, but could be in /etc/squid.conf
# as well.
#
# 4. Fix the "visible_hostname" line in /etc/squid.conf: it should declare
# your machine's hostname (i.e. the part following "userid@" in your
# terminal prompt)
#
# 5. Choose a nonstandard port number to listen on, or better yet
# about a dozen of them. Fix the http_port line in /etc/squid.conf.
# Add more lines as needed.
#
# 6. Specify the IP of a machine where you have login privilages on the
# "acl remote_test" liner below. You will use this to verify that your
# proxy is working, and can remove it afterwards.
#
# 7. Type "sudo adduser squid" and specify a password
#
# 8. Restart squid by typing: "/etc/init.d/squid restart"
#
# 9. Stop the service by typing "/etc/init.d/squid stop"
#
# 10. Test it in debug mode by typing "squid -z" (which creates the cache files)
#
# 11. Type "squid -NCd10" to test squid in debug mode and leave it running.
#
# 12. Open Firefox and type the URL localhost:3128 It will fail to retrieve a
# page, but at the bottom it should confirm that the error is generated
# by squid. (To be extra-sure, re-do this test using one of the
# non-standard ports you declared in step 4.)
#
# 13. Back at the Terminal type CTRL-C to cancel the debug mode
#
# 14. Start squid for real with "/etc/init.d/squid start". It will start
# automatically from now on.
#
# 15. If your squid host is sitting behind a hardware router with firewalling
# capability, you must set up port forwarding of all your nonstandard
# ports to the squid host machine. The procedure for this varies
# depending on your router, but is most likely to involves pointing your
# browser at 192.168.1.1 and navigating to a "Port Forwarding" page.
#
# 16. The easiest way to test that your proxy server is working is to
# use the proxy tester at austinheap.com:
#
# If it says "Fatal error: couldn't connect to host", then your
# squid instance probably isn't running; check for possible fatal
# error in the configuration parse, and if you don't see that make
# sure that you have correctly configured your ruter or firewall
# to pass through packets. If it says "Your proxy is not accepting
# connections from the validation servers.", you're at least
# reaching squid, but your allow/denies aren't right or you
# configuration file doesn't live where you think it does.
#
# 17. Register your proxy server with proxyheap at
#
# You'll have to do this once for each listener port you declared.
# You will receive an email notification from the proxyheap
# verification servers if all is well. Otherwise, email will tell you
# that your server could not be verified and drop the entry from the
# proxyyheap database. Once you are successfully registered,
# the Iranian revolutionaries can begin using your proxy with
# no further action required on your part.
#
# 18. Death threats have already been made against cooperating
# hackers. If you receive such a threat, report it to your local
# police immediately. Do not assume that your cooperation is unknown
# to the Iranian regime or their agents, and do not assume you will
# have warning if they act on their threats. If you are not already
# armed and prepared to defend yourself, fix both of these bugs.

I think this is a very good starting point for getting this effort organized and effective.

Tags Posted under Internets, Iran, Technology by