Last active: October 15, 2025 09:14
Testing proxy
```sh
PROXY_IP="192.168.1.10"
PROXY_PORT="8888"
# (1) Flush existing rules — careful if remote:
sudo nft flush ruleset
# (2) Create base table and chains
sudo nft add table inet filter
sudo nft 'add chain inet filter input { type filter hook input priority 0 ; }'
sudo nft 'add chain inet filter forward { type filter hook forward priority 0 ; }'
sudo nft 'add chain inet filter output { type filter hook output priority 0 ; }'
# (3) Base accept rules (loopback, established)
sudo nft add rule inet filter input iif lo accept
sudo nft add rule inet filter output oif lo accept
sudo nft add rule inet filter input ct state established,related accept
sudo nft add rule inet filter output ct state established,related accept
# (4) Allow DNS only to proxy (if proxy handles DNS) — optional:
# If proxy resolves DNS itself you can skip DNS rules. If not, allow DNS only to a trusted DNS IP:
# sudo nft add rule inet filter output ip daddr 8.8.8.8 udp dport 53 accept
# sudo nft add rule inet filter output ip daddr 8.8.8.8 tcp dport 53 accept
# (5) Allow outbound TCP/UDP to proxy IP:PORT
sudo nft add rule inet filter output ip daddr $PROXY_IP tcp dport $PROXY_PORT ct state new,established accept
sudo nft add rule inet filter output ip daddr $PROXY_IP udp dport $PROXY_PORT ct state new,established accept
# (6) (Optional) Allow SSH to management host (if remotely administering), otherwise skip
# sudo nft add rule inet filter input ip saddr <MANAGEMENT_IP> tcp dport 22 ct state new,established accept
# (7) Drop everything else (default deny)
# Note: the input drop below blocks new inbound connections, so over SSH the
# established-state rule in (3) keeps the current session alive but a fresh
# login needs rule (6).
sudo nft add rule inet filter output drop
sudo nft add rule inet filter input drop
```
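An added example, not part of this gist: the same egress policy built as one ruleset file and loaded with `nft -f`, plus a check that direct egress is blocked while the proxy path works. Loading a single file is applied as one transaction, so the host is never left without rules between the `nft flush ruleset` of step (1) and the final drop rules of step (7); it also sets a drop policy on the forward chain, which the gist leaves at accept. PROXY_IP and PROXY_PORT default to the gist's values; the management host address, the test URL and the `apply`/`verify` subcommands are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the gist): atomic nftables egress policy for a host
# that may only reach the network through a proxy.
# Assumptions: proxy at PROXY_IP:PROXY_PORT (gist defaults), optional
# MANAGEMENT_IP placeholder for SSH, nft and curl installed, run as root.
PROXY_IP="${PROXY_IP:-192.168.1.10}"
PROXY_PORT="${PROXY_PORT:-8888}"

# Emit a complete ruleset for `nft -f`. The leading "flush ruleset" is applied
# in the same transaction as the new table, so there is no unfiltered window.
build_ruleset() {
  proxy_ip="$1"
  proxy_port="$2"
  mgmt_ip="${3:-}"   # optional: host allowed to open SSH sessions to us
  mgmt_rule=""
  if [ -n "$mgmt_ip" ]; then
    mgmt_rule="    ip saddr $mgmt_ip tcp dport 22 ct state new accept"
  fi
  cat <<EOF
flush ruleset
table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;
    iif "lo" accept
    ct state established,related accept
$mgmt_rule
  }
  chain forward {
    type filter hook forward priority 0; policy drop;
  }
  chain output {
    type filter hook output priority 0; policy drop;
    oif "lo" accept
    ct state established,related accept
    ip daddr $proxy_ip tcp dport $proxy_port ct state new accept
    ip daddr $proxy_ip udp dport $proxy_port ct state new accept
  }
}
EOF
}

# Syntax-check the generated ruleset (nft -c) before loading it atomically.
apply_ruleset() {
  tmp=$(mktemp) || return 1
  build_ruleset "$@" > "$tmp"
  nft -c -f "$tmp" && nft -f "$tmp"
  rc=$?
  rm -f "$tmp"
  return $rc
}

# Verify from the host: a direct request must fail, the same request through
# the proxy must succeed. Returns 0 only when both hold.
verify_egress() {
  proxy_ip="$1"
  proxy_port="$2"
  url="${3:-http://example.com/}"   # constructed test target
  if curl -sS --max-time 5 --noproxy '*' -o /dev/null "$url" 2>/dev/null; then
    echo "FAIL: direct egress to $url was allowed" >&2
    return 1
  fi
  curl -sS --max-time 10 -o /dev/null --proxy "http://$proxy_ip:$proxy_port" "$url" \
    || { echo "FAIL: request via proxy $proxy_ip:$proxy_port failed" >&2; return 1; }
  echo "OK: direct egress blocked, proxy path works"
}

case "${1:-}" in
  apply)  apply_ruleset "$PROXY_IP" "$PROXY_PORT" "${MANAGEMENT_IP:-}" ;;
  verify) verify_egress "$PROXY_IP" "$PROXY_PORT" ;;
  *)      build_ruleset "$PROXY_IP" "$PROXY_PORT" "${MANAGEMENT_IP:-}" ;;
esac
```

With no argument the script only prints the ruleset, which is the form you want to review (or `nft -c -f`) before `apply`; `verify` is meant to run after the policy is loaded and the tinyproxy container is reachable.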
```dockerfile
FROM --platform=linux/amd64 alpine:latest
RUN apk add --no-cache tinyproxy
# add config (we'll copy local tinyproxy.conf)
COPY tinyproxy.conf /etc/tinyproxy/tinyproxy.conf
EXPOSE 8888
CMD ["tinyproxy", "-d", "-c", "/etc/tinyproxy/tinyproxy.conf"]
```
```
User nobody
Group nobody
Port 8888
Listen 0.0.0.0
# logging
LogLevel Info
LogFile "/var/log/tinyproxy/tinyproxy.log"
# allow networks (replace 192.168.1.0/24 with your network or use 0.0.0.0/0 for testing only)
Allow 0.0.0.0/0
# name sent in the Via header; set "DisableViaHeader Yes" instead if you want the header suppressed
ViaProxyName "tinyproxy"
# some other tuning
Timeout 600
MaxClients 100
```