User:Log Linden/Socks5Viewer/TestPlan/ProxyGateway

From Second Life Wiki
< User:Log Linden‎ | Socks5Viewer‎ | TestPlan
Revision as of 12:58, 27 July 2011 by Log Linden (talk | contribs) (→‎Configure the HTTP proxy: fixed instruction to disable cacheing of fetched items.)
Jump to navigation Jump to search

Introduction

These instructions will help you set up a simple Ubuntu gateway machine that will allow you to control access to the outside network for computers that are operating behind the gateway. This setup was created for testing the SOCKS 5 proxy. With some modification, the same setup could be used for testing various other network conditions, including throttling the connection speed down to something closer to residential DSL speeds. The instructions are intended for someone with a reasonable familiarity with Ubuntu Linux and will only discuss the customisations needed to set up the gateway.

Requirements

Hardware

  • A standard off-the-shelf PC with two Ethernet NICs
  • 1 Ethernet switch for the "internal" network
  • Network cables
  • Other computers to actually test the viewer on.

Software

  • Ubuntu Linux 11.04 (Natty) install media (Other flavors of Ubuntu, including Ubuntu server should work with these instructions as well.)

Instructions

Connect network hardware

  • Connect one network card to the outside network.
  • Connect the other network card to the internal ethernet switch.
  • Connect testing computers to the internal network switch.

SOCKS Testing Network Setup

Install Ubuntu and Packages

  • Install Ubuntu on the gateway machine. Consult the official Ubuntu install instructions for more information.
  • Reboot into the installed system.
  • Update the packages on the system.

<bash> sudo apt-get update sudo apt-get upgrade </bash>

  • Install some additional useful packages that we will need.

<bash> sudo apt-get install dnsmasq dante-server openssh </bash>

Configure Network Interfaces

  • IMPORTANT NOTE: For the purpose of this document, eth0 is the device that is connecting to the outside network, and eth1 is connecting to the internal network. Verify which is which on your setup.

<bash>ifconfig</bash> Chances are, only one of the ethX devices will have been assigned an IP address by your network, this is the one connected to the external network. If this is not eth0 you need to either switch the network cables connected to the computer or remember to swap the interface names everywhere in the rest of this document. We are going to be assigning eth1 with a static IP address, which can cause problems if it conflicts with the rest of your network.

  • Edit, with sudo, '/etc/network/interfaces' and replace its contents with the following

<bash> auto lo eth0 eth1

iface lo inet loopback

  1. External network

iface eth0 inet dhcp

  1. Internal network

iface eth1 inet static

       address 192.168.1.1
       network 192.168.1.0
       netmask 255.255.255.0
       broadcast 192.168.1.255

</bash>

  • This configuration makes eth0 continue to get its configuration through DHCP, and statically configures eth1. Listing both interfaces on the auto line will mean that they will automatically connect on startup.
  • Because we are setting up the interfaces in this config file, we should probably prevent networkmanager from trying to do it as well.

<bash> sudo update-rc.d NetworkManager remove</bash>

  • Restart the network

<bash> sudo /etc/init.d/networking stop sudo /etc/init.d/networking start </bash>

  • Verify the network configuration by looking for the correct IP addresses for eth0 and eth1.

<bash> ifconfig</bash>

Set up DNS and DHCP

  • dnsmasq is a lightweight combination DNS/DHCP server. For the anticipated number of clients for this network, it should be sufficient.
  • Warning: Again, it is important to get the network interfaces correct for this. Running a rogue DHCP server on the wrong interface could cause major network problems. eth1 should be the internal network card.
  • Replace /etc/dnsmasq.conf with the following:

<bash> interface=eth1

dhcp-range=192.168.1.50,192.168.1.150,12h dhcp-authoritative dhcp-script=/bin/echo </bash>

  • Restart dnsmasq

<bash> sudo /etc/init.d/dnsmasq restart </bash>

Set up the Firewall

  • Save the following two scripts to ~/scripts

nat_forward_all.sh

<bash> echo -e "\n\nLoading simple rc.firewall-iptables version $FWVER..\n" DEPMOD=/sbin/depmod MODPROBE=/sbin/modprobe

EXTIF="eth0" INTIF="eth1" echo " External Interface: $EXTIF" echo " Internal Interface: $INTIF"

  1. ======================================================================
  2. == No editing beyond this line is required for initial MASQ testing ==

echo -en " loading modules: " echo " - Verifying that all kernel modules are ok" $DEPMOD -a echo "----------------------------------------------------------------------" echo -en "ip_tables, " $MODPROBE ip_tables echo -en "nf_conntrack, " $MODPROBE nf_conntrack echo -en "nf_conntrack_ftp, " $MODPROBE nf_conntrack_ftp echo -en "nf_conntrack_irc, " $MODPROBE nf_conntrack_irc echo -en "iptable_nat, " $MODPROBE iptable_nat echo -en "nf_nat_ftp, " $MODPROBE nf_nat_ftp echo "----------------------------------------------------------------------" echo -e " Done loading modules.\n" echo " Enabling forwarding.." echo "1" > /proc/sys/net/ipv4/ip_forward echo " Enabling DynamicAddr.." echo "1" > /proc/sys/net/ipv4/ip_dynaddr echo " Clearing any existing rules and setting default policy.."

iptables-restore <<-EOF

  • nat

-A POSTROUTING -o "$EXTIF" -j MASQUERADE COMMIT

  • filter
INPUT ACCEPT [0:0]
FORWARD DROP [0:0]
OUTPUT ACCEPT [0:0]

-A FORWARD -i "$EXTIF" -o "$INTIF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT -A FORWARD -i "$INTIF" -o "$EXTIF" -j ACCEPT -A FORWARD -j LOG COMMIT EOF

echo -e "\nrc.firewall-iptables v$FWVER done.\n" </bash>

nat_block_all.sh

<bash> echo -e "\n\nLoading simple rc.firewall-iptables version $FWVER..\n" DEPMOD=/sbin/depmod MODPROBE=/sbin/modprobe

EXTIF="eth0" INTIF="eth1" echo " External Interface: $EXTIF" echo " Internal Interface: $INTIF"

  1. ======================================================================
  2. == No editing beyond this line is required for initial MASQ testing ==

echo -en " loading modules: " echo " - Verifying that all kernel modules are ok" $DEPMOD -a echo "----------------------------------------------------------------------" echo -en "ip_tables, " $MODPROBE ip_tables echo -en "nf_conntrack, " $MODPROBE nf_conntrack echo -en "nf_conntrack_ftp, " $MODPROBE nf_conntrack_ftp echo -en "iptable_nat, " $MODPROBE iptable_nat echo -en "nf_nat_ftp, " $MODPROBE nf_nat_ftp echo "----------------------------------------------------------------------" echo -e " Done loading modules.\n" echo " Enabling forwarding.." echo "1" > /proc/sys/net/ipv4/ip_forward echo " Enabling DynamicAddr.." echo "1" > /proc/sys/net/ipv4/ip_dynaddr echo " Clearing any existing rules and setting default policy.."

iptables-restore <<-EOF

  • nat

-A POSTROUTING -o "$EXTIF" -j MASQUERADE COMMIT

  • filter
INPUT ACCEPT [0:0]
FORWARD DROP [0:0]
OUTPUT ACCEPT [0:0]

-A FORWARD -i "$INTIF" -j LOG -A FORWARD -i "$INTIF" -j REJECT COMMIT EOF

echo -e "\nrc.firewall-iptables v$FWVER done.\n" </bash>

  • Make both scripts executable

<bash> chmod a+x ~/scripts/nat_block_all.sh chmod a+x ~/scripts/nat_forward_all.sh </bash>

  • Test the wide-open script. Inspect the output for errors indicating something is wrong.

<bash> sudo ~/scripts/nat_forward_all.sh </bash>

  • If the previous command was successful and you got dns and dhcp configured before, you should be able to connect through your gateway on computers on the internal network.
  • Test this now, by connecting a test computer to the network if you haven't already. Try browsing the web on one of the test machines as a quick test. Use ipconfig /all or ifconfig to see how the test computer is being configured. Expected values are below:
Test Machine Network Parameters
Parameter Expected Value
IP Address 192.168.1.50-192.168.1.150
Subnet Mask 255.255.255.0
Default Gateway 192.168.1.1
Nameserver (DNS Server) 192.168.1.1
  • If everything seems to be working correctly, make the wide-open config run during system startup.

<bash> sudo cp nat_forward_all.sh /etc/init.d/nat.sh sudo ln -s /etc/init.d/nat.sh /etc/rc2.d/S95masquradescript </bash>

Set up the SOCKS 5 proxy

  • Replace /etc/danted.conf with the following.
logoutput: /var/log/dante.log

internal: eth1 port = 1080

external: eth0

method: username none
#the above puts no username or password. Access will instead be controlled via client ip address/range.
#if there is no username or password - then danted socks server needs to run as nobody, i.e.

#user.privileged: proxy
user.notprivileged: nobody


### "client-rules" ###
                
client pass     {
                    from: 192.168.1.0/16 port 1-65535 to: 0.0.0.0/0
                }
                        
client block    {
                    from: 0.0.0.0/0 to: 0.0.0.0/0
                    log: connect error
                }

         
### "socks-rules" ###
        # Block connections to loopback interfaces
block   {
            from: 0.0.0.0/0 to: 127.0.0.0/8
            log: connect error
        }

        # Allow udp reply packets from outside
pass    {
            from: 0.0.0.0/0 to: 192.168.1.0/16
            command: udpreply
        }                                

        # Allow the internal network to connect to everything outside
pass    {
            from: 192.168.1.0/16 to: 0.0.0.0/0
            protocol: tcp udp
        }
    
        # Block anything else
block   {
            from: 0.0.0.0/0 to: 0.0.0.0/0
            log: connect error
        }

  • Start the proxy server

<bash> sudo /etc/init.d/danted restart </bash>

  • If you get a "Failed to open libc.so..." error message when starting the proxy server, this is caused by a mistake in the dante-server debian package. To work around this, create a simlink to the correct libc.so and try to start danted again.

<bash> sudo ln -sf /lib/i386-linux-gnu/libc-2.13.so /lib/i386-linux-gnu/libc.so </bash>

  • Test connecting through the proxy by configuring the web browser on one of the test machines connected through the gateway to use the proxy.
  • Restrict outgoing traffic through the gateway by enabling the more restrictive iptables configuration.

<bash> sudo ~/scripts/nat_block_all.sh </bash>

  • In the proxy options section of the browser, supply 192.168.1.1 as the SOCKS server and 1080 as the port.
  • Attempt to browse to an internet website. If you can browse as usual, the proxy is working correctly.
  • Disable the proxy in the browser.

Set up the HTTP (Web) proxy

Configure the HTTP proxy

  • Edit /etc/squid/squid.conf. We will be editing the existing file instead of replacing it.
  • Look for the following line:
http_port 3128
  • Replace with the following:
http_port 192.168.1.1:3128
cache deny all
  • Look for the following lines:
acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
  • Replace with
acl localnet src 192.168.1.0/8  # RFC1918 possible internal network
  • Look for the following line:
acl CONNECT method CONNECT
  • Append two lines to make it be:
acl CONNECT method CONNECT
#       Enable SSL via CONNECT
acl SSL method CONNECT
  • Look for the following line:
http_access allow localhost
  • Append another line after it so that it now looks like this:
http_access allow localhost
http_access allow localnet
  • A patch to do the above:

<diff> --- squid.conf.original 2011-07-11 13:58:12.640564821 -0400 +++ squid.conf 2011-07-13 18:44:17.324652415 -0400 @@ -606,8 +606,6 @@

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed

-acl localnet src 10.0.0.0/8 # RFC1918 possible internal network -acl localnet src 172.16.0.0/12 # RFC1918 possible internal network

acl localnet src 192.168.0.0/16        # RFC1918 possible internal network
#
acl SSL_ports port 443         # https

@@ -628,6 +626,8 @@

acl Safe_ports port 901                # SWAT
acl purge method PURGE
acl CONNECT method CONNECT

+# Enable SSL via CONNECT +acl SSL method CONNECT

#  TAG: http_access
#      Allowing or Denying access based on defined access lists

@@ -675,6 +675,8 @@

# from where browsing should be allowed
#http_access allow localnet
http_access allow localhost

+http_access allow localnet +

# And finally deny all other access to this proxy
http_access deny all

@@ -1111,8 +1113,9 @@

#      visible on the internal address.
#
# Squid normally listens to port 3128

-http_port 3128 +http_port 192.168.1.1:3128

+cache deny all

#  TAG: https_port
# Note: This option is only available if Squid is rebuilt with the
#       --enable-ssl option

</diff>

  • Restart the squid proxy:

<bash> sudo stop squid sudo start squid </bash>

  • Examine syslog for any errors

<bash> sudo tail /var/log/syslog </bash>

Test the HTTP Proxy

  • Restrict outgoing traffic through the gateway by enabling the more restrictive iptables configuration.

<bash> sudo ~/scripts/nat_block_all.sh </bash>

  • In the proxy options section of the browser on the test machine, supply 192.168.1.1 as the HTTP and HTTPS proxy server with 3128 as the port in both cases.
  • Remove any SOCKS proxy configuration in the browser.
  • Attempt to browse to an internet website. Also try browsing to an https:// website such as https://codereview.secondlife.com. If you can browse as usual, the proxy is working correctly.
  • Disable the proxy in the browser.

Cleanup

  • Reboot the machine, using the graphical menus to reboot or the following command. Verify that everything still works as before.

<bash> sudo shutdown -r now </bash>

  • Note that we left the unrestricted firewall configuration as the default. When the gateway is rebooted, you will need to rerun ~/scripts/nat_blocked_all.sh to restrict connections again. If you would like that to be the default state, copy ~/scripts/nat_blocked_all.sh to /etc/init.d/nat.sh.

Useful References

If you run into difficulties with these instructions, there is more information in the official documentation. I based the configurations in this document mostly from the following sites: