User:Log Linden/Socks5Viewer/TestPlan/ProxyGateway
Introduction
These instructions will help you set up a simple Ubuntu gateway machine that will allow you to control access to the outside network for computers that are operating behind the gateway. This setup was created for testing the SOCKS 5 proxy. With some modification, the same setup could be used for testing various other network conditions, including throttling the connection speed down to something closer to residential DSL speeds. The instructions are intended for someone with a reasonable familiarity with Ubuntu Linux and will only discuss the customisations needed to set up the gateway.
Requirements
Hardware
- A standard off-the-shelf PC with two Ethernet NICs
- 1 Ethernet switch for the "internal" network
- Network cables
- Other computers to actually run the viewer on.
Software
- Ubuntu Linux 11.04 (Natty) install media (Other flavors of Ubuntu, including Ubuntu server should work with these instructions as well.)
Instructions
Connect network hardware
- Connect one network card to the outside network.
- Connect the other network card to the internal ethernet switch.
- Connect testing computers to the internal network switch.
Install Ubuntu and Packages
- Install Ubuntu on the gateway machine. Consult the official Ubuntu install instructions for more information.
- Reboot into the installed system.
- Update the packages on the system.
<bash> sudo apt-get update sudo apt-get upgrade </bash>
- Install some additional useful packages that we will need.
<bash> sudo apt-get install dnsmasq dante-server openssh </bash>
Configure Network Interfaces
- IMPORTANT NOTE: For the purpose of this document, eth0 is the device that is connecting to the outside network, and eth1 is connecting to the internal network. Verify which is which on your setup.
<bash>ifconfig</bash> Chances are, only one of the ethX devices will have been assigned an IP address by your network, this is the one connected to the external network. If this is not eth0 you need to either switch the network cables connected to the computer or remember to swap the interface names everywhere in the rest of this document. We are going to be assigning eth1 with a static IP address, which can cause problems if it conflicts with the rest of your network.
- Edit, with sudo, '/etc/network/interfaces' and replace its contents with the following
<bash> auto lo eth0 eth1
iface lo inet loopback
- External network
iface eth0 inet dhcp
- Internal network
iface eth1 inet static
address 192.168.1.1 network 192.168.1.0 netmask 255.255.255.0 broadcast 192.168.1.255
</bash>
- This configuration makes eth0 continue to get its configuration through DHCP, and statically configures eth1. Listing both interfaces on the auto line will mean that they will automatically connect on startup.
- Because we are setting up the interfaces in this config file, we should probably prevent networkmanager from trying to do it as well.
<bash> sudo update-rc.d NetworkManager remove</bash>
- Restart the network
<bash> sudo /etc/init.d/networking stop sudo /etc/init.d/networking start </bash>
- Verify the network configuration by looking for the correct IP addresses for eth0 and eth1.
<bash> ifconfig</bash>
Set up DNS and DHCP
- dnsmasq is a lightweight combination DNS/DHCP server. For the anticipated number of clients for this network, it should be sufficient.
- Warning: Again, it is important to get the network interfaces correct for this. Running a rogue DHCP server on the wrong interface could cause major network problems. eth1 should be the internal network card.
- Replace /etc/dnsmasq.conf with the following:
<bash> interface=eth1
dhcp-range=192.168.1.50,192.168.1.150,12h dhcp-authoritative dhcp-script=/bin/echo </bash>
- Restart dnsmasq
<bash> sudo /etc/init.d/dnsmasq restart </bash>
Set up the Firewall
- Save the following two scripts to ~/scripts
nat_forward_all.sh
<bash> echo -e "\n\nLoading simple rc.firewall-iptables version $FWVER..\n" DEPMOD=/sbin/depmod MODPROBE=/sbin/modprobe
EXTIF="eth0" INTIF="eth1" echo " External Interface: $EXTIF" echo " Internal Interface: $INTIF"
- ======================================================================
- == No editing beyond this line is required for initial MASQ testing ==
echo -en " loading modules: " echo " - Verifying that all kernel modules are ok" $DEPMOD -a echo "----------------------------------------------------------------------" echo -en "ip_tables, " $MODPROBE ip_tables echo -en "nf_conntrack, " $MODPROBE nf_conntrack echo -en "nf_conntrack_ftp, " $MODPROBE nf_conntrack_ftp echo -en "nf_conntrack_irc, " $MODPROBE nf_conntrack_irc echo -en "iptable_nat, " $MODPROBE iptable_nat echo -en "nf_nat_ftp, " $MODPROBE nf_nat_ftp echo "----------------------------------------------------------------------" echo -e " Done loading modules.\n" echo " Enabling forwarding.." echo "1" > /proc/sys/net/ipv4/ip_forward echo " Enabling DynamicAddr.." echo "1" > /proc/sys/net/ipv4/ip_dynaddr echo " Clearing any existing rules and setting default policy.."
iptables-restore <<-EOF
- nat
-A POSTROUTING -o "$EXTIF" -j MASQUERADE COMMIT
- filter
- INPUT ACCEPT [0:0]
- FORWARD DROP [0:0]
- OUTPUT ACCEPT [0:0]
-A FORWARD -i "$EXTIF" -o "$INTIF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT -A FORWARD -i "$INTIF" -o "$EXTIF" -j ACCEPT -A FORWARD -j LOG COMMIT EOF
echo -e "\nrc.firewall-iptables v$FWVER done.\n" </bash>
nat_block_all.sh
<bash> echo -e "\n\nLoading simple rc.firewall-iptables version $FWVER..\n" DEPMOD=/sbin/depmod MODPROBE=/sbin/modprobe
EXTIF="eth0" INTIF="eth1" echo " External Interface: $EXTIF" echo " Internal Interface: $INTIF"
- ======================================================================
- == No editing beyond this line is required for initial MASQ testing ==
echo -en " loading modules: " echo " - Verifying that all kernel modules are ok" $DEPMOD -a echo "----------------------------------------------------------------------" echo -en "ip_tables, " $MODPROBE ip_tables echo -en "nf_conntrack, " $MODPROBE nf_conntrack echo -en "nf_conntrack_ftp, " $MODPROBE nf_conntrack_ftp echo -en "iptable_nat, " $MODPROBE iptable_nat echo -en "nf_nat_ftp, " $MODPROBE nf_nat_ftp echo "----------------------------------------------------------------------" echo -e " Done loading modules.\n" echo " Enabling forwarding.." echo "1" > /proc/sys/net/ipv4/ip_forward echo " Enabling DynamicAddr.." echo "1" > /proc/sys/net/ipv4/ip_dynaddr echo " Clearing any existing rules and setting default policy.."
iptables-restore <<-EOF
- nat
-A POSTROUTING -o "$EXTIF" -j MASQUERADE COMMIT
- filter
- INPUT ACCEPT [0:0]
- FORWARD DROP [0:0]
- OUTPUT ACCEPT [0:0]
-A FORWARD -i "$INTIF" -j LOG -A FORWARD -i "$INTIF" -j REJECT COMMIT EOF
echo -e "\nrc.firewall-iptables v$FWVER done.\n" </bash>
- Make both scripts executable
<bash> chmod a+x ~/scripts/nat_block_all.sh chmod a+x ~/scripts/nat_forward_all.sh </bash>
- Test the wide-open script. Inspect the output for errors indicating something is wrong.
<bash> sudo ~/scripts/nat_forward_all.sh </bash>
- If the previous command was successful and you got dns and dhcp configured before, you should be able to connect through your gateway on computers on the internal network.
- Test this now, by connecting a test computer to the network if you haven't already. Try browsing the web on one of the test machines as a quick test. Use ipconfig /all or ifconfig to see how the test computer is being configured. Expected values are below:
Parameter | Expected Value |
---|---|
IP Address | 192.168.1.50-192.168.1.150 |
Subnet Mask | 255.255.255.0 |
Default Gateway | 192.168.1.1 |
Nameserver (DNS Server) | 192.168.1.1 |
- If everything seems to be working correctly, make the wide-open config run during system startup.
<bash> sudo cp nat_forward_all.sh /etc/init.d/nat.sh sudo ln -s /etc/init.d/nat.sh /etc/rc2.d/S95masquradescript </bash>
Set up the SOCKS 5 proxy
- Replace /etc/danted.conf with the following.
#logoutput: stderr logoutput: syslog #the above line will send any logs to /var/log/syslog instead to a terminal internal: eth1 port = 1080 external: eth0 method: username none #the above puts no username or password. Access will instead be controlled via client ip address/range. #if there is no username or password - then danted socks server needs to run as nobody, i.e. #user.privileged: proxy user.notprivileged: nobody ### "client-rules" ### #client pass { # from: 136.201.251.21/0 port 1-65535 to: 0.0.0.0/0 # # 136.201.251.21/0 = specific ip address. # } client pass { from: 192.168.1.0/16 port 1-65535 to: 0.0.0.0/0 } client block { from: 0.0.0.0/0 to: 0.0.0.0/0 log: connect error } ### "socks-rules" ### block { from: 0.0.0.0/0 to: 127.0.0.0/8 log: connect error } pass { from: 192.168.1.0/16 to: 0.0.0.0/0 protocol: tcp udp } pass { from: 127.0.0.0/8 to: 0.0.0.0/0 protocol: tcp udp } block { from: 0.0.0.0/0 to: 0.0.0.0/0 log: connect error }
- Start the proxy server
<bash> sudo /etc/init.d/danted restart </bash>
- If you get a "Failed to open libc.so..." error message when starting the proxy server, this is caused by a mistake in the dante-server debian package. To work around this, create a simlink to the correct libc.so and try again to start danted.
<bash> sudo ln -sf /lib/i386-linux-gnu/libc-2.13.so /lib/i386-linux-gnu/libc.so </bash>
- Test connecting through the proxy by configuring the web browser on one of the test machines connected through the gateway to use the proxy.
- Restrict outgoing traffic through the gateway by enabling the more restrictive iptables configuration.
<bash> sudo ~/scripts/nat_block_all.sh </bash>
- In the proxy options section of the browser, supply 192.168.1.1 as the SOCKS server and 1080 as the port.
- Attempt to browse to an internet website. If you can browse as usual, the proxy is working correctly.
- Disable the proxy in the browser.