User:Log Linden/Socks5Viewer/TestPlan/ProxyGateway
Introduction
These instructions will help you set up a simple Ubuntu gateway machine that will allow you to control access to the outside network for computers that are operating behind the gateway. This setup was created for testing the SOCKS 5 proxy. With some modification, the same setup could be used for testing various other network conditions, including throttling the connection speed down to something closer to residential DSL speeds. The instructions are intended for someone with a reasonable familiarity with Ubuntu Linux and will only discuss the customisations needed to set up the gateway.
Requirements
Hardware
- A standard off-the-shelf PC with two Ethernet NICs
- 1 Ethernet switch for the "internal" network
- Network cables
- Other computers to actually test the viewer on.
Software
- Ubuntu Linux 11.04 (Natty) install media (Other flavors of Ubuntu, including Ubuntu server should work with these instructions as well.)
Instructions
Connect network hardware
- Connect one network card to the outside network.
- Connect the other network card to the internal ethernet switch.
- Connect testing computers to the internal network switch.
Install Ubuntu and Packages
- Install Ubuntu on the gateway machine. Consult the official Ubuntu install instructions for more information.
- Reboot into the installed system.
- Update the packages on the system.
<bash>
sudo apt-get update
sudo apt-get upgrade
</bash>
- Install some additional useful packages that we will need.
<bash>
sudo apt-get install dnsmasq dante-server openssh-server
</bash>
Configure Network Interfaces
- IMPORTANT NOTE: For the purpose of this document, eth0 is the device that is connecting to the outside network, and eth1 is connecting to the internal network. Verify which is which on your setup.
<bash>ifconfig</bash>
Chances are, only one of the ethX devices will have been assigned an IP address by your network; this is the one connected to the external network. If this is not eth0, you need to either switch the network cables connected to the computer or remember to swap the interface names everywhere in the rest of this document. We are going to assign eth1 a static IP address, which can cause problems if it conflicts with the rest of your network.
- Edit, with sudo, '/etc/network/interfaces' and replace its contents with the following
<bash>
auto lo eth0 eth1
iface lo inet loopback

# External network
iface eth0 inet dhcp

# Internal network
iface eth1 inet static
    address 192.168.1.1
    network 192.168.1.0
    netmask 255.255.255.0
    broadcast 192.168.1.255
</bash>
- This configuration makes eth0 continue to get its configuration through DHCP, and statically configures eth1. Listing both interfaces on the auto line will mean that they will automatically connect on startup.
- Because we are setting up the interfaces in this config file, we should prevent NetworkManager from trying to configure them as well.
<bash> sudo update-rc.d NetworkManager remove</bash>
- Restart the network
<bash>
sudo /etc/init.d/networking stop
sudo /etc/init.d/networking start
</bash>
- Verify the network configuration by looking for the correct IP addresses for eth0 and eth1.
<bash> ifconfig</bash>
Set up DNS and DHCP
- dnsmasq is a lightweight combination DNS/DHCP server. For the anticipated number of clients for this network, it should be sufficient.
- Warning: Again, it is important to get the network interfaces correct for this. Running a rogue DHCP server on the wrong interface could cause major network problems. eth1 should be the internal network card.
- Replace /etc/dnsmasq.conf with the following:
<bash>
interface=eth1
dhcp-range=192.168.1.50,192.168.1.150,12h
dhcp-authoritative
dhcp-script=/bin/echo
</bash>
- Restart dnsmasq
<bash> sudo /etc/init.d/dnsmasq restart </bash>
Set up the Firewall
- Save the following two scripts to ~/scripts
nat_forward_all.sh
<bash>
#!/bin/bash
# bash is needed for the "echo -e" / "echo -en" calls below.
echo -e "\n\nLoading simple rc.firewall-iptables version $FWVER..\n"
DEPMOD=/sbin/depmod
MODPROBE=/sbin/modprobe

EXTIF="eth0"
INTIF="eth1"
echo " External Interface: $EXTIF"
echo " Internal Interface: $INTIF"

#======================================================================
#== No editing beyond this line is required for initial MASQ testing ==
echo -en " loading modules: "
echo " - Verifying that all kernel modules are ok"
$DEPMOD -a
echo "----------------------------------------------------------------------"
echo -en "ip_tables, "
$MODPROBE ip_tables
echo -en "nf_conntrack, "
$MODPROBE nf_conntrack
echo -en "nf_conntrack_ftp, "
$MODPROBE nf_conntrack_ftp
echo -en "nf_conntrack_irc, "
$MODPROBE nf_conntrack_irc
echo -en "iptable_nat, "
$MODPROBE iptable_nat
echo -en "nf_nat_ftp, "
$MODPROBE nf_nat_ftp
echo "----------------------------------------------------------------------"
echo -e " Done loading modules.\n"
echo " Enabling forwarding.."
echo "1" > /proc/sys/net/ipv4/ip_forward
echo " Enabling DynamicAddr.."
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
echo " Clearing any existing rules and setting default policy.."

# Masquerade everything leaving EXTIF; forward internal traffic outward and
# allow only established/related traffic back in. Anything else is logged
# and then dropped by the FORWARD policy.
iptables-restore <<-EOF
*nat
-A POSTROUTING -o "$EXTIF" -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i "$EXTIF" -o "$INTIF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i "$INTIF" -o "$EXTIF" -j ACCEPT
-A FORWARD -j LOG
COMMIT
EOF

echo -e "\nrc.firewall-iptables v$FWVER done.\n"
</bash>
nat_block_all.sh
<bash>
#!/bin/bash
# bash is needed for the "echo -e" / "echo -en" calls below.
echo -e "\n\nLoading simple rc.firewall-iptables version $FWVER..\n"
DEPMOD=/sbin/depmod
MODPROBE=/sbin/modprobe

EXTIF="eth0"
INTIF="eth1"
echo " External Interface: $EXTIF"
echo " Internal Interface: $INTIF"

#======================================================================
#== No editing beyond this line is required for initial MASQ testing ==
echo -en " loading modules: "
echo " - Verifying that all kernel modules are ok"
$DEPMOD -a
echo "----------------------------------------------------------------------"
echo -en "ip_tables, "
$MODPROBE ip_tables
echo -en "nf_conntrack, "
$MODPROBE nf_conntrack
echo -en "nf_conntrack_ftp, "
$MODPROBE nf_conntrack_ftp
echo -en "iptable_nat, "
$MODPROBE iptable_nat
echo -en "nf_nat_ftp, "
$MODPROBE nf_nat_ftp
echo "----------------------------------------------------------------------"
echo -e " Done loading modules.\n"
echo " Enabling forwarding.."
echo "1" > /proc/sys/net/ipv4/ip_forward
echo " Enabling DynamicAddr.."
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
echo " Clearing any existing rules and setting default policy.."

# Log and reject everything arriving from the internal interface, so that
# internal clients can only reach the outside through a proxy on the gateway.
iptables-restore <<-EOF
*nat
-A POSTROUTING -o "$EXTIF" -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i "$INTIF" -j LOG
-A FORWARD -i "$INTIF" -j REJECT
COMMIT
EOF

echo -e "\nrc.firewall-iptables v$FWVER done.\n"
</bash>
- Make both scripts executable
<bash>
chmod a+x ~/scripts/nat_block_all.sh
chmod a+x ~/scripts/nat_forward_all.sh
</bash>
- Test the wide-open script. Inspect the output for errors indicating something is wrong.
<bash> sudo ~/scripts/nat_forward_all.sh </bash>
- If the previous command was successful and you configured DNS and DHCP earlier, computers on the internal network should now be able to connect through your gateway.
- Test this now, by connecting a test computer to the network if you haven't already. Try browsing the web on one of the test machines as a quick test. Use ipconfig /all or ifconfig to see how the test computer is being configured. Expected values are below:
Parameter | Expected Value |
---|---|
IP Address | 192.168.1.50-192.168.1.150 |
Subnet Mask | 255.255.255.0 |
Default Gateway | 192.168.1.1 |
Nameserver (DNS Server) | 192.168.1.1 |
- If everything seems to be working correctly, make the wide-open config run during system startup.
<bash>
sudo cp ~/scripts/nat_forward_all.sh /etc/init.d/nat.sh
sudo ln -s /etc/init.d/nat.sh /etc/rc2.d/S95masquradescript
</bash>
Set up the SOCKS 5 proxy
- Replace /etc/danted.conf with the following.
<bash>
logoutput: /var/log/dante.log
internal: eth1 port = 1080
external: eth0

# Accept either username auth or no auth. If using username auth, use the same
# username and password that are used to sign on to this machine.
method: username none

#user.privileged: proxy
user.notprivileged: nobody

### "client-rules" ###
client pass {
        from: 192.168.1.0/24 port 1-65535 to: 0.0.0.0/0
}

client block {
        from: 0.0.0.0/0 to: 0.0.0.0/0
        log: connect error
}

### "socks-rules" ###
# Block connections to loopback interfaces
block {
        from: 0.0.0.0/0 to: 127.0.0.0/8
        log: connect error
}

# Allow udp reply packets from outside
pass {
        from: 0.0.0.0/0 to: 192.168.1.0/24
        command: udpreply
}

# Allow the internal network to connect to everything outside
pass {
        from: 192.168.1.0/24 to: 0.0.0.0/0
        protocol: tcp udp
}

# Block anything else
block {
        from: 0.0.0.0/0 to: 0.0.0.0/0
        log: connect error
}
</bash>
- Start the proxy server
<bash> sudo /etc/init.d/danted restart </bash>
- If you get a "Failed to open libc.so..." error message when starting the proxy server, this is caused by a mistake in the dante-server Debian package. To work around this, create a symlink to the correct libc.so and try to start danted again.
<bash> sudo ln -sf /lib/i386-linux-gnu/libc-2.13.so /lib/i386-linux-gnu/libc.so </bash>
- Test connecting through the proxy by configuring the web browser on one of the test machines connected through the gateway to use the proxy.
- Restrict outgoing traffic through the gateway by enabling the more restrictive iptables configuration.
<bash> sudo ~/scripts/nat_block_all.sh </bash>
- In the proxy options section of the browser, supply 192.168.1.1 as the SOCKS server and 1080 as the port.
- Attempt to browse to an internet website. If you can browse as usual, the proxy is working correctly.
- Disable the proxy in the browser.
Set up the HTTP (Web) proxy
Configure the HTTP proxy
- Edit /etc/squid/squid.conf. We will be editing the existing file instead of replacing it. We need to open up some ports, enable SSL communication via the CONNECT method, and disable caching.
- A patch that will give us the access we need:
<diff> --- squid.conf.original 2011-07-11 13:58:12.640564821 -0400 +++ squid.conf 2011-08-16 15:22:55.420862811 -0400 @@ -606,8 +606,6 @@
# Example rule allowing access from your local networks. # Adapt to list your (internal) IP networks from where browsing # should be allowed
-acl localnet src 10.0.0.0/8 # RFC1918 possible internal network -acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network # acl SSL_ports port 443 # https
@@ -628,6 +626,8 @@
acl Safe_ports port 901 # SWAT acl purge method PURGE acl CONNECT method CONNECT
+# Enable SSL via CONNECT +acl SSL method CONNECT
# TAG: http_access # Allowing or Denying access based on defined access lists
@@ -661,7 +661,8 @@
# Deny requests to unknown ports http_access deny !Safe_ports # Deny CONNECT to other than SSL ports
-http_access deny CONNECT !SSL_ports +## Removed to allow connection to caps router on simhosts. +#http_access deny CONNECT !SSL_ports
# # We strongly recommend the following be uncommented to protect innocent # web applications running on the proxy server who think the only
@@ -675,6 +676,8 @@
# from where browsing should be allowed #http_access allow localnet http_access allow localhost
+http_access allow localnet +
# And finally deny all other access to this proxy http_access deny all
@@ -1111,8 +1114,9 @@
# visible on the internal address. # # Squid normally listens to port 3128
-http_port 3128 +http_port 192.168.1.1:3128
+cache deny all
# TAG: https_port # Note: This option is only available if Squid is rebuilt with the # --enable-ssl option
@@ -3939,7 +3943,7 @@
# "0". May be overridden with -u on the command line. # #Default:
-# icp_port 3130 +icp_port 0
# TAG: htcp_port # The port number where Squid sends and receives HTCP queries to
</diff>
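Review bot: In the first hunk (@@ -606,8 +606,6 @@) the `acl localnet src 192.168.0.0/16` line that is kept is still wider than the 192.168.1.0/24 internal network this gateway serves. Because `http_access allow localnet` is enabled later in the patch, narrow it to `acl localnet src 192.168.1.0/24` so only the test network can use the proxy.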
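Review bot: In the second hunk (@@ -628,6 +626,8 @@) the added `acl SSL method CONNECT` matches exactly what the `acl CONNECT method CONNECT` line directly above it already matches, and no `http_access` line in this patch refers to `SSL`. Drop the new ACL and its comment; whether CONNECT is permitted is decided by the `http_access` rules, not by declaring a second ACL.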
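Review bot: In the third hunk (@@ -661,7 +661,8 @@) commenting out `http_access deny CONNECT !SSL_ports` allows CONNECT tunnels to every port that passes `http_access deny !Safe_ports`, not just the caps router port named in the new comment. Keep the deny rule and add that one port to the `SSL_ports` ACL instead, and say in the comment which port it is.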
- To apply the patch, save it to a file named squid.diff in your home directory and run the following command:
<bash> sudo patch /etc/squid/squid.conf ~/squid.diff </bash>
- If you would rather edit by hand, the sequence of instructions to do the above is listed below.
- Look for the following line:
http_port 3128
- Replace with the following:
http_port 192.168.1.1:3128
cache deny all
- Look for the following lines:
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
- Replace with
acl localnet src 192.168.1.0/24 # RFC1918 possible internal network
- Look for the following line:
acl CONNECT method CONNECT
- Append two lines after to make it look like this:
acl CONNECT method CONNECT
# Enable SSL via CONNECT
acl SSL method CONNECT
- Comment out the following line:
http_access deny CONNECT !SSL_ports
- It should look like this:
#http_access deny CONNECT !SSL_ports
- Look for the following line:
http_access allow localhost
- Append another line after it so that it now looks like this:
http_access allow localhost
http_access allow localnet
- Now that the configuration file is correct, we need to restart the squid proxy:
<bash>
sudo stop squid
sudo start squid
</bash>
- Examine syslog for any errors related to squid.
<bash> sudo tail /var/log/syslog </bash>
Test the HTTP Proxy
- Restrict outgoing traffic through the gateway by enabling the more restrictive iptables configuration.
<bash> sudo ~/scripts/nat_block_all.sh </bash>
- In the proxy options section of the browser on the test machine, supply 192.168.1.1 as the HTTP and HTTPS proxy server with 3128 as the port in both cases.
- Remove any SOCKS proxy configuration in the browser.
- Attempt to browse to an internet website. Also try browsing to an https:// website such as https://codereview.secondlife.com. If you can browse as usual, the proxy is working correctly.
- Disable the proxy in the browser.
Cleanup
- Reboot the machine, using the graphical menus to reboot or the following command. Verify that everything still works as before.
<bash> sudo shutdown -r now </bash>
- Note that we left the unrestricted firewall configuration as the default. When the gateway is rebooted, you will need to rerun ~/scripts/nat_block_all.sh to restrict connections again. If you would like that to be the default state, copy ~/scripts/nat_block_all.sh to /etc/init.d/nat.sh.
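The proxy tests above only prove anything while direct forwarding is blocked, and the gateway boots into the open ruleset. The following added example (not part of the original page) reads `iptables-save` output and reports whether an internal client could bypass the proxy. The function name `gateway_mode` and the sample dumps are constructed for illustration, and only unconditional FORWARD rules are evaluated.

```shell
#!/bin/sh
# Added example, not from the original page: classify an iptables-save dump
# by whether internal clients can reach the outside without a proxy.
# On the gateway: sudo iptables-save | gateway_mode
INTIF="${INTIF:-eth1}"   # internal interface, as on the page
EXTIF="${EXTIF:-eth0}"   # external interface, as on the page

gateway_mode() {
    awk -v intif="$INTIF" -v extif="$EXTIF" '
        /^\*/ { table = substr($0, 2); next }
        table != "filter" { next }
        $1 == ":FORWARD" { policy = $2; next }
        $1 == "-A" && $2 == "FORWARD" && verdict == "" {
            iif = oif = target = ""; conditional = 0
            for (i = 3; i <= NF; i++) {
                if ($i == "-i") iif = $(i + 1)
                else if ($i == "-o") oif = $(i + 1)
                else if ($i == "-j") target = $(i + 1)
                else if ($i ~ /^-[mpsd]$/) conditional = 1
            }
            # Only unconditional rules matching INTIF -> EXTIF decide.
            if (conditional) next
            if (iif != "" && iif != intif) next
            if (oif != "" && oif != extif) next
            if (target ~ /^(ACCEPT|REJECT|DROP)$/) verdict = target
        }
        END {
            if (verdict == "") verdict = policy   # fall through to chain policy
            if (verdict == "ACCEPT") print "direct-allowed"
            else if (verdict == "REJECT" || verdict == "DROP") print "direct-blocked"
            else print "unknown"
        }'
}

# Constructed samples of what the two scripts on this page would load.
SAMPLE_FORWARD_ALL='*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i eth0 -o eth1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A FORWARD -j LOG
COMMIT'
SAMPLE_BLOCK_ALL='*filter
:FORWARD DROP [0:0]
-A FORWARD -i eth1 -j LOG
-A FORWARD -i eth1 -j REJECT --reject-with icmp-port-unreachable
COMMIT'
printf '%s\n' "$SAMPLE_BLOCK_ALL" | gateway_mode
```

Run it before each proxy test; a result of `direct-allowed` means a successful page load says nothing about the proxy.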
Packet Capture Tools
- On a machine with the X11 graphical environment, you can use wireshark to capture packets going through the computer. Install wireshark with the following command.
<bash> sudo apt-get install wireshark </bash>
- Allow non-root users to perform captures. Note that this should not be done on a machine where you do not trust all of the users to monitor traffic.
<bash> sudo setcap 'CAP_NET_RAW+eip CAP_NET_ADMIN+eip' /usr/bin/dumpcap </bash>
- Start wireshark. In the list of capture devices, select "pseudo-device that captures on all interfaces". The program should be capturing packets.
- Use the filter box at the top to filter for specific protocols, like "http" or certain hosts with strings like "ip.addr == 192.168.1.120".
Useful References
If you run into difficulties with these instructions, there is more information in the official documentation. I based the configurations in this document mostly on the following sites: