Transparent Proxy Exercise

Pēdējais mainījis Administrator 2011-06-06 17:16

Exercise: Tunnelling and TCPMon

  1. Set up tunneling. Depending on the operating system of "myhomepc" use either Putty or ssh to set up tunnel from "myhomepc" to the VMWare instance "myserver". In the case of PuTTY, you can open "Session" in the left navigation bar; type in the IP address of your VMWare, and leave the default port number (22). Then open Connection->SSH->Tunnels and pick source port "8808" and destination www.google.com:80
    #picture("putty.png", "300")
    Figure: How to configure tunneling for PuTTY
  2. In case your desktop computer is Linux, set up the tunneling as described in SSH Tunneling Guide?.
  3. On VMWare "myserver" run the tcpdump program:
    tcpdump -n -i eth1 port 80
    Open browser session, type in the address http://localhost:8808 . The tcpdump should print IP packets arriving to the interface eth1, port 80 corresponding to this request. Browser should display Google search page.

TcpMon for Web traffic observation

  1. Exit the tunnel you set up in the previous exercise.
  2. Download the tcpmon.jar from https://tcpmon.dev.java.net/servlets/ProjectDocumentList?folderID=0.
  3. Run the JAR - either double-click it or run the command-line
    java -jar tcpmon.jar
  4. Pick local port equal to 8808, server name - either www.google.com or your VMWare machine's IP address and the server port 80. Press button [Add Monitor].
  5. Again connect to http://localhost:8808. Notice that you can see all the HTTP traffic in the monitor screen.
  6. Press the refresh button. See that there is a new "Cache-Control:max-age=0" header, and that Google responds with "304: Not Modified".
  7. Change your browser's language settings - Tools -> Options -> Advanced, and press *[Choose] button in the section "Languages". How are the HTTP headers affected?

Transparent Proxy (do not do this)

#picture("TransparentProxy.png", "200")
Figure: Typical data flow for a transparent proxy

Proxy BehaviorExpl.Transp.
Ensures anonymity, hides LAN layout to the outside worldYesYes
Caches the content ("Web objects" corresponding to URLs)YesYes
Replaces stale content, issue cache validation requestsYesYes
Reloads content, upon pressing browser's Refresh buttonYesYes(1)
Filters inappropriate contentYesYes
Does not require configuring each Web clientNoYes
Uses Proxy AuthorizationYesNo
Uses Ident Protocol (RFC 1413) to check users' identityYesNo(2)
Can resolve DNS names on behalf of clientYes(3)No
Prevents IP address spoofing (RFC2267)YesNo
Works for HTTP protocol on various (non-80) portsYesYes(4)

(1) Some browsers may not set the Cache-Control:no-cache header upon refresh, if no proxy is explicitly configured and they wrongly assume that they communicate directly with the server.
(2) The implicit proxy may not be able to open Ident protocol connection (Ident returns user's identification), since browser is not contacting the proxy.
(3) Squid resolves DNS on behalf of their clients by default.
(4) Configuring non-80 ports would require adding more rules to iptables to enable interceptors.

Spoofing attacks explained:

#picture("spoofing.png", "300")
Figure: Difficulty distinguishing Transparent proxies from IP spoofing

# lan0
allow ip from 172.16.1.0/24 to any via lan0
deny ip from any to any via lan0
# lan1
allow ip from 10.0.0.0/16 to any via lan1
deny ip from any to any via lan1

  1. If Squid is used as an interceptor, it returns packets with spoofed IP addresses itself. I.e. it is breaking "lan0" filtering rule.
  2. To use transparent proxy router has to disable such "lan0 deny" filtering rule - i.e. lan0 may now become a source for DOS attacks.
Here is how to set up transparent proxying:

  1. Enable IP packet forwarding on VMWare "myserver" (Figure 3): edit /etc/sysctl.conf: uncomment line:
    net.ipv4.conf.default.forwarding = 1
  2. Add the following rule to the iptables:
    iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 80 \
            -j REDIRECT --to-port 3128
  3. Save iptables: iptables-save
  4. Configure Squid on VMWare "myserver":
    http_port 80 accel vhost
  5. Restart Squid: /etc/init.d/squid restart
  6. In the Virtual Machine open the squid's logfile:
    tail -f /var/log/squid/access.log
    Repeat the same request as before. You should see the intercepted HTTP requests being logged
    Brīdinājums: TODO: This currently does not happen, possibly the error is in iptables configuration.
Tagi:
Izveidojis Kalvis Apsītis 2008-03-28 19:20
    
This wiki is licensed under a Creative Commons 2.0 license
XWiki Enterprise 6.4 - Documentation