Transparent Proxy Exercise

Last modified by Valdis Vītoliņš on 2018/01/15 21:44

Exercise: Tunnelling and TCPMon

  1. Set up tunneling. Depending on the operating system of "myhomepc", use either PuTTY or ssh to set up a tunnel from "myhomepc" to the VMWare instance "myserver". In the case of PuTTY, open "Session" in the left navigation bar, type in the IP address of your VMWare machine and leave the default port number (22). Then open Connection -> SSH -> Tunnels and pick source port "8808" and destination www.google.com:80.


Figure: How to configure tunneling for PuTTY

  2. If your desktop computer runs Linux, set up the tunnel as described in the SSH Tunneling Guide.
  3. On VMWare "myserver" run the tcpdump program:
tcpdump -n -i eth1 port 80
  4. Open a browser session and type in the address http://localhost:8808 . tcpdump should print the IP packets arriving at interface eth1, port 80, that correspond to this request, and the browser should display the Google search page.

TcpMon for Web traffic observation

  1. Exit the tunnel you set up in the previous exercise.
  2. Download tcpmon.jar from https://tcpmon.dev.java.net/servlets/ProjectDocumentList?folderID=0
  3. Run the JAR, either by double-clicking it or from the command line:
java -jar tcpmon.jar
  4. Set the local port to 8808, the server name to either www.google.com or your VMWare machine's IP address, and the server port to 80. Press the "Add Monitor" button.
  5. Again connect to http://localhost:8808. Notice that you can see all the HTTP traffic in the monitor screen.
  6. Press the browser's refresh button. See that there is a new "Cache-Control: max-age=0" header, and that Google responds with "304 Not Modified".
  7. Change your browser's language settings (Tools -> Options -> Advanced, then press the "Choose" button in the "Languages" section). How are the HTTP headers affected?

Transparent Proxy (do not do this)


Figure: Typical data flow for a transparent proxy

Proxy Behavior                                              Explicit   Transparent
Ensures anonymity, hides LAN layout to the outside world    Yes        Yes
Caches the content ("Web objects" corresponding to URLs)    Yes        Yes
Replaces stale content, issues cache validation requests    Yes        Yes
Reloads content upon pressing browser's Refresh button      Yes        Yes (1)
Filters inappropriate content                               Yes        Yes
Does not require configuring each Web client                No         Yes
Uses Proxy Authorization                                    Yes        No
Uses Ident Protocol (RFC 1413) to check users' identity     Yes        No (2)
Can resolve DNS names on behalf of client                   Yes (3)    No
Prevents IP address spoofing (RFC 2267)                     Yes        No
Works for HTTP protocol on various (non-80) ports           Yes        Yes (4)

(1) Some browsers may not set the "Cache-Control: no-cache" header upon refresh if no proxy is explicitly configured, because they wrongly assume that they are communicating directly with the server.
(2) The implicit proxy may not be able to open an Ident protocol connection (Ident returns the user's identification), since the browser is not contacting the proxy.
(3) Squid resolves DNS on behalf of its clients by default.
(4) Configuring non-80 ports would require adding more iptables rules to enable interception.

Spoofing attacks explained:


Figure: Difficulty distinguishing Transparent proxies from IP spoofing

# lan0
allow ip from 172.16.1.0/24 to any via lan0
deny ip from any to any via lan0
# lan1
allow ip from 10.0.0.0/16 to any via lan1
deny ip from any to any via lan1
  1. If Squid is used as an interceptor, its replies to the client carry the remote server's IP address as source, i.e. the router itself emits packets that look spoofed and break the "lan0" filtering rule.
  2. To use a transparent proxy, the router has to drop such a "lan0 deny" filtering rule, so lan0 may now become a source of DoS attacks with spoofed addresses.
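The rule listing above is the per-interface source-address check that RFC 2267 ingress filtering describes. The shell script below is an added example, not part of the original exercise: it evaluates those two rules (interface names and subnets taken from the listing; since the rules use "via", they match a packet on the interface regardless of direction) for a given packet, and shows that an interceptor's replies, which carry the remote web server's address as source on lan0, receive the same verdict as a spoofed packet. The packet addresses at the bottom, including 203.0.113.7 for the remote server, are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original page: evaluate the two per-interface
# source-address rules shown above (RFC 2267 style ingress filtering) for a
# given packet, to show why interception collides with them.
# Interfaces and subnets are the ones from the rule listing; the packet
# addresses used at the bottom are constructed for the demo.

# ip_to_int ADDR -> prints ADDR as a 32-bit integer
ip_to_int() {
    old_ifs=$IFS
    IFS=.
    set -- $1          # split the dotted quad into $1..$4
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_subnet ADDR NET/BITS -> exit status 0 if ADDR lies inside NET/BITS
in_subnet() {
    addr=$(ip_to_int "$1")
    net=$(ip_to_int "${2%/*}")
    bits=${2#*/}
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( addr & mask )) -eq $(( net & mask )) ]
}

# verdict IFACE SRC_ADDR -> prints "allow" or "deny" for a packet seen via
# IFACE with source SRC_ADDR, following the listing:
#   lan0: allow ip from 172.16.1.0/24, deny everything else
#   lan1: allow ip from 10.0.0.0/16,   deny everything else
verdict() {
    case $1 in
        lan0) allowed=172.16.1.0/24 ;;
        lan1) allowed=10.0.0.0/16 ;;
        *)    echo deny; return ;;
    esac
    if in_subnet "$2" "$allowed"; then echo allow; else echo deny; fi
}

# Constructed packets. 203.0.113.7 stands for the remote web server whose
# address the intercepting proxy's replies carry as source on lan0.
for pkt in "lan0 172.16.1.10" "lan0 10.0.0.5" "lan1 10.0.200.1" "lan0 203.0.113.7"; do
    set -- $pkt
    printf '%-5s src=%-14s -> %s\n' "$1" "$2" "$(verdict "$1" "$2")"
done
```

The last line of the demo is the interceptor case: the reply to the LAN client is sourced from 203.0.113.7 and is denied by the lan0 rule exactly like the packet from 10.0.0.5, which is why the rule has to be relaxed before interception can work.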

Here is how to set up transparent proxying:

  1. Enable IP packet forwarding on VMWare "myserver" (Figure 3): edit /etc/sysctl.conf and uncomment the line:
net.ipv4.conf.default.forwarding = 1
  2. Add the following rule to iptables, so that TCP connections to port 80 arriving on eth1 are redirected to the local port Squid listens on:
iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 80 \
        -j REDIRECT --to-port 3128
  3. Save the iptables rules: iptables-save
  4. Configure Squid on VMWare "myserver" to listen in interception mode on the port the rule above redirects to (3128); in squid.conf:
# interception mode on the port targeted by the REDIRECT rule;
# Squid 2.6/3.0 spell this option "transparent" instead of "intercept"
http_port 3128 intercept
  5. Restart Squid: /etc/init.d/squid restart
  6. In the Virtual Machine open Squid's logfile:
tail -f /var/log/squid/access.log
  7. Repeat the same request as before. You should see the intercepted HTTP requests being logged. TODO: this currently does not happen; possibly the error is in the iptables configuration.
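When intercepted requests never show up in access.log, the first thing to verify is that the two halves of the setup agree: the port the iptables REDIRECT rule sends connections to must be the port Squid listens on, and that http_port must be in interception mode ("intercept" in Squid 3.1 and later, "transparent" in Squid 2.6/3.0); an accelerator-mode line such as "http_port 80 accel vhost" fails on both counts. The script below is an added example, not part of the original exercise or of Squid: it extracts the REDIRECT target port from iptables rules text and the port and mode from squid.conf text, and reports the first mismatch. The rule and configuration lines it is fed are constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the original exercise: check that the iptables
# REDIRECT rule and Squid's http_port line agree (same port, interception
# mode). The inputs at the bottom are constructed for the demo.

# redirect_port RULES_TEXT -> prints the --to-port(s) value of the first
# nat PREROUTING REDIRECT rule for destination port 80 (accepts both the
# command-line spelling --to-port and the iptables-save spelling --to-ports)
redirect_port() {
    printf '%s\n' "$1" |
        sed -n 's/.*PREROUTING.*--dport 80 .*-j REDIRECT --to-ports\{0,1\} \([0-9][0-9]*\).*/\1/p' |
        head -n 1
}

# squid_listen CONF_TEXT -> prints "PORT MODE" for the first http_port line;
# MODE is the first option after the port, or "forward" when there is none
squid_listen() {
    printf '%s\n' "$1" |
        awk '$1 == "http_port" {
                 port = $2; sub(/^.*:/, "", port)       # drop an "addr:" prefix
                 print port, ($3 == "" ? "forward" : $3)
                 exit
             }'
}

# check_intercept RULES_TEXT CONF_TEXT -> prints "ok" or the mismatch found
check_intercept() {
    rport=$(redirect_port "$1")
    listen=$(squid_listen "$2")
    sport=${listen%% *}
    mode=${listen#* }
    if [ -z "$rport" ]; then
        echo "no nat PREROUTING REDIRECT rule for dport 80"
    elif [ -z "$listen" ]; then
        echo "no http_port line in squid.conf"
    elif [ "$rport" != "$sport" ]; then
        echo "iptables redirects to port $rport but Squid listens on port $sport"
    elif [ "$mode" != intercept ] && [ "$mode" != transparent ]; then
        echo "Squid port $sport is in '$mode' mode, not intercept/transparent"
    else
        echo ok
    fi
}

# --- constructed inputs for the demo ----------------------------------
# the exercise's REDIRECT rule, as iptables-save prints it
NAT_RULE='-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128'
# accelerator (reverse proxy) mode on port 80: wrong port and wrong mode
SQUID_ACCEL='http_port 80 accel vhost'
# interception mode on the redirected port
SQUID_INTERCEPT='http_port 3128 intercept
visible_hostname myserver'

check_intercept "$NAT_RULE" "$SQUID_ACCEL"
check_intercept "$NAT_RULE" "$SQUID_INTERCEPT"
```

On the VMWare machine itself the same check can be run against the live configuration with check_intercept "$(iptables-save -t nat)" "$(cat squid.conf)"; once it prints "ok", the remaining suspects are forwarding being disabled and the rule not being applied on eth1.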