Google fuzzylab00net.blog.dada.net

Squid 2.6 + tproxy + bridge + gentoo

by _Demo_ (17/06/2007 - 15:44)

My goal was to set up a transparent bridge with content filtering features.
(seems that we are under censorship!!)


I was looking for a good way to implement a transparent proxy, and for something new.
I started from these links:

http://www.balabit.com/support/community/products/tproxy/
http://wiki.squid-cache.org/SquidFaq/InterceptionProxy#head-5887c3744368f290e63fda47fd1e4715c9bdbc9b


I've already set up a Linux box doing squid+squidguard content filtering but, you know, doing the same stuff again is not very interesting.

The tproxy patch seems to me a good way to create a bridge that can act as a transparent content filter.

tproxy enables a special feature that allows spoofing the requests from the squidbox to the destination; in this way the remote host will see the real IP of the client instead of the IP of the squidbox.
Yes, it sounds like a MitM aka Man in the Middle. This can be funny, so don't try this @ home,
especially if it is not your @ home :D

Here is how I made it work.

First of all, read this:
http://www.mail-archive.com/squid-users@squid-cache.org/msg40227.html

That is the most essential guide; it has all the info you need, but there is something more to do.

1) Download the kernel

cd /usr/src
wget http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.20.14.tar.gz
tar xzvf linux-2.6.20.14.tar.gz
rm linux
ln -s linux-2.6.20.14 linux


2) get the kernel patch and apply it

cd /usr/local/src
wget http://www.balabit.com/downloads/files/tproxy/linux-2.6/cttproxy-2.6.20-2.0.6.tar.gz
tar xzvf cttproxy-2.6.20-2.0.6.tar.gz
cd /usr/src/linux

for i in /usr/local/src/cttproxy-2.6.20-2.0.6/patch_tree/0{1,2,3}*.patch; do cat $i | patch -p1; done

If there's no error you'll see messages like this:
Hunk #1 succeeded at 1506 (offset 1 line).
Hunk #2 succeeded at 1536 (offset 1 line).
Hunk #3 succeeded at 1743 (offset 1 line).
...

3) Follow the Gentoo guide to set up a kernel with iptables support.
http://gentoo-wiki.com/HOWTO_Iptables_for_newbies

Let's use the current config to start:
zcat /proc/config.gz > .config
make menuconfig

If you want iptables as a module:
Loadable module support --->
 [*] Enable loadable module support
 [ ] ...
 [*]   Automatic kernel module loading


NOTE: As of kernel 2.6.20 (as of 2.6.19) you must enable the following:

Networking  ---->
 Networking options  ---->
  [*]   IP: advanced router
   <*> 802.1d Ethernet Bridging

  Network packet filtering framework (Netfilter)--->
   [*]   Bridged IP/ARP packets filtering (NEW)
   Core Netfilter Configuration ---->
    [*] Netfilter connection tracking support--->
               ["enable"] Layer 3 Dependent Connection tracking (OBSOLETE)
    [*] Netfilter Xtables support (required for ip_tables)
    [*] "state" match support
   IP: Netfilter Configuration --->
    <*>   IP tables support (required for filtering/masq/NAT)
    <*>   Full NAT

When you enable Full NAT this section will appear:
      IP: Netfilter Configuration --->
       <*> Transparent proxying
       <M>   tproxy match support
       <M>   TPROXY target support

Now it is time for bridge netfilter:
  Network packet filtering framework (Netfilter)--->
   Bridge: Netfilter Configuration  --->
    <M> Ethernet Bridge tables (ebtables) support
    <M>   ebt: broute table support

Enable all of them as modules, or choose by yourself what is good for you.
Then build the kernel as usual and boot with the new kernel.

If you chose to build iptables as modules, load them at boot:
 echo "ip_tables" >> /etc/modules.autoload.d/kernel-2.6
 echo "iptable_filter" >> /etc/modules.autoload.d/kernel-2.6
 echo "ipt_TPROXY" >> /etc/modules.autoload.d/kernel-2.6
 echo "ipt_tproxy" >> /etc/modules.autoload.d/kernel-2.6


Be sure that tproxy is loaded:
 dmesg | grep TPROXY
 IP_TPROXY: Transparent proxy support initialized 2.0.6
 IP_TPROXY: Copyright (c) 2002-2006 BalaBit IT Ltd.

4) patch iptables  .. the long way

 mkdir -p /usr/overlay/net-firewall/iptables
 cp /usr/portage/net-firewall/iptables/iptables-1.3.7.ebuild /usr/overlay/net-firewall/iptables

 cp -R  /usr/portage/net-firewall/iptables/files/ /usr/overlay/net-firewall/iptables
 cp  /usr/local/src/cttproxy-2.6.20-2.0.6/iptables/iptables-1.3-cttproxy.diff /usr/overlay/net-firewall/iptables/files
 cd /usr/overlay/net-firewall/iptables
 cp iptables-1.3.7.ebuild iptables-1.3.7-r1.ebuild
There are a few changes we have to make:

 vi iptables-1.3.7-r1.ebuild
-------------------------------------------
 TPROXY_PATCH_1="iptables-1.3-cttproxy.diff"

 KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~m68k mips ~ppc ~ppc64 ~s390 ~sh sparc x86"
 IUSE="extensions imq ipv6 l7filter static tproxy"


src_unpack() {
    unpack ${P}.tar.bz2
    use l7filter && unpack ${L7_P}.tar.gz
    cd "${S}"
    # apply the cttproxy patch only when the tproxy USE flag is set
    if use tproxy ; then
        EPATCH_OPTS="-p1" epatch "${FILESDIR}"/${TPROXY_PATCH_1}
        chmod +x extensions/.tproxy-test
    fi
}
-------------------------------------------

Now make a digest.

 echo 'PORTDIR_OVERLAY="/usr/overlay"' >> /etc/make.conf
 ebuild iptables-1.3.7-r1.ebuild digest

Now it is time to build iptables with the tproxy patch:

 USE="tproxy" emerge =iptables-1.3.7-r1
If everything is correct you'll see:
* Applying iptables-1.3-cttproxy.diff ...                                [ ok ]

4.1) patch iptables  .. the short way

 cp /usr/portage/distfiles/iptables-1.3.5.tar.bz2 /usr/local/src/
 cd /usr/local/src/
 tar jxvf iptables-1.3.5.tar.bz2
 cd  iptables-1.3.5
 cat /usr/local/src/cttproxy-2.6.20-2.0.6/iptables/iptables-1.3-cttproxy.diff | patch -p 1
 chmod +x extensions/.tproxy-test
 make KERNELDIR=/usr/src/linux
 make install
 cp /usr/local/lib/iptables/*  /lib/iptables/
 cp /usr/local/sbin/iptables /usr/sbin/

5) compile squid with tproxy support.

NOTE: you do not need any patch since this feature is already present in squid 2.6.

 mkdir -p /usr/overlay/net-proxy/squid
 cp /usr/portage/net-proxy/squid/squid-2.6.12.ebuild /usr/overlay/net-proxy/squid
 cp /usr/portage/net-proxy/squid/files/* /usr/overlay/net-proxy/squid/files/
 cd /usr/overlay/net-proxy/squid
We only have to enable linux-tproxy support:
 vi squid-2.6.12.ebuild
------------------------------------------------------------------------
IUSE="pam ldap samba sasl nis ssl snmp selinux logrotate zero-penalty-hit
    pf-transparent ipf-transparent
    elibc_uclibc kernel_linux tproxy"

    local myconf=""
    if use tproxy; then
        myconf="${myconf} --enable-linux-tproxy"
    fi
------------------------------------------------------------------------
 ebuild squid-2.6.12.ebuild digest
 USE="tproxy" emerge  squid

It will fail with this message:

WARNING: Cannot find TPROXY headers, you need to install the
tproxy package from:
 - lynx http://www.balabit.com/downloads/tproxy/

NOTE:
the link is broken: http://www.balabit.com/downloads/files/tproxy

To fix it you have to copy the tproxy header from the patched kernel tree:

 cp /usr/src/linux/include/linux/netfilter_ipv4/ip_tproxy.h /usr/include/linux/netfilter_ipv4

Also, because in squid (tools.c) this is defined:
#include <sys/capability.h>

you have to copy capability.h into /usr/include/sys or you'll get this error:
------------------------------------------------------------------
tools.c:49:28: sys/capability.h: No such file or directory
tools.c: In function `leave_suid':
tools.c:638: error: `cap_user_header_t' undeclared (first use in this function)
tools.c:638: error: (Each undeclared identifier is reported only once
tools.c:638: error: for each function it appears in.)
tools.c:638: error: syntax error before "head"
tools.c:639: error: `cap_user_data_t' undeclared (first use in this function)
tools.c:641: error: `head' undeclared (first use in this function)
tools.c:641: error: `_LINUX_CAPABILITY_VERSION' undeclared (first use in this function)
tools.c:643: error: `cap' undeclared (first use in this function)
tools.c:643: error: `CAP_NET_ADMIN' undeclared (first use in this function)
tools.c:643: error: `CAP_NET_BIND_SERVICE' undeclared (first use in this function)
tools.c:643: error: `CAP_NET_BROADCAST' undeclared (first use in this function)
distcc[30242] ERROR: compile tools.c on localhost failed
------------------------------------------------------------------

And to fix it, simply:
 cp /usr/include/linux/capability.h /usr/include/sys

OK, now we have all we need; let's install squid:
 USE="tproxy" emerge  squid


6) Configure squid.conf to enable tproxy
There are two directives that enable tproxy in squid.conf:

 http_port 3128 tproxy transparent
 tcp_outgoing_address 192.168.1.100
Note:
if tcp_outgoing_address (the squidbox IP) is not set you will see errors like this
in /var/log/squid/cache.log:
-----------------------------------------------------------------------
2007/06/16 18:03:48| tproxy ip=192.168.1.2,0x20010ac,port=0 ERROR ASSIGN
2007/06/16 18:03:48| tproxy ip=192.168.1.2,0x20010ac,port=0 ERROR ASSIGN
-----------------------------------------------------------------------

Remember to enable debugging with debug_options ALL,1 in squid.conf to see what's wrong.


7) Configure the bridge

To configure the bridge simply edit /etc/conf.d/net:

-------------------------------------
# /etc/conf.d/net
# br0 is made of eth0 and eth1; the ports themselves get no address
bridge_br0="eth0 eth1"
config_eth0=( "null" )
config_eth1=( "null" )
#config_br0=( "dhcp" ) # may not work when adding ports dynamically
config_br0=( "192.168.1.100/24" )
-------------------------------------

and then
 cd /etc/init.d/
 ln -s net.lo net.br0
 rc-update add net.br0 default


If for any reason you need to bring the bridge up manually, here is the script
to configure the bridge:
--------------------
#!/bin/sh
# bridge.sh
# take the ports down, then bring them back up without any IP address
ifconfig eth0 down
ifconfig eth1 down

ifconfig eth0 0.0.0.0 up
ifconfig eth1 0.0.0.0 up

# create the bridge and add both ports to it
brctl addbr br0

brctl addif br0 eth0
brctl addif br0 eth1

# the bridge itself gets the squidbox address and the default route
ifconfig br0 192.168.1.100 up
route add default gw 192.168.1.1

# no spanning tree and no forwarding delay, so the ports forward at once
brctl stp br0 off
brctl setfd br0 0
--------------------


8) Kernel options

Remember to enable IP forwarding in your kernel using
/etc/sysctl.conf:

net.ipv4.ip_forward = 1

or doing
 echo 1 > /proc/sys/net/ipv4/ip_forward

I have net.ipv4.ip_nonlocal_bind = 0 and it works also if it is set to 1.



9) TProxy Interception

To redirect traffic from the bridge to squid we need ebtables, which is like iptables
for the traffic that is crossing the bridge.
Ref:
http://ebtables.sourceforge.net/

Install ebtables program :

 emerge  ebtables

and use this rule to intercept the traffic for destination port 80

 ebtables -t broute -A BROUTING -p IPv4 --ip-protocol 6 --ip-destination-port 80 -j redirect --redirect-target ACCEPT


Now let's redirect to squid using iptables and tproxy

 iptables -t tproxy -A PREROUTING -i br0 -p tcp --dport 80 -j TPROXY --on-port 3128


10) Testing

Workstation: 192.168.1.2
Squidbox   : 192.168.1.100
Webserver  : 192.168.1.100

Assuming the scenario where eth0 is attached to the Workstation with a cross cable
and eth1 to the LAN switch, you will see in the Apache logs of the Webserver the IP address
of the Workstation instead of the Squidbox one.
Also in access.log you will see all the HTTP traffic coming from the
Workstation.
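As an added verification step (not part of the original post), here is a small shell script that checks offline for the two symptoms described above: the tproxy ERROR ASSIGN lines in cache.log from step 6, and whether the Webserver's Apache log shows the Workstation's address rather than the Squidbox's, as step 10 expects. The log lines are constructed samples; the Webserver address 192.168.1.50 is an assumption made for the sample.

```shell
#!/bin/sh
# Added example, not from the original post: offline checks for the two
# symptoms described in the post, run over constructed sample log lines.
# Addresses follow the post's setup (Workstation 192.168.1.2, Squidbox
# 192.168.1.100); the Webserver address 192.168.1.50 is constructed here.

# Constructed /var/log/squid/cache.log excerpt (tcp_outgoing_address unset).
CACHE_LOG='2007/06/16 18:03:48| tproxy ip=192.168.1.2,0x20010ac,port=0 ERROR ASSIGN
2007/06/16 18:03:48| tproxy ip=192.168.1.2,0x20010ac,port=0 ERROR ASSIGN
2007/06/16 18:03:49| Ready to serve requests.'

# Constructed Apache combined log from the Webserver; the client is field 1.
APACHE_LOG='192.168.1.2 - - [16/Jun/2007:18:05:01 +0200] "GET / HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
192.168.1.2 - - [16/Jun/2007:18:05:02 +0200] "GET /a.html HTTP/1.1" 200 5678 "-" "Mozilla/5.0"'

# Constructed squid native access.log; the client is field 3.
ACCESS_LOG='1181930701.123     45 192.168.1.2 TCP_MISS/200 1500 GET http://192.168.1.50/ - DIRECT/192.168.1.50 text/html
1181930702.456     30 192.168.1.2 TCP_MISS/200 5900 GET http://192.168.1.50/a.html - DIRECT/192.168.1.50 text/html'

# Number of "tproxy ... ERROR ASSIGN" lines; more than 0 means
# tcp_outgoing_address is missing from squid.conf.
count_tproxy_assign_errors() {
    printf '%s\n' "$1" | grep -c 'tproxy ip=.*ERROR ASSIGN' || true
}

# Space-separated, sorted, unique client addresses taken from field $2 of log $1.
unique_clients() {
    printf '%s\n' "$1" | awk -v f="$2" 'NF >= f { print $f }' | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# Prints "ok" when the Webserver saw exactly the clients squid saw and never
# the Squidbox's own address (spoofing works); otherwise prints the reason.
check_spoofing() {
    squidbox="$1"
    web_clients=$(unique_clients "$2" 1)
    squid_clients=$(unique_clients "$3" 3)
    case " $web_clients " in
        *" $squidbox "*) echo "spoof-failed: webserver logged $squidbox"; return 1 ;;
    esac
    if [ "$web_clients" = "$squid_clients" ]; then
        echo ok
    else
        echo "mismatch: web=[$web_clients] squid=[$squid_clients]"; return 1
    fi
}

echo "assign errors: $(count_tproxy_assign_errors "$CACHE_LOG")"
check_spoofing 192.168.1.100 "$APACHE_LOG" "$ACCESS_LOG"
```

On a real squidbox, feed the functions the actual files with `"$(cat /var/log/squid/cache.log)"` and the Webserver's access log copied over.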

That's all for now.


