Configuring an External Transparent Proxy possible? (with pics)

MistyF · 11-02-2010, 05:28 PM

Heya!,
In my dorm on university campus, we can pick up the Universities wireless signal but it is weak and so does not propagate to all the rooms. As such, we have been using an old wag54g running in client mode to pick up the wireless and run our own subnet in the dorm.
The university uses a proxy and we have configured firefox on our client machines to use this quite successfully. The outline of the current network set-up is shown the diagram attached below.

We were hoping to remove some of the hassle of having to enter in the firefox proxy details everytime we bring our laptop back to the dorm network by having the wag54g keep the proxy settings instead.

However, Im having a bit of difficulty setting up my Wag54g to do this. After a bit of research, I saw two methods for implementing this. One was using the "Http Redirect" setting. http://www.dd-wrt.com/wiki/index.php/HTTPRedirect. I clicked enable, entered in the proxy IP address and port num, and entered in 192.168.2.0 for the IP source. This did not work. So we tried setting up a transparent proxy using iptables and this guide here: http://www.dd-wrt.com/wiki/index.php...nsparent_Proxy … rent_Proxy under the "Proxy Server on the LAN Subnet" guide.

Code:

#!/bin/sh
PROXY_IP=172.16.**.**
PROXY_PORT=8080
LAN_IP=`nvram get lan_ipaddr`
LAN_NET=$LAN_IP/`nvram get lan_netmask`

iptables -t nat -A PREROUTING -i br0 -s $LAN_NET -d $LAN_NET -p tcp --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -i br0 -s ! $PROXY_IP -p tcp --dport 80 -j DNAT --to $PROXY_IP:$PROXY_PORT
iptables -t nat -I POSTROUTING -o br0 -s $LAN_NET -d $PROXY_IP -p tcp -j SNAT --to $LAN_IP
iptables -I FORWARD -i br0 -o br0 -s $LAN_NET -d $PROXY_IP -p tcp --dport $PROXY_PORT -j ACCEPT

However, this did not work either, probably because the proxy is on the university side of the wag54g. Also, we have our router in client mode (i.e, the wirless connection is the WAN), would this affect this?
There is a guide there for using an "Proxy Server on Different Network and Using Chillispot", however, we dont use Chillispot, so this would be no good to us.

Could anyone point us in the right direction as to how we might go about this?

Thanks!

iwconfig:

Code:

br0       Link encap:Ethernet  HWaddr 00:99:4C:99:00:01  
          inet addr:192.168.2.1  Bcast:192.168.2.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:4810780 errors:0 dropped:0 overruns:0 frame:0
          TX packets:7635880 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:342226097 (326.3 MiB)  TX bytes:1952020360 (1.8 GiB)

br0:0     Link encap:Ethernet  HWaddr 00:99:4C:99:00:01  
          inet addr:169.254.255.1  Bcast:169.254.255.255  Mask:255.255.0.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

eth0      Link encap:Ethernet  HWaddr 00:99:4C:99:00:01  
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:4810845 errors:0 dropped:0 overruns:0 frame:0
          TX packets:7635873 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:448064534 (427.3 MiB)  TX bytes:2013483413 (1.8 GiB)
          Interrupt:4 

eth1      Link encap:Ethernet  HWaddr 00:99:4C:99:00:DE  
          inet addr:10.9.***.87  Bcast:10.9.255.255  Mask:255.255.0.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:7513683 errors:0 dropped:0 overruns:0 frame:12378202
          TX packets:4699844 errors:631 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:1925433979 (1.7 GiB)  TX bytes:430976081 (411.0 MiB)
          Interrupt:2 Base address:0x5000 

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING MULTICAST  MTU:16436  Metric:1
          RX packets:171 errors:0 dropped:0 overruns:0 frame:0
          TX packets:171 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:11556 (11.2 KiB)  TX bytes:11556 (11.2 KiB)

vlan0     Link encap:Ethernet  HWaddr 00:909:4C:99:00:01  
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:4810792 errors:0 dropped:0 overruns:0 frame:0
          TX packets:7635877 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:361471393 (344.7 MiB)  TX bytes:1982563106 (1.8 GiB)

vlan1     Link encap:Ethernet  HWaddr 00:99:4C:99:00:01  
          UP BROADCAST RUNNING PROMISC ALLMULTI MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

iptables -t nat -L

Code:

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         
DNAT       tcp  --  anywhere             10.9.129.87         tcp dpt:telnet to:192.168.2.1:23 
DNAT       icmp --  anywhere             10.9.129.87         to:192.168.2.1 
TRIGGER    0    --  anywhere             10.9.129.87         TRIGGER type:dnat match:0 relate:0 

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
SNAT       0    --  anywhere             anywhere            to:10.9.129.87 
RETURN     0    --  anywhere             anywhere            PKTTYPE = broadcast 
MASQUERADE  0    --  192.168.2.0/24       192.168.2.0/24      

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

http://www.dd-wrt.com/phpBB2/files/u...ection_143.png

Davethesnake · 11-02-2010, 05:51 PM

tell you what you could have done also it take the machines apart and wire in a reverse polarity sma socket then arm yourself with an external antennae for some of the machines,all you gotta do is solder the internal wi-fi card coax ,its really thin and tricky but you can do it if your carefull to the sma co-ax (rg174/or military spec) and hey presto not only will/or should your sniffing capability change (to the most esssential connection)youll connect to the best/ very strong signal.

MistyF · 11-02-2010, 08:33 PM

(double post)

MistyF · 11-02-2010, 08:34 PM

Thanks for the reply davethesnake! Unfortunately adding an external antenna onto all out laptops isnt very convenient.

At the moment, all computers on our local lan works fine, except that each has to be configured to use a proxy in firefox. As we move our laptops between networks (at home, college, work, etc), adding and removing the proxy settings becomes a pain. Also, our tv has no place to enter proxy settings so we cannot use it on the college network.

This is why i thought it would be more convenient if I could set up the router to forward all traffic through the external proxy using iptables.

I have tried the following since:

I have been reading up on iptables and have tried this in my firewall startup script (webgui->Administration->commands):

Code:

#!/bin/sh
PROXY_IP=172.*.*.**
PROXY_PORT=8080
LAN_IP=`nvram get lan_ipaddr`
LAN_NET=$LAN_IP/`nvram get lan_netmask`

iptables -t nat -A PREROUTING -i br0 -s $LAN_NET -d $LAN_NET -p tcp --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -i br0 -s ! $PROXY_IP -p tcp --dport 80 -j DNAT --to $PROXY_IP:$PROXY_PORT
iptables -t nat -I POSTROUTING -o vlan0 -s $LAN_NET -d $PROXY_IP -p tcp -j SNAT --to $LAN_IP
iptables -I FORWARD -i br0 -o vlan0 -s $LAN_NET -d $PROXY_IP -p tcp --dport $PROXY_PORT -j ACCEPT

Unfortunately it didnt work.

Would anybody have any idea on how i might progress further?

Davethesnake · 11-03-2010, 06:12 PM

I see your problems beyond me but bearing mind todays modern netbooks auto configure settings (from their soft).That'd be handy using a distro with this capability.

Davethesnake · 11-03-2010, 06:19 PM

You know "lo" is the test interface.?

stress_junkie · 11-03-2010, 07:19 PM

I am guessing that the operating system on the laptops is Windows. I wonder if you can use the Internet Connection Manager in Windows to configure this proxy setting. Can't Windows recognize your college LAN from other LANs? It seems that whenever I move a Windows computer from one building to another it wants to configure a new Internet connection.

Open Internet Explorer
Tools | Internet Options
Click on Connections tab
<do something clever>

Sorry I can't provide more details. I don't have access to a wifi enabled computer right now.

I'm really impressed with the work that you've already done with dd-wrt. I researched using OpenWRT for this but although they have some transparent proxy forwarding I could not see how to keep your wifi to wifi repeater function. And as you probably already read with dd-wrt, when you use that software in client mode it is going to behave like a plug-in wifi NIC, so it won't do anything else in that mode.

Quote:

Originally Posted by Davethesnake

You know "lo" is the test interface.?

"lo" is the loopback interface. It can be used for a variety of purposes. For example if you configure CUPS to respond only to the "lo" adapter then you can restrict CUPS management to people who are logged on to the machine running CUPS. The same is true for web server or SQL server or any other network service.

MistyF · 11-11-2010, 11:07 AM

Quote:

Originally Posted by stress_junkie

I am guessing that the operating system on the laptops is Windows. I wonder if you can use the Internet Connection Manager in Windows to configure this proxy setting. Can't Windows recognize your college LAN from other LANs? It seems that whenever I move a Windows computer from one building to another it wants to configure a new Internet connection.

Open Internet Explorer
Tools | Internet Options
Click on Connections tab
<do something clever>

Sorry I can't provide more details. I don't have access to a wifi enabled computer right now.

I'm really impressed with the work that you've already done with dd-wrt. I researched using OpenWRT for this but although they have some transparent proxy forwarding I could not see how to keep your wifi to wifi repeater function. And as you probably already read with dd-wrt, when you use that software in client mode it is going to behave like a plug-in wifi NIC, so it won't do anything else in that mode.

"lo" is the loopback interface. It can be used for a variety of purposes. For example if you configure CUPS to respond only to the "lo" adapter then you can restrict CUPS management to people who are logged on to the machine running CUPS. The same is true for web server or SQL server or any other network service.

Thanks for the reply StressMonkey!

Just to confirm, if I am using a ddwrt router in "wireless client mode", it wont do anything else in that mode, i.e the firewall and hence iptables wont work at all?

I thought that when the wireless router was put in client mode, that the wifi was set as the WAN port and the normal Ethernet ports were set as the LAN. Pretty much the same as a normal DDWrt setup, except that the WAN and the wifi were switched?

The image attached in the first post was simplified: In reality, I have another ddwrt router where "Desktop PC" be. I didnt think that it was relevant at the time, but instead, could I configure iptables on this router to forward all packets to the external proxy?

slacky · 11-11-2010, 01:19 PM

I believe the cache_peer directive of squid.conf tells it to use another proxy server. See the first example on this page, but try the ip address and port of your college's proxy.

http://wiki.squid-cache.org/Features...qlisted.yes%29

MistyF · 11-12-2010, 05:33 AM

Quote:

Originally Posted by slacky

I believe the cache_peer directive of squid.conf tells it to use another proxy server. See the first example on this page, but try the ip address and port of your college's proxy.

http://wiki.squid-cache.org/Features...qlisted.yes%29

Do you mean that the only solution is to have to have a separate linux machine running a squid proxy to forward all requests to the college proxy?
I was hoping that I would be able to do all this using just the router and iptables

slacky · 11-15-2010, 07:10 AM

Quote:

Originally Posted by MistyF

Do you mean that the only solution is to have to have a separate linux machine running a squid proxy to forward all requests to the college proxy?
I was hoping that I would be able to do all this using just the router and iptables

I guess I was assuming your router could run squid. I believe the iptables method will only work if your college proxy is configured to accept transparent traffic.

Another option is WPAD - http://en.wikipedia.org/wiki/Web_Pro...overy_Protocol - if the DHCP/DNS server on your router can support it.