LinuxQuestions.org, Linux - Networking forum
Old 11-02-2010, 06:28 PM   #1
MistyF
LQ Newbie
 
Registered: Nov 2010
Posts: 5

Rep: Reputation: 0
Configuring an External Transparent Proxy possible? (with pics)


Heya!
In my dorm on the university campus, we can pick up the university's wireless signal, but it is weak and so does not propagate to all the rooms. As such, we have been using an old WAG54G running in client mode to pick up the wireless and run our own subnet in the dorm.
The university uses a proxy, and we have configured Firefox on our client machines to use it quite successfully. The outline of the current network set-up is shown in the diagram attached below.

We were hoping to remove some of the hassle of having to enter the Firefox proxy details every time we bring our laptops back to the dorm network by having the WAG54G keep the proxy settings instead.

However, I'm having a bit of difficulty setting up my WAG54G to do this. After a bit of research, I saw two methods for implementing this. One was using the "HTTP Redirect" setting: http://www.dd-wrt.com/wiki/index.php/HTTPRedirect. I clicked enable, entered the proxy IP address and port number, and entered 192.168.2.0 for the IP source. This did not work. So we tried setting up a transparent proxy using iptables and this guide: http://www.dd-wrt.com/wiki/index.php...nsparent_Proxy, under the "Proxy Server on the LAN Subnet" section.

Code:

#!/bin/sh
# dd-wrt firewall script, "Proxy Server on the LAN Subnet" variant from the wiki.
# Redirects every outbound TCP/80 connection from the LAN bridge (br0) to the proxy.
PROXY_IP=172.16.**.**
PROXY_PORT=8080
LAN_IP=`nvram get lan_ipaddr`
LAN_NET=$LAN_IP/`nvram get lan_netmask`

# Web traffic between two LAN hosts is left alone (not sent via the proxy).
iptables -t nat -A PREROUTING -i br0 -s $LAN_NET -d $LAN_NET -p tcp --dport 80 -j ACCEPT
# All other port-80 traffic is DNATed to the proxy. Traffic from the proxy itself
# is excluded so its own fetches are not looped back into the redirect.
iptables -t nat -A PREROUTING -i br0 ! -s $PROXY_IP -p tcp --dport 80 -j DNAT --to $PROXY_IP:$PROXY_PORT
# Source-NAT the redirected flows to the router so the proxy's replies return via
# the router (needed when proxy and clients share the same subnet).
iptables -t nat -I POSTROUTING -o br0 -s $LAN_NET -d $PROXY_IP -p tcp -j SNAT --to $LAN_IP
iptables -I FORWARD -i br0 -o br0 -s $LAN_NET -d $PROXY_IP -p tcp --dport $PROXY_PORT -j ACCEPT


However, this did not work either, probably because the proxy is on the university side of the WAG54G. Also, we have our router in client mode (i.e. the wireless connection is the WAN); would this affect this?
There is a guide there for using a "Proxy Server on Different Network and Using Chillispot"; however, we don't use Chillispot, so this would be no good to us.

Could anyone point us in the right direction as to how we might go about this?

Thanks!

iwconfig:
Code:
br0       Link encap:Ethernet  HWaddr 00:99:4C:99:00:01  
          inet addr:192.168.2.1  Bcast:192.168.2.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:4810780 errors:0 dropped:0 overruns:0 frame:0
          TX packets:7635880 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:342226097 (326.3 MiB)  TX bytes:1952020360 (1.8 GiB)

br0:0     Link encap:Ethernet  HWaddr 00:99:4C:99:00:01  
          inet addr:169.254.255.1  Bcast:169.254.255.255  Mask:255.255.0.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

eth0      Link encap:Ethernet  HWaddr 00:99:4C:99:00:01  
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:4810845 errors:0 dropped:0 overruns:0 frame:0
          TX packets:7635873 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:448064534 (427.3 MiB)  TX bytes:2013483413 (1.8 GiB)
          Interrupt:4 

eth1      Link encap:Ethernet  HWaddr 00:99:4C:99:00:DE  
          inet addr:10.9.***.87  Bcast:10.9.255.255  Mask:255.255.0.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:7513683 errors:0 dropped:0 overruns:0 frame:12378202
          TX packets:4699844 errors:631 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:1925433979 (1.7 GiB)  TX bytes:430976081 (411.0 MiB)
          Interrupt:2 Base address:0x5000 

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING MULTICAST  MTU:16436  Metric:1
          RX packets:171 errors:0 dropped:0 overruns:0 frame:0
          TX packets:171 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:11556 (11.2 KiB)  TX bytes:11556 (11.2 KiB)

vlan0     Link encap:Ethernet  HWaddr 00:909:4C:99:00:01  
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:4810792 errors:0 dropped:0 overruns:0 frame:0
          TX packets:7635877 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:361471393 (344.7 MiB)  TX bytes:1982563106 (1.8 GiB)

vlan1     Link encap:Ethernet  HWaddr 00:99:4C:99:00:01  
          UP BROADCAST RUNNING PROMISC ALLMULTI MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
iptables -t nat -L
Code:
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         
DNAT       tcp  --  anywhere             10.9.129.87         tcp dpt:telnet to:192.168.2.1:23 
DNAT       icmp --  anywhere             10.9.129.87         to:192.168.2.1 
TRIGGER    0    --  anywhere             10.9.129.87         TRIGGER type:dnat match:0 relate:0 

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
SNAT       0    --  anywhere             anywhere            to:10.9.129.87 
RETURN     0    --  anywhere             anywhere            PKTTYPE = broadcast 
MASQUERADE  0    --  192.168.2.0/24       192.168.2.0/24      

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
http://www.dd-wrt.com/phpBB2/files/u...ection_143.png

Last edited by MistyF; 11-02-2010 at 06:48 PM.
 
Old 11-02-2010, 06:51 PM   #2
Davethesnake
LQ Newbie
 
Registered: Oct 2010
Posts: 25

Rep: Reputation: -14
Tell you what you could have done also: take the machines apart and wire in a reverse-polarity SMA socket, then arm yourself with an external antenna for some of the machines. All you gotta do is solder the internal Wi-Fi card coax (it's really thin and tricky, but you can do it if you're careful) to the SMA coax (RG174 or military spec), and hey presto, not only will (or should) your sniffing capability change (to the most essential connection), you'll connect to the best/very strong signal.
 
Old 11-02-2010, 09:33 PM   #3
MistyF
LQ Newbie
 
Registered: Nov 2010
Posts: 5

Original Poster
Rep: Reputation: 0
(double post)

Last edited by MistyF; 11-03-2010 at 09:53 AM.
 
Old 11-02-2010, 09:34 PM   #4
MistyF
LQ Newbie
 
Registered: Nov 2010
Posts: 5

Original Poster
Rep: Reputation: 0
Thanks for the reply, Davethesnake! Unfortunately adding an external antenna to all our laptops isn't very convenient.
At the moment, all computers on our local LAN work fine, except that each has to be configured to use a proxy in Firefox. As we move our laptops between networks (at home, college, work, etc.), adding and removing the proxy settings becomes a pain. Also, our TV has no place to enter proxy settings, so we cannot use it on the college network.

This is why I thought it would be more convenient if I could set up the router to forward all traffic through the external proxy using iptables.

I have tried the following since:

I have been reading up on iptables and have tried this in my firewall startup script (webgui->Administration->commands):

Code:
#!/bin/sh
# dd-wrt firewall script (webgui -> Administration -> Commands), second attempt:
# the same rules as before, but with the outbound interface set to vlan0.
# Note: in the ifconfig output above, vlan0 is the wired switch side of the
# br0 bridge; the wireless uplink to the university network is eth1.
PROXY_IP=172.*.*.**
PROXY_PORT=8080
LAN_IP=`nvram get lan_ipaddr`
LAN_NET=$LAN_IP/`nvram get lan_netmask`

# Web traffic between two LAN hosts is left alone.
iptables -t nat -A PREROUTING -i br0 -s $LAN_NET -d $LAN_NET -p tcp --dport 80 -j ACCEPT
# Redirect all other port-80 traffic from the LAN to the proxy.
iptables -t nat -A PREROUTING -i br0 ! -s $PROXY_IP -p tcp --dport 80 -j DNAT --to $PROXY_IP:$PROXY_PORT
# Source-NAT the redirected flows to the router's LAN address on the way out.
iptables -t nat -I POSTROUTING -o vlan0 -s $LAN_NET -d $PROXY_IP -p tcp -j SNAT --to $LAN_IP
iptables -I FORWARD -i br0 -o vlan0 -s $LAN_NET -d $PROXY_IP -p tcp --dport $PROXY_PORT -j ACCEPT
Unfortunately it didn't work.
Would anybody have any idea how I might progress further?

Last edited by MistyF; 11-02-2010 at 09:35 PM.
 
Old 11-03-2010, 07:12 PM   #5
Davethesnake
LQ Newbie
 
Registered: Oct 2010
Posts: 25

Rep: Reputation: -14
Davey Snake

I see your problem is beyond me, but bear in mind today's modern netbooks auto-configure settings (from their software). That'd be handy using a distro with this capability.
 
Old 11-03-2010, 07:19 PM   #6
Davethesnake
LQ Newbie
 
Registered: Oct 2010
Posts: 25

Rep: Reputation: -14
old snakey boy

You know "lo" is the test interface?
 
Old 11-03-2010, 08:19 PM   #7
stress_junkie
Senior Member
 
Registered: Dec 2005
Location: Massachusetts, USA
Distribution: Ubuntu 10.04 and CentOS 5.5
Posts: 3,873

Rep: Reputation: 331Reputation: 331Reputation: 331Reputation: 331
I am guessing that the operating system on the laptops is Windows. I wonder if you can use the Internet Connection Manager in Windows to configure this proxy setting. Can't Windows recognize your college LAN from other LANs? It seems that whenever I move a Windows computer from one building to another it wants to configure a new Internet connection.

Open Internet Explorer
Tools | Internet Options
Click on Connections tab
<do something clever>

Sorry I can't provide more details. I don't have access to a wifi enabled computer right now.

I'm really impressed with the work that you've already done with dd-wrt. I researched using OpenWRT for this but although they have some transparent proxy forwarding I could not see how to keep your wifi to wifi repeater function. And as you probably already read with dd-wrt, when you use that software in client mode it is going to behave like a plug-in wifi NIC, so it won't do anything else in that mode.

Quote:
Originally Posted by Davethesnake View Post
You know "lo" is the test interface?
"lo" is the loopback interface. It can be used for a variety of purposes. For example if you configure CUPS to respond only to the "lo" adapter then you can restrict CUPS management to people who are logged on to the machine running CUPS. The same is true for web server or SQL server or any other network service.

Last edited by stress_junkie; 11-03-2010 at 08:43 PM.
 
Old 11-11-2010, 12:07 PM   #8
MistyF
LQ Newbie
 
Registered: Nov 2010
Posts: 5

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by stress_junkie View Post
I am guessing that the operating system on the laptops is Windows. I wonder if you can use the Internet Connection Manager in Windows to configure this proxy setting. Can't Windows recognize your college LAN from other LANs? It seems that whenever I move a Windows computer from one building to another it wants to configure a new Internet connection.

Open Internet Explorer
Tools | Internet Options
Click on Connections tab
<do something clever>

Sorry I can't provide more details. I don't have access to a wifi enabled computer right now.

I'm really impressed with the work that you've already done with dd-wrt. I researched using OpenWRT for this but although they have some transparent proxy forwarding I could not see how to keep your wifi to wifi repeater function. And as you probably already read with dd-wrt, when you use that software in client mode it is going to behave like a plug-in wifi NIC, so it won't do anything else in that mode.


"lo" is the loopback interface. It can be used for a variety of purposes. For example if you configure CUPS to respond only to the "lo" adapter then you can restrict CUPS management to people who are logged on to the machine running CUPS. The same is true for web server or SQL server or any other network service.
Thanks for the reply, StressMonkey!

Just to confirm: if I am using a DD-WRT router in "wireless client mode", it won't do anything else in that mode, i.e. the firewall and hence iptables won't work at all?

I thought that when the wireless router was put in client mode, the wifi was set as the WAN port and the normal Ethernet ports were set as the LAN. Pretty much the same as a normal DD-WRT setup, except that the WAN and the wifi were switched?


The image attached in the first post was simplified: in reality, I have another DD-WRT router where "Desktop PC" is. I didn't think that it was relevant at the time, but could I instead configure iptables on this router to forward all packets to the external proxy?
 
Old 11-11-2010, 02:19 PM   #9
slacky
Member
 
Registered: Feb 2004
Location: USA
Distribution: Debian
Posts: 174

Rep: Reputation: 16
I believe the cache_peer directive of squid.conf tells it to use another proxy server. See the first example on this page, but try the ip address and port of your college's proxy.

http://wiki.squid-cache.org/Features...qlisted.yes%29
 
Old 11-12-2010, 06:33 AM   #10
MistyF
LQ Newbie
 
Registered: Nov 2010
Posts: 5

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by slacky View Post
I believe the cache_peer directive of squid.conf tells it to use another proxy server. See the first example on this page, but try the ip address and port of your college's proxy.

http://wiki.squid-cache.org/Features...qlisted.yes%29
Do you mean that the only solution is to have a separate Linux machine running a Squid proxy to forward all requests to the college proxy?
I was hoping that I would be able to do all this using just the router and iptables.
 
Old 11-15-2010, 08:10 AM   #11
slacky
Member
 
Registered: Feb 2004
Location: USA
Distribution: Debian
Posts: 174

Rep: Reputation: 16
Quote:
Originally Posted by MistyF View Post
Do you mean that the only solution is to have to have a separate linux machine running a squid proxy to forward all requests to the college proxy?
I was hoping that I would be able to do all this using just the router and iptables
I guess I was assuming your router could run squid. I believe the iptables method will only work if your college proxy is configured to accept transparent traffic.

Another option is WPAD - http://en.wikipedia.org/wiki/Web_Pro...overy_Protocol - if the DHCP/DNS server on your router can support it.
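Added example, not part of the thread or of any of the posters' setups, to show concretely why the DNAT rules in posts #1 and #4 cannot work against a conventional forward proxy (slacky's point in post #11) and what the "separate machine running Squid with cache_peer" from post #9 actually contributes. A client whose port-80 connection is silently DNATed believes it is talking to the origin server and sends an origin-form request (`GET /index.html HTTP/1.1` plus a `Host:` header). A forward proxy of the kind you enter in Firefox expects absolute-form (`GET http://www.example.org/index.html HTTP/1.1`); unless it was set up to accept intercepted traffic it rejects the origin-form request, and a Squid in its default configuration answers with an "Invalid URL" error page. The relay below accepts the DNATed connections on the dorm LAN, rebuilds the absolute URI from the Host header and forwards the request to the real proxy. The addresses (`172.16.0.1:8080` for the university proxy, which the thread redacts, and port 3128 for the relay) and all function names are my own assumptions for illustration.

```python
"""Origin-form -> absolute-form HTTP relay for a transparently intercepted LAN.

Added example (not the thread's code). Stand-in for a Squid cache_peer setup:
accepts connections DNATed by the router, rewrites the request line so that a
conventional forward proxy will accept it, and shuttles bytes both ways.
"""
import socket
import threading

PROXY_ADDR = ("172.16.0.1", 8080)   # assumed; the thread redacts the real address
LISTEN_ADDR = ("0.0.0.0", 3128)     # assumed relay port; point the DNAT rule here


def to_absolute_form(request_bytes: bytes) -> bytes:
    """Rewrite an intercepted origin-form HTTP request into absolute-form.

    Returns the whole request (headers plus whatever body has been read so
    far), or the input unchanged if it is already proxy-form or a CONNECT.
    Raises ValueError for requests a forward proxy could not route.
    """
    head, sep, body = request_bytes.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete header block")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3:
        raise ValueError("malformed request line")
    method, target, version = parts
    if method == b"CONNECT" or target.startswith(b"http://"):
        return request_bytes                 # already something a proxy accepts
    if not target.startswith(b"/"):
        raise ValueError("unexpected request-target %r" % target)

    host = None
    kept = [lines[0]]
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        key = name.strip().lower()
        if key == b"host":
            host = value.strip()             # may include ":port"; still valid in a URI
        if key in (b"connection", b"keep-alive", b"proxy-connection"):
            continue                         # replaced below
        kept.append(line)
    if not host:
        # HTTP/1.0 clients may omit Host. The original destination IP survives
        # only in the router's conntrack table, which this relay cannot see.
        raise ValueError("no Host header; cannot build absolute URI")

    kept[0] = b" ".join((method, b"http://" + host + target, version))
    # One request per connection: otherwise the second request on a keep-alive
    # connection would reach the proxy unrewritten.
    kept.append(b"Connection: close")
    return b"\r\n".join(kept) + sep + body


def _pump(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes src -> dst until EOF, then shut both sides down."""
    try:
        while True:
            chunk = src.recv(65536)
            if not chunk:
                break
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        for s in (src, dst):
            try:
                s.shutdown(socket.SHUT_RDWR)
            except OSError:
                pass


def handle(client: socket.socket) -> None:
    """Rewrite the first request on a DNATed connection, then relay both ways."""
    buf = b""
    try:
        while b"\r\n\r\n" not in buf and len(buf) < 65536:
            chunk = client.recv(4096)
            if not chunk:
                client.close()
                return
            buf += chunk
        rewritten = to_absolute_form(buf)
    except (ValueError, OSError):
        try:
            client.sendall(b"HTTP/1.1 400 Bad Request\r\nConnection: close\r\n\r\n")
        except OSError:
            pass
        client.close()
        return
    upstream = socket.create_connection(PROXY_ADDR)
    upstream.sendall(rewritten)
    threading.Thread(target=_pump, args=(client, upstream), daemon=True).start()
    _pump(upstream, client)


def serve(listen=LISTEN_ADDR) -> None:
    """Accept intercepted connections and hand each to a relay thread."""
    with socket.socket() as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(listen)
        srv.listen(64)
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=handle, args=(conn,), daemon=True).start()


if __name__ == "__main__":
    serve()
```

Run it on any Linux box on the 192.168.2.0/24 subnet and set PROXY_IP/PROXY_PORT in the first script of post #1 to that box's address and 3128: the `! -s $PROXY_IP` exclusion then keeps the relay's own outbound connections from being redirected back into itself. Two caveats a practitioner would want stated: this only covers plain HTTP on port 80 (a browser reaching an HTTPS site through a proxy has to issue CONNECT itself, so port 443 still needs a proxy setting or a PAC file), and whatever box runs the relay sees every cleartext request from the dorm, so it is a trust point in the same way the university proxy is.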
 