Fully Transparent + Tproxy + Bridge + Interception + Windows Authentication
Fully Transparent + Tproxy + Bridge + Interception
A proxy is a server-like program, receiving requests from clients, forwarding those requests to the real server on behalf of the user, and returning the response as it arrives. Proxies read and parse the application protocol, and reject invalid traffic. So using proxies on a firewall to mediate requests means higher level of security, than packet filtering firewalls.
Simple, non-transparent proxying is somewhat difficult to manage and administer since each client program must be set up to use proxies.
Transparent proxy
To simplify management tasks of clients sitting behind proxy firewalls, the technique ‘transparent proxying’ was invented. Transparent proxying means that the presence of the proxy is invisible to the user. Transparent proxying however requires kernel support.
Packet filters packages lacking
Real transparent proxying requires the following three features from the IP stack of the computer it is running on:
- Redirect sessions destined to the outer network to a local process using a packet filter rule.
- Make it possible for a process to listen to connections on a foreign address.
- Make it possible for a process to initiate a connection with a foreign address as a source.
To increase the efficiency of our internet connection, we use a caching web proxy. A web proxy makes the HTTP request on behalf of the client, and caches the result for later. That way, if multiple users request the same document, the cache can serve its local copy, rather than wasting bandwidth. This has two benefits: users get their content faster (when it’s cached), and the internet connection isn’t bogged down with duplicate requests. Tproxy enable a special feature that allow spoofing request from squidbox to destination , in this way the remote host will see the real ip of the client instead of the ip of the squidbox. We use our Squid box as a bridging interception proxy. This means that the machine acts as a bridge, and is inserted “inline” between other network devices (in our case, just before our firewall). Additionally, Squid is configured as an interception proxy, which means that it will grab requests destined for port 80 (the standard HTTP port) and run them through the caching engine. Connections not bound for port 80 are passed straight through the bridge. This setup is advantageous because it makes the proxy completely invisible to the rest of the network (and the users). If we need to, we can simply take the machine out of the network and everything will continue to work just as before (except that it’s not being cached). No settings on the client machines need to change. However, this setup requires compiling our own Linux kernel, and also our own version of Squid. We’ll walk you through the steps below.
Note: these steps assume Debian Linux (“Etch” is the release we’re using). If you use a different system you may need to compile according to your distribution’s conventions.
TARGET:
First of all showing our target what we will achieve till end of this article.
Workstation: 10.101.88.85
Squidbox : 172.25.12.4
Webserver : 192.168.1.100
You will see in apache logs of Webserver the ip addres of Workstation instead the Squidbox one. Also in access.log you will see all the traffic for http that it cames from Workstation.
Preparing the System
First, set some environment variables so your custom builds will have sane values in the description files:
export DEBFULLNAME="M.Adnan shahzad" export DEBEMAIL="adnan.shahzad@your_org.edu.pk"
Now we need to download all the components necessary to build packages on our system. Make sure your package repository listing is up-to-date:
apt-get update
Move into the source directory on the machine:
cd /usr/src
Now we need to download a special patch for bridging proxy support in the kernel and iptables, and unpack it.
wget http://www.balabit.hu/downloads/files/tproxy/obsolete/linux-2.6/cttproxy-2.6.18-2.0.6.tar.gz
tar -zxf cttproxy-2.6.18-2.0.6.tar.gz
We are now ready to fetch and build the three other components we need: the kernel, iptables, and squid
Kernel Compilation
First, fetch the kernel package and all of the packages necessary to build a kernel (you can put the following command all on one line):
apt-get install linux-source-2.6.18 kernel-package libncurses5-dev
fakeroot bzip2 build-essential dpatch devscripts
This will put a tarball of the Linux source in /usr/src. Go there and unpack it:
cd /usr/src
tar -jxf linux-source-2.6.18.tar.bz2
Now move into the Linux source directory:
cd linux-source-2.6.18
You need to apply the patches included with the tproxy download you got earlier:
for patch in ../cttproxy-2.6.18-2.0.6/patch_tree/\*.patch
d> o patch -p1 < $patch
done
Now it’s time for a standard Debian kernel build. I suggest making based on the existing config:
make oldconfig
(You may also use make menuconfig for a graphical interface.)
That will ask you about the new features added by the patch. You want to enable the following:
If you want iptables as a module:
Loadable module support ---> [*] Enable loadable module support [ ] ... [*] Automatic kernel module loading
NOTE As of kernel 2.6.20 (as of 2.6.19) you Must enable the following
Networking ----> Networking options ----> [*] IP: advanced router 802.1d Ethernet Bridging Network packet filtering framework (Netfilter)---> [*] Bridged IP/ARP packets filtering (NEW) Core Netfilter Configuration ----> [*] Netfilter connection tracking support---> ["enable"\] Layer 3 Dependent Connection tracking (OBSOLETE) [*] Netfilter Xtables support (required for ip_tables) [*] "state" match support IP: Netfilter Configuration ---> IP tables support (required for filtering/masq/NAT) Full NAT
When you enable full nat then will appear this section
IP: Netfilter Configuration ---> Transparent proxying tproxy match support TPROXY target support
Now is time for bridge netfilter:
Network packet filtering framework (Netfilter)---> Bridge: Netfilter Configuration ---> Ethernet Bridge tables (ebtables) support ebt: broute table support
You’re now ready to build the kernel:
make-kpkg clean
make-kpkg --rootcmd fakeroot --initrd --append-to-version=-tproxy.1.0 kernel_image
Wait a while for the kernel to compile. When it’s done you’ll have a linux-image package in /usr/src. Go ahead and install it:
cd /usr/src
dpkg -i linux-image-2.6.18\*.deb
If the installation was successful, then we’re almost done (with the kernel, anyway).
We want to load the tproxy modules by default, so add the following lines to the end of your /etc/modules file:
ip_tables
iptable_filter
ipt_TPROXY
ipt_tproxy
Reboot your machine into the new kernel. You can confirm the version by running uname -a. You can confirm that tproxy was installed by running:
dmesg | grep TPROXY
IPTables Compilation:
The new version of the kernel has a patched version of iptables support, which requires that we recompile the iptables binaries to match.
First, move into your source directory:
cd /usr/src
Next, get the source for iptables:
apt-get source iptables
apt-get build-dep iptables
Move into the source directory:
cd iptables-1.3.6.0debian1
Patch the sources:
Note: change of directory to inner iptables dir
cd iptables
patch -p1 < ../../cttproxy-2.6.18-2.0.6/iptables/iptables-1.3-cttproxy.diff
chmod +x extensions/.tproxy-test
Additionally, we need to copy our patched kernel sources into the iptables tree so it can build against them. Change back to the root iptables source tree:
cd /usr/src/iptables-1.3.6.0debian1
Now move the default linux dir out of the way:
mv linux linux-orig
mkdir linux
And copy your linux files in:
for x in COPYING Makefile include net
do cp -a /usr/src/linux-2.6.18/$x linux/$x
done
Now you’re ready to build. Susbstitute your e-mail address in the build command:
dpkg-buildpackage -rfakeroot -us -uc -b –adnan.shahzad@your_org.edu.pk
You’ll end up with an iptables .deb file in your /usr/src directory. You can move into that directory and install the package:
cd /usr/src
dpkg -i iptables_1.3.6.0debian1-5_i386.deb
To confirm that everything is working correctly, try the following command:
iptables -t tproxy -L
If that doesn’t give an error, then all of the modules are installed correctly, and you’re ready to go.
Squid Compilation
For maximum performance, the Squid maintainers recommend that you compile your own version of Squid from scratch. Additionally, our “tproxy” setup is not included in Debian, so we must compile our own anyway.
Change into the source directory:
cd /usr/src
Fetch the source for squid, and the build dependencies:
apt-get source squid
apt-get build-dep squid
./configure –prefix=/usr –exec_prefix=/usr –bindir=/usr/sbin –sbindir=/usr/sbin –libexecdir=/usr/lib/squid –sysconfdir=/etc/squid –localstatedir=/var/spool/squid –datadir=/usr/share/squid –enable-linux-netfilter –enable-storeio=ufs,aufs,diskd,null –enable-arp-acl –enable-removal-policies=lru,heap –enable-snmp –enable-delay-pools –enable-htcp –enable-poll –enable-cache-digests –enable-underscores –enable-referer-log –enable-useragent-log –enable-auth=basic,digest,ntlm –enable-carp –enable-large-files –enable-linux-tproxy –enable-delay-pools –enable-cache-digests –enable-poll –disable-ident-lookups –enable-truncate –enable-removal-policies –enable-delay-pools –enable-cache-digests –enable-poll –enable-arp-acl –disable-ident-lookups –enable-truncate –enable-auth=basic –enable-auth-helpers=NCSA –with-maxfd=8192 –enable-removal-policies=lru,heap –enable-storeio=diskd,ufs,aufs –enable-snmp –enable-icmp –enable-htcp –enable-external-acl-helpers=”wbinfo_group” –enable-basic-auth-helpers=PAM –enable-ssl
We need to make the tproxy headers available to Squid for compilation. You can do this by running the following:
cp /usr/src/linux/include/linux/netfilter_ipv4/ip_tproxy.h
/usr/include/linux/netfilter_ipv4/
You must also install libcap-dev to get the capabilities file for compiling Squid (if you don’t do this, you’ll see “CAP_NET” errors):
apt-get install openssl ssl-cert
apt-get install libcap-dev
Also, be sure to add capability to your /etc/modules file (Debian doesn’t load capabilities by default).
You may wish to set certain compiler flags (e.g., CFLAGS=’-O2 -march=pentium4’) before the build to include any processor-specific options.
Note: That these packages may only work for the architecture they’re compiled for!
Now, build the package! Susbstitute your e-mail address in the build command:
dpkg-buildpackage -rfakeroot -us -uc -b -myou@example.com
Once you’ve built the binary installation packages, you’re ready to install them. They’ll appear in the parent directory to your source folder, and there should be 4 Debian package files:
squid_2.6.5-6etch1_i386.deb
squid-cgi_2.6.5-6etch1_i386.deb
squidclient_2.6.5-6etch1_i386.deb
squid-common_2.6.5-6etch1_all.deb
You’ll need to install any dependencies manually. At the moment, this includes lsb-base (for squid) and a web server (for squid-cgi).
To install lsb-base:
sudo apt-get install lsb-base
For a web server, you can go with the tried-and-true apache. However, we want as lightweight a server as possible, so we opt for thttpd:
sudo apt-get install thttpd
You can install the Debian packages using dpkg -i:
sudo dpkg -i /usr/src/squid\*.deb
Once this is done, you should have Squid installed, and ready to configure!
Configuration
At this point, you should have Squid installed on your system. You can confirm this by typing squid -v on the command line. You should get back Squid’s version, along with any compile-time options.
If you don’t have Squid yet, visit the previous section for information on compiling it from scratch, or install a packaged version from your OS vendor. For example, you could say this under Debian:
sudo apt-get install squid squidclient squid-cgi
Now that you’ve got Squid, it’s time to configure it. Squid has a great deal of run-time options, which affect how it caches documents. We’ve tuned our config to work with our particular needs; the descriptions below explain the choices we’ve made. You should make changes as you see fit.
Configure squid.conf to enable tproxy
There are two directive that enable tproxy in squid.conf
http_port 80 tproxy transparent tcp_outgoing_address 172.25.12.4
Note:
if tcp_outgoing_address (squidbox ip) is not set you will see error like this
in /var/log/squid/cache.log :
2007/06/16 18:03:48| tproxy ip=172.25.12.4,0x20010ac,port=0 ERROR ASSIGN
2007/06/16 18:03:48| tproxy ip=172.25.12.4,0x20010ac,port=0 ERROR ASSIGN
—————————————————————————–
Remember to enable debug with debug_options ALL,1 in squid.conf to see what’s wrong
Bridge Setup
We configure our system as a network bridge, which means that it sits between two physical devices on our network and relays the packets between them. However, there’s a twist: we intercept certain packets (those destined for port 80) and shunt them to Squid for processing.
You’ll need two ethernet cards in your machine to bridge between (one “in” and one “out”, as it were). You can use another card for a management IP address, or you can actually assign an address to the bridge itself and reach the machine just as you would a “real” interface.
In order to set up the bridge, we need to make a few tweaks to the system. First, we need to install some software that’s necessary for setting up a bridge:
apt-get install bridge-utils
Next, edit /etc/network/interfaces. You should already have a stanza for a statically configured interface (e.g., eth0). Keep the settings for the stanza, but replace the interface name with br0. Also, add the line bridge_ports eth1 eth2 to add them to the bridge. For example:
auto br0
iface br0 inet static
bridge_ports eth1 eth2
address 172.25.12.4
netmask 255.255.255.248
gateway 172.25.12.6
Additionally, if your setup is like ours you’ll need to add some routing to the box so it knows where to send packets. Our Squid box sits just between our firewall/router and LAN. Thus, it needs to be told how to route packets to the LAN and packets to the outside world. We do this by specifying the firewall as the “gateway” in the interfaces file, and adding a static route for our LAN. Thus, you would add the following lines to /etc/network/interfaces in the br0 stanza:
up route add -net 10.0.0.0/8 gw 172.25.12.6
We’ll need to tell the kernel that we’re going to forward packets, so make sure the following are set in /etc/sysctl.conf:
net.ipv4.conf.default.rp_filter=1
net.ipv4.conf.default.forwarding=1
net.ipv4.conf.all.forwarding=1
Once you’re all set, the easiest thing to do is reboot for the bridge config to take effect. The other settings should now be working also. cat /proc/sys/net/ipv4/ip_forward to confirm that the machine is in forwarding mode.
TProxy Interception
To redirect traffic from the brige to squid we need ebtables, which is like iptables. we want manipulate the traffic that is crossing the brige.
Install ebtables program :
Apt-get install ebtables
and use this rule to intercept the traffic for destination port 80
ebtables -t broute -A BROUTING -p IPv4 --ip-protocol 6 --ip-destination-port 80 -j redirect --redirect-target ACCEPT
Now let’s redirect to squid using iptables and tproxy
iptables -t tproxy -A PREROUTING -i br0 -p tcp --dport 80 -j TPROXY --on-port 80
Testing:
Workstation: 10.101.88.85
Squidbox : 172.25.12.4
Webserver : 10.101.88.25
You will see in apache logs of Webserver the ip addres of Workstation instead the Squidbox one. Also in access.log you will see all the traffic for http that it cames from Workstation.
FAQ:
1) How to I find my kernel is patched with Tproxy?
2) When Kernel rebuild it didn’t detect LAN Card.
3) How do I check TPROXY Rules?
4) How can I check IPTABLES patched working?
Source.list
deb http://http.us.debian.org/debian stable main contrib non-free
#deb http://dotdeb.pimpmylinux.org/ stable all
#deb-src http://dotdeb.pimpmylinux.org/ stable all
#deb http://non-us.debian.org/debian-non-US stable/non-US main contrib non-free
#deb http://security.debian.org stable/updates main contrib non-free
#deb http://http.us.debian.org/debian/ etch main contrib non-free
#deb http://security.debian.org/ etch/updates main
#deb http://packages.dotdeb.org stable all
#deb http://rekudos.net/ testing main
deb http://packages.dotdeb.org stable all
deb-src http://ftp.de.debian.org/debian testing main contrib non-free
deb-src http://security.debian.org stable/updates main contrib non-free
# deb cdrom:[Debian GNU/Linux 4.0 r0 Etch - Official i386 NETINST Binary-1 20070407-11:29]/ etch contrib main
#deb cdrom:[Debian GNU/Linux 4.0 r0 Etch - Official i386 NETINST Binary-1 20070407-11:29]/ etch contrib main
#deb http://ftp.egr.msu.edu/debian main
#deb http://people.debian.org/~pvaneynd/cl-sarge-packages ./
#deb http://people.debian.org/~pvaneynd/cl-breezy-packages ./
#deb http://packages.dotdeb.org stable all
deb-src http://ftp.de.debian.org/debian testing main contrib non-free
#deb-src http://security.debian.org stable/updates main contrib non-free
#deb http://http.us.debian.org/debian etch main contrib non-free
#deb http://security.debian.org/ etch/updates main
#deb http://http.us.debian.org/debian etch main contrib non-free
#deb http://packages.dotdeb.org stable all
#deb-src http://ftp.de.debian.org/debian testing main contrib non-free
#deb http://security.debian.org/ etch/updates main contrib
#deb-src http://security.debian.org/ etch/updates main contrib
# Security updates for “stable”
#deb http://security.debian.org stable/updates main contrib non-free
#deb http://security.debian.org testing/updates main contrib non-free
# Stable
#deb http://ftp.de.debian.org/pub/debian stable main contrib non-free
#deb http://ftp.de.debian.org/pub/debian-non-US stable/non-US main contrib non-free
# Stable Sources
#deb-src http://ftp.de.debian.org/pub/debian stable main contrib non-free
#deb-src http://ftp.de.debian.org/pub/debian-non-US stable/non-US main contrib non-free
#deb-src http://security.debian.org/ etch/updates main contrib.
# apt-get install libkrb53 libcupsys2-gnutls10 libldap2 libldap2-dev libkrb5-dev krb5-doc krb5-user krb5-config
# apt-get install libkrb5-dev krb5-doc krb5-user krb5-config
NTLM Authentication
Krb5.conf:
[libdefaults]
defaultrealm = YOURORG.NET
# encrypt = true
# The following krb5.conf variables are only for MIT Kerberos.
# krb4config = /etc/krb.conf
# krb4realms = /etc/krb.realms
# kdctimesync = 1
# ccachetype = 4
# forwardable = true
# proxiable = true
# The following encryption type specification will be used by MIT Kerberos
# if uncommented. In general, the defaults in the MIT Kerberos code are
# correct and overriding these specifications only serves to disable new
# encryption types as they are added, creating interoperability problems.
# defaulttgsenctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc des-cbc-md5
# defaulttktenctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc des-cbc-md5
# permittedenctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc des-cbc-md5
# The following libdefaults parameters are only for Heimdal Kerberos.
# v4instanceresolve = false
# v4nameconvert = {
# host = {
# rcmd = host
# ftp = ftp
# }
# plain = {
# something = something-else
# }
# }
# fcc-mit-ticketflags = true
[realms]
YOURORG.NET = {
adminserver = YOURORG.NET
kdc = XX.XX.XXX.XXX
defaultrealm = YOURORG.NET
}
[domainrealm]
.yourorg.net = YOURORG.NET
yourorg.net = YOURORG.NET
Squid Changes:
authparam ntlm program /usr/bin/ntlmauth –helper-protocol=squid-2.5-ntlmssp
authparam ntlm children 30
authparam ntlm keepalive on
authparam basic program /usr/bin/ntlmauth –helper-protocol=squid-2.5-basic
authparam basic children 5
authparam basic realm Squid proxy-caching web server
authparam basic credentialsttl 2 hours
acl ntlm proxyauth REQUIRED src=10.0.0.0/8
httpaccess allow ntlm
Smb.conf
# Global parameters
[global]
workgroup = YOURORG
realm = YOURORG.NET
preferred master = no
server string = Samba file and print server
security = ADS
encrypt passwords = yes
log level = 3
log file = /var/log/samba/%m
max log size = 50
# winbind separator = +
password server = XX.XX.XXX.XXX
printcap name = cups
printing = cups
idmap uid = 10000-20000
idmap gid = 10000-20000
nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the glibc-doc-reference' and
info’ packages installed, try:
# `info libc “Name Service Switch”’ for information about this file.
passwd: compat winbind
group: compat winbind
shadow: compat winbind
hosts: files dns wins
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
Key exchange btw linux and domain
# kinit adnan.shahzad@yourorg.net
For Domain joing
# net ads join -S XX.XX.XXX.XXX -U Shahzad