Stephen Reese

This is an effort to replicate the amusing idea of a transparent proxy that manipulates traffic in a fun way, found here and made even better by some great scripts that you can pull down from here. A Debian box was stood up with two network cards: one connects to the internal LAN and the other to an access point that your guests connect to. I chose to post this how-to because the original idea did not provide a complete reference on how to set up the needed components.

First, since we are using an access point, we take care of the DHCP and DNS duties ourselves, although the access point or another host could perform them if it supports those services. I chose to install the following DHCP service:

$ sudo apt-get install isc-dhcp-server

The following configuration provides the scope for the clients. We only define a scope for the client side, which uses a network chosen for example purposes.

$ grep ^[^#] /etc/dhcp/dhcpd.conf
ddns-update-style none;
default-lease-time 600;
max-lease-time 7200;
log-facility local7;
subnet netmask {
  option domain-name-servers;
  option domain-name "";
  option routers;
  option broadcast-address;
  default-lease-time 600;
  max-lease-time 7200;
}

Secondly, the guests are going to need name resolution; rather than have their queries pass through the network, let's set up a simple resolver for them using BIND:

$ sudo apt-get install bind9

Set up some forwarders and the interface we want to listen on; for example's sake, the same subnet servicing the clients:

$ grep ^[^#] /etc/bind/named.conf.options
options {
        directory "/var/cache/bind";
        version "tbd";
        forwarders {;; };
        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { none; };
        listen-on {;; };
};

Some of the fun scripts require an HTTP service to serve up flipped images and all sorts of other goodness, so Apache and ImageMagick are needed:

$ sudo apt-get install apache2
$ sudo apt-get -y install imagemagick

The last service is the Squid caching proxy. Version 3 was installed from the repositories:

$ sudo apt-get install squid3

Edit the Squid configuration. This is a default configuration, but the acl for the clients has been enabled along with interception mode (read: transparent), and finally the script is called via url_rewrite_program:

$ grep ^[^#] /etc/squid3/squid.conf
acl manager proto cache_object
acl localhost src ::1
acl to_localhost dst ::1
acl localnet src # RFC1918 possible internal network
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access allow localhost
http_access deny all
http_port 3128 intercept
hierarchy_stoplist cgi-bin ?
coredump_dir /var/spool/squid3
url_rewrite_program /home/us3r/squidScripts/
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320
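Squid hands every request to the url_rewrite_program helper as one line on stdin and reads one answer line back, so the helper decides whether a request is fetched unchanged or from a different URL. The Python 3 helper below is an added example, not one of the scripts from the repository the post links to; it shows the classic Squid 3 helper line protocol (a rewritten URL, or an empty line for "no change") with a rewrite that sends image fetches to a hypothetical local Apache host (LOCAL_IMAGE_HOST and the /images/ path are assumptions) where a server-side script would produce the altered copy.

```python
#!/usr/bin/env python3
"""Minimal Squid 3 url_rewrite_program helper (added example, not the post's script).

Squid writes one request per line on stdin:
    URL client_ip/fqdn ident method [urlgroup] key=value ...
and expects exactly one answer line per request: the rewritten URL, or an
empty line to leave the request untouched (classic Squid 3 answer format).
"""
import sys
from urllib.parse import urlsplit

# Hypothetical local Apache host that serves the altered images (assumption).
LOCAL_IMAGE_HOST = "http://proxy.lan.example"
IMAGE_SUFFIXES = (".jpg", ".jpeg", ".png", ".gif")


def parse_request(line):
    """Split one helper input line into its fields; None if malformed."""
    fields = line.strip().split()
    if len(fields) < 4:
        return None
    url, client, ident, method = fields[:4]
    client_ip = client.split("/", 1)[0]  # field is "ip/fqdn" or "ip/-"
    return {"url": url, "client_ip": client_ip, "ident": ident, "method": method}


def rewrite(line):
    """Return the helper's answer for one input line ('' means no change)."""
    req = parse_request(line)
    if req is None or req["method"] != "GET":
        return ""
    parts = urlsplit(req["url"])
    if parts.scheme != "http" or not parts.path.lower().endswith(IMAGE_SUFFIXES):
        return ""
    # Redirect the image fetch to the local web server, keeping host and path
    # so the server-side script knows which original image to fetch and flip.
    return "%s/images/%s%s" % (LOCAL_IMAGE_HOST, parts.netloc, parts.path)


def main():
    # Squid blocks until it gets an answer for each line, so flush every time.
    for line in sys.stdin:
        sys.stdout.write(rewrite(line) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

Point url_rewrite_program at this file; if the flush is dropped, Squid waits on the helper and the proxy stalls.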

Execute the following to provide some protection from the subnet being advertised and, furthermore, to force all web requests through the Squid cache. The rule-set is by no means perfect or definitive; feel free to tailor it to your needs and provide feedback.

$ grep ^[^#] fw-script
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X
iptables --policy INPUT DROP
iptables --policy OUTPUT DROP
iptables --policy FORWARD DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -i eth2 -p tcp --dport 3128 -j ACCEPT
iptables -A INPUT -i eth2 -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -i eth2 -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -i eth2 -p udp --dport 53 -j ACCEPT
iptables -A INPUT -i eth2 -p udp --dport 67 -j ACCEPT
iptables -A OUTPUT -o eth2 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth1 -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i eth1 -p tcp --dport 8000 -j ACCEPT
iptables -A INPUT -i eth1 -p udp --dport 68 -j ACCEPT
iptables -A INPUT -i eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o eth1 -p tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -o eth1 -p udp --dport 67 -j ACCEPT
iptables -A OUTPUT -o eth1 -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -o eth1 -p udp --dport 443 -j ACCEPT
iptables -A OUTPUT -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -j LOG --log-prefix "iptables denied: " --log-level 7
iptables -A OUTPUT -j LOG --log-prefix "iptables denied: " --log-level 7
iptables -t nat -A PREROUTING -i eth2 -p tcp --dport 80 -j DNAT --to-destination
iptables -t nat -A POSTROUTING -o eth2 -s -d -j SNAT --to
iptables -t nat -A PREROUTING -i eth2 -p tcp --dport 80 -j REDIRECT --to-port 3128
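The two LOG rules tag packets with the prefix "iptables denied: " and send them to the kernel log. As an added check that is not part of the original post, this Python 3 snippet parses such lines (the sample lines are constructed; real ones come from /var/log/kern.log or dmesg) and tallies them per chain, interface, protocol, destination port and source, so you can confirm the rule-set is dropping what you expect before handing the box to guests.

```python
import re
from collections import Counter

LOG_PREFIX = "iptables denied: "
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")

# Constructed sample lines in the kernel netfilter LOG format (assumption:
# syslog-style framing as written to /var/log/kern.log on Debian).
SAMPLE_LOG = """\
Apr  5 12:00:01 proxy kernel: [ 101.2] iptables denied: IN=eth2 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.50.20 DST=192.168.50.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Apr  5 12:00:02 proxy kernel: [ 102.3] iptables denied: IN=eth2 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.50.20 DST=192.168.50.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=51235 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Apr  5 12:00:03 proxy kernel: [ 103.4] iptables denied: IN=eth2 OUT= MAC=01:00:5e:00:00:fb:66:77:88:99:aa:bb:08:00 SRC=192.168.50.21 DST=224.0.0.251 LEN=78 TOS=0x00 PREC=0x00 TTL=255 ID=3 PROTO=UDP SPT=5353 DPT=5353 LEN=58
Apr  5 12:00:04 proxy kernel: [ 104.5] iptables denied: IN= OUT=eth1 SRC=10.0.0.2 DST=10.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4 DF PROTO=TCP SPT=40000 DPT=25 WINDOW=29200 RES=0x00 SYN URGP=0
Apr  5 12:00:05 proxy sshd[123]: Accepted publickey for us3r from 10.0.0.5
"""


def parse_denied(line):
    """Return the KEY=VALUE fields of one 'iptables denied' line, else None."""
    idx = line.find(LOG_PREFIX)
    if idx < 0:
        return None
    return dict(FIELD_RE.findall(line[idx + len(LOG_PREFIX):]))


def summarize(lines):
    """Count logged packets by (chain, interface, protocol, dport, src).

    A packet with IN set was seen by the INPUT chain's LOG rule, one with
    OUT set by the OUTPUT chain's rule, matching the two rules in fw-script.
    """
    counts = Counter()
    for line in lines:
        fields = parse_denied(line)
        if not fields:
            continue
        chain = "INPUT" if fields.get("IN") else "OUTPUT"
        iface = fields.get("IN") or fields.get("OUT", "?")
        key = (chain, iface, fields.get("PROTO", "?"),
               fields.get("DPT", "-"), fields.get("SRC", "?"))
        counts[key] += 1
    return counts


if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE_LOG.splitlines()).items()):
        print("%-6s %-5s %-4s dport=%-5s src=%-15s %d" % (key + (n,)))
```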

You can pull down a script from the Google Code repository mentioned above, which you have referenced in the Squid configuration. There are variables at the top of the scripts you downloaded earlier that need to be updated to reflect your system. A few Perl module prerequisites are also listed at the top of the scripts; open CPAN and install them:

$ sudo perl -MCPAN -e shell

After the required Perl modules are installed, you should be able to place a client on the guest network and it will retrieve sites, although it will not take long for the user to notice that in this case all of the images are inverted. Do not forget to check out the other scripts.


Lots of fun! If I missed something or you have some feedback, use the comment form below.
