IPFW: How to route traffic through a transparent proxy?

I am building a router and I want to redirect all traffic via a transparent proxy at 127.0.0.1:9040.

Traffic via the Internet and LAN is redirected correctly, but I can't force the connections through this proxy using IPFW NAT. (The proxy was checked using Firefox.)

This is my config:

1. ifconfig, wlan0 = Internet interface, ue0 = LAN interface.

Code:
root@komputer:/home/komputer # ifconfig -a
em0: flags=8c02<BROADCAST,OACTIVE,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=4219b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4,WOL_MAGIC,VLAN_HWTSO>
        ether e4:11:5b:27:2b:fd
        hwaddr e4:11:5b:27:2b:fd
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
        media: Ethernet autoselect
        status: no carrier
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
        inet 127.0.0.1 netmask 0xff000000
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        groups: lo
wlan0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 24:77:03:22:26:0c
        hwaddr 24:77:03:22:26:0c
        inet 192.168.43.112 netmask 0xffffff00 broadcast 192.168.43.255
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
        media: IEEE 802.11 Wireless Ethernet MCS mode 11ng
        status: associated
        ssid internet channel 6 (2437 MHz 11g ht/20) bssid 64:db:43:49:78:81
        regdomain FCC country US authmode WPA2/802.11i privacy ON
        deftxkey UNDEF AES-CCM 2:128-bit txpower 30 bmiss 10 scanvalid 60
        protmode CTS ampdulimit 64k -amsdutx amsdurx shortgi -stbc wme
        roaming MANUAL
        groups: wlan
ue0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 00:e0:4c:53:44:58
        hwaddr 00:e0:4c:53:44:58
        inet 10.1.1.1 netmask 0xffffff00 broadcast 10.1.1.255
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>

2. /etc/rc.conf

Code:
#ROUTER
ifconfig_ue0="inet 10.1.1.1 netmask 255.255.255.0"
wlans_iwn0="wlan0"
ifconfig_wlan0="WPA DHCP"
dnsmasq_enable="YES"
gateway_enable="YES"
ipdivert_load="YES"

natd_enable="YES"
natd_flags="-f /etc/natd.conf"

dhcpd_enable="YES"
dhcpd_ifaces="ue0"
dhcpd_conf="/usr/local/etc/dhcpd.conf"

3. /etc/natd.conf
Code:
interface wlan0

4. /etc/ipfw/ipfw.rules
Code:
ipfw -q -f flush

ipfw -q add divert natd log all from any to any via lo0
ipfw -q add divert natd log all from any to any via ue0
ipfw -q add divert natd log all from any to any via wlan0

ipfw -q add allow all from any to any

I tried adding -proxy_only and -proxy_rule 127.0.0.1:9040 to /etc/natd.conf, following natd(8) https://www.freebsd.org/cgi/man.cgi?natd, but then the connection broke. I suspect there should be two instances in /etc/natd.conf, one for wlan0 (global network) and a second for ue0 (LAN), and on ue0 the -proxy_only and -proxy_rule 127.0.0.1:9040 options should be used. Like this:
Code:
log
deny_incoming
verbose

instance default
interface sis0
port    1000
redirect_port tcp 10.0.0.2:122 122

instance sis2
interface sis2
port    2000
redirect_port tcp 10.0.0.2:122 122

globalport 3000
But despite my attempts I can't configure it correctly. In the end it does not have to be IPFW and natd; it may be any firewall or whatever other software. Anyone?

IPFW logs: (connection to google.com)
https://pastebin.com/7H29qrx6

edit: ifconfig from the LAN.
Code:
mint mint # ifconfig -a
enp8s0    Link encap:Ethernet  HWaddr 00:19:99:7c:f2:77 
          inet addr:10.1.1.145  Bcast:10.1.1.255  Mask:255.255.255.0
          inet6 addr: fe80::7c57:2d39:28a3:ee24/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:12090 errors:0 dropped:0 overruns:0 frame:0
          TX packets:11211 errors:0 dropped:0 overruns:0 carrier:0
          collisions:13 txqueuelen:1000
          RX bytes:9241335 (9.2 MB)  TX bytes:1140643 (1.1 MB)

lo        Link encap:Local Loopback 
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:51142 errors:0 dropped:0 overruns:0 frame:0
          TX packets:51142 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:3572290 (3.5 MB)  TX bytes:3572290 (3.5 MB)
 
I'm sorry, but you're making a real mess of things. I see squid, tor, privoxy and an external proxy?

What exactly are you trying to accomplish? I suggest removing everything proxy related and start fresh. Take it one step at a time, don't try to string together multiple, different, proxies at once.
 
What exactly are you trying to accomplish?

I want to hide the whole LAN network behind TOR (or a modest few instances of TOR), but I'm stuck at redirecting traffic through the transparent proxy. Now I have a few options:

1. Translate SOCKS5 to HTTP using Squid (but it does not want to start), and redirect to it using some firewall.
2. Using TOR and:
Code:
TransPort [address:]port|auto [isolation flags]
    Open this port to listen for transparent proxy connections. Set
    this to 0 if you don't want to allow transparent proxy connections.
    Set the port to "auto" to have Tor pick a port for you. This
    directive can be specified multiple times to bind to multiple
    addresses/ports. See SOCKSPort for an explanation of isolation
    flags.

    TransPort requires OS support for transparent proxies, such as
    BSDs' pf or Linux's IPTables. If you're planning to use Tor as a
    transparent proxy for a network, you'll want to examine and change
    VirtualAddrNetwork from the default setting. (Default: 0)

But that requires pf, and I can't get into pf, especially NAT in pf.

==================================================
Sorry, but I accidentally deleted this...

At this moment, for testing, I use a proxy from http://www.gatherproxy.com/proxylist/anonymity/?t=Transparent. The external server does not matter, right?

But natd(8) has:

Code:
-proxy_only
    Force natd to perform transparent proxying only. Normal
    address translation is not performed.

-proxy_rule [type encode_ip_hdr | encode_tcp_stream] port xxxx server a.b.c.d:yyyy
    Enable transparent proxying. Outgoing TCP packets with the
    given port going through this host to any other host are
    redirected to the given server and port. Optionally, the
    original target address can be encoded into the packet. Use
    encode_ip_hdr to put this information into the IP option
    field or encode_tcp_stream to inject the data into the
    beginning of the TCP stream.

And this is Squid... It hangs at /usr/local/etc/rc.d/squid: DEBUG: run_rc_command: start_postcmd: squid_getpid regardless of configuration: https://pastebin.com/5rw2R2Rd
Code:
root@komputer:/home/komputer # service squid onestart
/usr/local/etc/rc.d/squid: DEBUG: pid file (/var/run/squid/squid.pid): not readable.
/usr/local/etc/rc.d/squid: DEBUG: checkyesno: squid_enable is set to YES.
/usr/local/etc/rc.d/squid: DEBUG: run_rc_command: start_precmd: squid_prestart
Starting squid.
/usr/local/etc/rc.d/squid: DEBUG: run_rc_command: doit: cd /var/squid &&  limits -C daemon su -m squid -c 'sh -c "/usr/local/sbin/squid  -f /usr/local/etc/squid/squid.conf "'
2018/05/29 14:23:45| WARNING: Could not determine this machines public hostname. Please configure one or set 'visible_hostname'.
2018/05/29 14:23:45| WARNING: Could not determine this machines public hostname. Please configure one or set 'visible_hostname'.
2018/05/29 14:23:45| WARNING: Could not determine this machines public hostname. Please configure one or set 'visible_hostname'.
/usr/local/etc/rc.d/squid: DEBUG: run_rc_command: start_postcmd: squid_getpid

rest of config:
/etc/rc.conf
Code:
tor_enable="YES"
tor_instances="2 3 4"

privoxy_enable="YES"
squid_enable="YES"

/usr/local/etc/privoxy/config
Code:
listen-address 127.0.0.1:20001
forward-socks5t / 127.0.0.1:10001 .

/etc/hosts
Code:
::1                     localhost localhost.my.domain
127.0.0.1               localhost localhost.my.domain

/usr/local/etc/squid/squid.conf
Code:
cache deny all
http_access allow all
http_port 3128
server_persistent_connections off
cache_peer localhost parent 20001 0 round-robin
#cache_peer localhost_2 parent 20002 0 round-robin no-query
#cache_peer localhost_3 parent 20003 0 round-robin
#cache_peer localhost_4 parent 20004 0 round-robin no-query
#cache_peer localhost_5 parent 20005 0 round-robin
#cache_peer localhost_6 parent 20006 0 round-robin
#cache_peer localhost_7 parent 20007 0 round-robin
#cache_peer localhost_8 parent 20008 0 round-robin
never_direct allow all

But it is stuck.
====================
 
I want to hide all LAN network under TOR (or modest few instances of TOR) but I'm stuck at redirect traffic under transparent proxy.
Ok, clear. Forget about transparency for now. Forget about all the other proxies too. Focus on TOR and www/privoxy. Get that functional first.
 
Ok. TOR is enabled at 127.0.0.1:10001 and translated using privoxy at 127.0.0.1:20001.

/usr/local/etc/tor/torrc
Code:
SOCKSPort 127.0.0.1:10001

Code:
root@komputer: # service tor status
tor instance: /usr/local/etc/rc.d/tor: DEBUG: checkyesno: tor_enable is set to YES.
tor is running as pid 7956.

/usr/local/etc/privoxy/config
Code:
listen-address 127.0.0.1:20001
forward-socks5t / 127.0.0.1:10001 .

Code:
root@komputer: # service privoxy status
/usr/local/etc/rc.d/privoxy: DEBUG: checkyesno: privoxy_enable is set to YES.
privoxy is running as pid 7615.

At the browser:
privoxy.png

What next?
 
Not so easy.

I set it into:
/etc/natd.conf
Code:
interface wlan0
proxy_only
proxy_rule 127.0.0.1:20001

But in the LAN network there is no connection.

I ran TOR as transparent:

May 29 17:19:59.318 [notice] Opening Transparent pf/netfilter listener on 127.0.0.1:9040

The same.
 
It's the wrong way around: clients connect to privoxy and privoxy connects to TOR. So you want to configure privoxy to intercept traffic (this is not transparency!). You do not need to change the configuration of TOR. It's only NAT and privoxy that need to be configured. All TOR needs to do is to accept the requests from privoxy (which you've already set up).
 
SOLVED!!!!1111oneone! :D

In /usr/local/etc/tor/torrc

Code:
SOCKSPort 127.0.0.1:10001
TransPort 9040
DNSPort 9053

Then:

Code:
# chgrp _tor /dev/pf
# chmod g+rw /dev/pf

In /etc/pf.conf

Code:
ext_if="wlan0"
int_if="ue0"

rdr pass on $int_if proto tcp from any to any port 80 -> 127.0.0.1 port 9040
rdr pass on $int_if proto tcp from any to any port 443 -> 127.0.0.1 port 9040

#DNS
rdr pass on $int_if proto tcp from any to any port 53 -> 127.0.0.1 port 9053
rdr pass on $int_if proto udp from any to any port 53 -> 127.0.0.1 port 9053

In /etc/rc.conf

Code:
pf_enable="YES"
pf_rules="/etc/pf.conf"
pflog_enable="YES"
pflog_logfile=/var/log/pflog

tor_enable="YES"

then:

Code:
# service tor start
# service pf start

For the Squid port it is "request too long" (https://forums.freebsd.org/threads/squid-redirect-and-your-connection-is-not-secure.62656/), but TOR is working correctly. On IPFW it is probably needed to add the internal interface like this:

Code:
ipfw add 100 fwd SQUIDIP,3128 tcp from any to any 80 recv IFACE


http://www.visolve.com/uploads/resources/FreeBSD.pdf
https://www.benzedrine.ch/transquid.html
https://gist.github.com/timkofu/7137821
https://www.wykop.pl/wpis/32302805/pokaz-spoiler-mirki-kurla-pomocy-buduje-sobie-rout/

Greetings.
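A fail-closed variant of the pf.conf in the solved post, added here as an example and not part of the thread (it assumes the same interfaces, the 10.1.1.0/24 LAN from the ifconfig output, and TransPort 9040 / DNSPort 9053 in torrc). The posted rules only redirect ports 80, 443 and 53, so a LAN connection to any other port is not redirected to Tor at all; this version redirects every TCP port and drops whatever is not redirected. The chgrp/chmod on /dev/pf from the post is still required, because Tor asks pf for each connection's original destination.

```pf
# Added example (not from the thread): fail-closed version of the pf.conf above.
# Assumes the thread's interfaces (wlan0 upstream, ue0 LAN, LAN 10.1.1.0/24)
# and Tor with "TransPort 9040" and "DNSPort 9053" in torrc.
ext_if="wlan0"
int_if="ue0"
tor_trans="9040"
tor_dns="9053"

# Destinations that must never be sent into Tor: the LAN itself and loopback.
table <no_tor> { 10.1.1.0/24, 127.0.0.0/8 }

set skip on lo0

# Translation rules: the first matching rule wins, so order matters.
# 1. All DNS from the LAN (TCP and UDP, including queries aimed at the router's
#    own resolver) goes to Tor's DNSPort, so no lookup reaches the upstream resolver.
rdr pass on $int_if inet proto { tcp, udp } from $int_if:network to any port domain -> 127.0.0.1 port $tor_dns
# 2. Traffic to local networks is left alone.
no rdr on $int_if inet from $int_if:network to <no_tor>
# 3. Every other TCP connection from the LAN, whatever the port, goes to TransPort.
rdr pass on $int_if inet proto tcp from $int_if:network to any -> 127.0.0.1 port $tor_trans

# Filter rules: "rdr pass" above already passed the redirected packets without
# consulting these rules, so anything that reaches here from the LAN was NOT
# redirected (UDP other than DNS, ICMP, IPv6, ...). Drop and log it.
block in log on $int_if
# The router's own DHCP server still has to hear the clients.
pass in on $int_if inet proto udp from any to any port bootps

# Deliberately no "nat on $ext_if" rule: LAN packets must never leave directly.
# Only the router itself (i.e. Tor's own circuits) talks to the Internet.
pass out on $ext_if inet from ($ext_if) to any
```

Blocked packets show up in pflog (the post already enables pflog_enable), which is the quickest way to see what a client is trying to send outside Tor. Services on the router itself that the LAN should reach need their own explicit pass in rule, since the block rule now catches them.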
 