Barry Jones

asked on

Building a transparent proxy (if that is what I need)

Hi.

I am building an internet gateway.  The device is a WinXPPro box with two ethernet interfaces (LAN and WAN).  I need to be able to intercept all web requests (HTTP + HTTPS) regardless of the port, and process the request.

For example, if a user on the LAN interface opens up a browser and tries to go to google.com, then I want to redirect them to the local web server where they receive a login page instead.  Once the user successfully logs in, then I want to redirect them back to their requested page.

I assume that I need to create a proxy of some kind in order to be able to intercept the traffic?  It would have to be transparent to the user as this device is for a public access location (wifi hotspot, internet cafe), so I cannot set a proxy address in the browser.  

I guess I am looking for a C++ DLL component to allow me to do this from VB.  I am a VB/ASP/SQL developer but I realise that in order to handle 100s (max of about 2000) concurrent user requests, then something a little more thread-friendly like C++ must be used.  I have not the time to improve my scarce C knowledge to build this in C.

Please let me know if I am on the right track, or if there is a better way to do this.  The rest of the TCPIP access is controlled by a firewall, for which my application creates rules for the user, on the fly when they successfully log in, and then deletes the rule when they log off or their time expires.

Thanks, TheFoot
justchat_1

You probably want to have a winsock control listening on port 80 of the LAN network and then another winsock retransmit data on the WAN network... But that's only for internet data - should this gateway also prevent access to services like games, AOL, MSN, email access...etc.?

Also, if you actually want to filter requests a better idea might be to only filter DNS queries and redirect them to your login server...

The only other suggestion I can think of is actual packet sniffing and manipulation (http://winpcap.org)
There are many free programs that do what you are asking...are you sure you want to code it yourself?
ASKER

Justchat_1,

Thanks for your comments.  If there are free programs, please let me know - great if I don't have to code anything.  Even better if there are components that I can build a wrapper around.  I just don't know what exactly it is that I need.

Filtering only internet data is fine - a firewall blocks the rest and my app will create rules for other ports/apps when the user successfully logs in via my redirect page.

My main concern with using a winsock control from VB is that I do not know how to filter for HTTP traffic, rather than via a specific port.  For example, many users' webmail is on a non-standard port such as 8080 or 2020.  I need to be able to monitor all ports, but for specifically HTTP traffic.  Also, if the gateway has to process a 1000 concurrent users, then can VB handle this OK?  I'm not so sure, re threading etc.

Please tell me how I filter DNS - that sounds interesting...

Thanks, TheFoot
It all depends, 1000 users checking email-probably
1000 users logging in at once-probably not
1000 users playing games or downloading files-no program code you need load balancing

Here's some programs you might consider:
http://www.snapfiles.com/Freeware/network/fwproxy.html
* 1000 users playing games or downloading files-no program code could...you need server load balancing
Thanks for your answer.  OK, ideally I would like to cope with 1000s of users, but for now I have only small clients that will probably have 10s of users at a time.

I initially thought that 1000s of users would be possible on one box because it should just be a case of handling authentication, but on thinking about it, all communications will probably have to be monitored to at least check that they have previously authenticated.

I cannot find a proxy server that doesn't require the user to change the browser settings.  Isn't that what a "transparent proxy" does?  I can't seem to find one from your link or otherwise...

Let's say then that I code a winsock component in VB.  Do I have to create a socket for each port, to ensure that all HTTP traffic is intercepted?  How does the DNS filtering work that you mentioned?

Thanks, TheFoot
To monitor all ports you're dealing with packet sniffing which is definitely on the limits of what VB can do....you probably want to look at winpcap, specifically packet injection.

But DNS should save you from all that:
As far as the DNS that I was talking about - allow all ports (except 53) to flow through the router to the internet but forward all packets on port 53 to the authentication server.  Now your server can check if they are coming from an authenticated user or not.  If they are then you pass the DNS request to your ISP's DNS server but if they are not you return a response directing the request to your LAN's login server.
OK - DNS...

So I use WinSock to capture port 53 and process these requests?  Do you have any reference on the structure of DNS packets, and how I go about retrieving information from them?

Thanks, TheFoot
http://www.netfor2.com/dns.htm
-or-
http://www.rhyshaden.com/dns.htm
-or-
http://www.windowsnetworking.com/articles_tutorials/Understanding-DNS-Protocol-Part1.html

Also, free software that does this:
http://www.softpedia.com/get/Internet/Other-Internet-Related/DNS-Redirector.shtml

Exactly...it should be simple - you check if the IP is allowed to access the internet - if it is you don't even worry what the DNS packet says, just pass it along.

If it's not you pass along a preconfigured response (to a lookup request)...instead of trying to figure out what to say, run a DNS lookup of your login server while running a packet sniffer (Ethereal or Packetyzer) and hard code that response in your program.
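The DNS-based portal logic justchat_1 describes (look at the client's source IP, pass authenticated clients' queries upstream unchanged, answer everyone else with the login server's address) as an added Python example; this is not code from the thread or from DNS Redirector, and the login server address, the authenticated-client set, the TTL and the fixed-reply policy are assumptions made for the example.

```python
import socket
import struct

# Constructed portal policy for this example (not values from the thread).
LOGIN_SERVER_IP = "192.168.1.1"          # hypothetical LAN login server
AUTHENTICATED_CLIENTS = {"192.168.1.50"}  # hypothetical already-logged-in client
REDIRECT_TTL = 1  # seconds; kept tiny so the browser re-resolves right after login

def parse_qname(packet, offset):
    """Decode an RFC 1035 label sequence at offset; return (dotted name, offset past it)."""
    labels = []
    while True:
        length = packet[offset]
        offset += 1
        if length == 0:
            return ".".join(labels), offset
        if length & 0xC0:  # compression pointers are not valid in a question name
            raise ValueError("compression pointer in question section")
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length

def parse_query(packet):
    """Return (txid, qname, qtype, offset of end of question) for a one-question query."""
    txid, flags, qdcount = struct.unpack("!HHH", packet[:6])
    if flags & 0x8000 or qdcount != 1:
        raise ValueError("not a single-question query")
    qname, end = parse_qname(packet, 12)
    qtype, _qclass = struct.unpack("!HH", packet[end:end + 4])
    return txid, qname, qtype, end + 4

def build_redirect_response(query, login_ip):
    """Answer an A query with login_ip (any other type gets an empty answer section)."""
    txid, _qname, qtype, qend = parse_query(query)
    answer = b""
    if qtype == 1:  # A record: pointer to the question name, type A, class IN, TTL, 4-byte rdata
        answer = struct.pack("!HHHIH", 0xC00C, 1, 1, REDIRECT_TTL, 4) + socket.inet_aton(login_ip)
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1 if answer else 0, 0, 0)
    return header + query[12:qend] + answer

def handle_query(query, client_ip):
    """Portal decision: None means 'forward upstream unchanged', else the canned reply."""
    if client_ip in AUTHENTICATED_CLIENTS:
        return None
    return build_redirect_response(query, LOGIN_SERVER_IP)

def build_query(txid, name, qtype=1):
    """Constructed sample query so the example runs offline (same wire format a client sends)."""
    labels = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split("."))
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + labels + b"\x00" + struct.pack("!HH", qtype, 1)
```

Two limits worth knowing before relying on this: a client that cached the real address before the portal came up keeps using it until the entry expires, and an HTTPS request for the redirected name will fail certificate validation at the login server, so the portal page is only reached cleanly over plain HTTP.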
OK I have installed DNS Redirector - works great - thanks!  All clients now get redirected to my asp page.

I still have to work out how my web app then redirects to the appropriate URL.  I will examine the ASP request object and see what that holds, hopefully the originally requested URL.

Q.  What about other types of traffic?  Take MSN for example.  It will make a DNS request and then get forwarded to the web server.  I am assuming that the protocol used is not HTTP so what would my web server do with it?

Still some loose ends to tie up here, but thanks for your help getting me this far justchat_1...

I'm happy to give you the points, but for now I would like to keep the question open so that it will contain the final solution.

TheFoot
Yes it uses MSNP - a unique protocol that I have done a lot of work with in the past:

But the protocol doesn't matter - it needs to connect to the MSN login server first - and in order to do that...it needs to send a DNS request to find the server's IP.

All other programs have the same issue - they rely on a DNS lookup because IPs can change.
OK - so that's good - it means that my app doesn't have to integrate so much with the firewall, as complete TCP and UDP access can be enabled or disabled with the DNS, yes?

I am not so sure how I handle the DNS side of things from my ASP app though - I will start looking into this later.  If you have any pointers at all or can point me to some good ASP/VB/IIS docs that help me to understand it...

Thanks, TheFoot
ASKER CERTIFIED SOLUTION
justchat_1
OK - sorry, I had the readme file, but didn't get as far as the demo pages.. :)  Thanks..
As stated above I got the points but was leaving the question open:
"I'm happy to give you the points, but for now I would like to keep the question open so that it will contain the final solution."
OK, ok..  I will give the points to justchat_1.

Basically the DNS Redirector software is what I need to redirect all gateway traffic.  Although this project has been delayed and is not completed, I am pretty certain that I can do what I need to with this software.  I may add programmatic firewall control for extra security using Tiny's Personal Firewall.

Thanks justchat_1 for your help..

TheFoot
thanks for the points...and if you need more help with this issue feel free to post