Solved

Building a transparent proxy (if that is what I need)

Posted on 2006-07-17
Last Modified: 2013-11-13
Hi.

I am building an internet gateway.  The device is a WinXPPro box with two ethernet interfaces (LAN and WAN).  I need to be able to intercept all web requests (HTTP + HTTPS) regardless of the port, and process the request.

For example, if a user on the LAN interface opens up a browser and tries to go to google.com, then I want to redirect them to the local web server where they receive a login page instead.  Once the user successfully logs in, then I want to redirect them back to their requested page.

I assume that I need to create a proxy of some kind in order to be able to intercept the traffic?  It would have to be transparent to the user as this device is for a public access location (wifi hotspot, internet cafe), so I cannot set a proxy address in the browser.  

I guess I am looking for a C++ DLL component to allow me to do this from VB.  I am a VB/ASP/SQL developer but I realise that in order to handle 100s (max of about 2000) concurrent user requests, then something a little more thread-friendly like C++ must be used.  I do not have the time to improve my scarce C knowledge to build this in C.

Please let me know if I am on the right track, or if there is a better way to do this.  The rest of the TCPIP access is controlled by a firewall, for which my application creates rules for the user, on the fly when they successfully log in, and then deletes the rule when they log off or their time expires.

Thanks, TheFoot
Question by:Barry Jones
LVL 9

Expert Comment

by:justchat_1
ID: 17127233
You probably want to have a winsock control listening on port 80 of the LAN network and then another winsock retransmit data on the WAN network... But that's only for internet data - should this gateway also prevent access to services like games, AOL, MSN, email access... etc.?

Also, if you actually want to filter requests a better idea might be to only filter DNS queries and redirect them to your login server...

The only other suggestion I can think of is actual packet sniffing and manipulation (http://winpcap.org)
LVL 9

Expert Comment

by:justchat_1
ID: 17127239
There are many free programs that do what you are asking... are you sure you want to code it yourself?
LVL 12

Author Comment

by:Barry Jones
ID: 17130912
Justchat_1,

Thanks for your comments.  If there are free programs, please let me know - great if I don't have to code anything.  Even better if there are components that I can build a wrapper around.  I just don't know what exactly it is that I need..

Filtering only internet data is fine - a firewall blocks the rest and my app will create rules for other ports/apps when the user successfully logs in via my redirect page.

My main concern with using a winsock control from VB is that I do not know how to filter for HTTP traffic, rather than via a specific port.  For example, many users' webmail is on a non-standard port such as 8080 or 2020.  I need to be able to monitor all ports, but for specifically HTTP traffic.  Also, if the gateway has to process a 1000 concurrent users, then can VB handle this OK?  I'm not so sure.. re threading etc.

Please tell me how I filter DNS - that sounds interesting...

Thanks, TheFoot
LVL 9

Expert Comment

by:justchat_1
ID: 17132764
It all depends: 1000 users checking email - probably
1000 users logging in at once - probably not
1000 users playing games or downloading files - no program code, you need load balancing

Here are some programs you might consider:
http://www.snapfiles.com/Freeware/network/fwproxy.html
LVL 9

Expert Comment

by:justchat_1
ID: 17132773
* 1000 users playing games or downloading files - no program code could... you need server load balancing
LVL 12

Author Comment

by:Barry Jones
ID: 17133519
Thanks for your answer.  OK, ideally I would like to cope with 1000s of users, but for now I have only small clients that will probably have 10s of users at a time.

I initially thought that 1000s of users would be possible on one box because it should just be a case of handling authentication, but on thinking about it, all communications will probably have to be monitored to at least check that they have previously authenticated.

I cannot find a proxy server that doesn't require the user to change the browser settings.  Isn't that what a "transparent proxy" does?  I can't seem to find one from your link or otherwise...

Let's say then that I code a winsock component in VB.  Do I have to create a socket for each port, to ensure that all HTTP traffic is intercepted?  How does the DNS filtering work that you mentioned?

Thanks, TheFoot
LVL 9

Expert Comment

by:justchat_1
ID: 17134239
To monitor all ports you're dealing with packet sniffing, which is definitely on the limits of what VB can do.... You probably want to look at WinPcap, specifically packet injection.

But DNS should save you from all that:
As far as the DNS that I was talking about - allow all ports (except 53) to flow through the router to the internet but forward all packets on port 53 to the authentication server.  Now your server can check if they are coming from an authenticated user or not.  If they are then you pass the DNS request to your ISP's DNS server, but if they are not you return a response directing the request to your LAN's login server.
LVL 12

Author Comment

by:Barry Jones
ID: 17134398
OK - DNS...

So I use WinSock to capture port 53 and process these requests?  Do you have any reference on the structure of DNS packets, and how I go about retrieving information from them?

thanks, TheFoot
LVL 9

Expert Comment

by:justchat_1
ID: 17134472
http://www.netfor2.com/dns.htm
-or-
http://www.rhyshaden.com/dns.htm
-or-
http://www.windowsnetworking.com/articles_tutorials/Understanding-DNS-Protocol-Part1.html

Also, free software that does this:
http://www.softpedia.com/get/Internet/Other-Internet-Related/DNS-Redirector.shtml

Exactly... it should be simple - you check if the IP is allowed to access the internet - if it is you don't even worry what the DNS packet says, just pass it along.

If it's not you pass along a preconfigured response (to a lookup request)... instead of trying to figure out what to say, run a DNS lookup of your login server while running a packet sniffer (Ethereal or Packetyzer) and hard code that response in your program.
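The port 53 interception that justchat_1 describes above (pass queries from authenticated clients through to the ISP resolver, answer everyone else with the login server's address), together with the DNS packet layout Barry asked about, as an added Python example. It is not code from this thread and not part of DNS Redirector; the addresses in LOGIN_SERVER_IP and AUTHENTICATED_CLIENTS are constructed placeholders, and the socket handling a real gateway would wrap around handle_query (bind UDP/53 on the LAN side, relay the "forward" case to the upstream resolver) is left out so the packet logic stays self-contained.

```python
import ipaddress
import struct
from typing import Optional, Set, Tuple

# Constructed placeholders (not from the thread): the login server's LAN address
# and the client IPs that have already passed the login page.
LOGIN_SERVER_IP = "192.168.1.1"
AUTHENTICATED_CLIENTS: Set[str] = {"192.168.1.50"}
QTYPE_A, QCLASS_IN = 1, 1


def _read_name(packet: bytes, pos: int, depth: int = 0) -> Tuple[str, int]:
    """Read a DNS name at pos -> (dotted name, offset after it); follows RFC 1035
    compression pointers with a depth guard so a pointer loop cannot recurse forever."""
    if depth > 5:
        raise ValueError("compression pointer loop")
    labels = []
    while True:
        if pos >= len(packet):
            raise ValueError("truncated name")
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0 == 0xC0:  # pointer: two bytes, terminates the name
            if pos >= len(packet):
                raise ValueError("truncated pointer")
            target, _ = _read_name(packet, ((length & 0x3F) << 8) | packet[pos], depth + 1)
            labels.append(target)
            pos += 1
            break
        if pos + length > len(packet):
            raise ValueError("truncated label")
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels), pos


def parse_query(packet: bytes) -> Tuple[int, str, int, int, int]:
    """Return (transaction id, qname, qtype, qclass, offset after the question)."""
    if len(packet) < 12:
        raise ValueError("shorter than a DNS header")
    txid, flags, qdcount = struct.unpack("!HHH", packet[:6])
    if flags & 0x8000:
        raise ValueError("QR bit set: a response, not a query")
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    qname, pos = _read_name(packet, 12)
    if pos + 4 > len(packet):
        raise ValueError("truncated question")
    qtype, qclass = struct.unpack("!HH", packet[pos:pos + 4])
    return txid, qname, qtype, qclass, pos + 4


def build_query(txid: int, name: str, qtype: int = QTYPE_A) -> bytes:
    """Encode a standard recursive query as a client resolver would (used for sample input)."""
    labels = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in name.strip(".").split("."))
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + labels + b"\x00" + struct.pack("!HH", qtype, QCLASS_IN)


def build_redirect_response(query: bytes, login_ip: str) -> bytes:
    """Answer an A query with the login server's address and TTL 0; other types
    (e.g. AAAA) get an empty NOERROR reply so the client falls back to the A record."""
    txid, _, qtype, qclass, qend = parse_query(query)
    answer, ancount = b"", 0
    if qtype == QTYPE_A and qclass == QCLASS_IN:
        answer = (b"\xC0\x0C"  # pointer to the question name at offset 12
                  + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 0, 4)
                  + ipaddress.IPv4Address(login_ip).packed)
        ancount = 1
    # flags 0x8180: response, recursion desired and available, RCODE 0
    return struct.pack("!HHHHHH", txid, 0x8180, 1, ancount, 0, 0) + query[12:qend] + answer


def handle_query(client_ip: str, packet: bytes) -> Tuple[str, bytes]:
    """Gateway decision for one packet received on UDP/53: ("forward", query) to relay
    unchanged to the ISP resolver, or ("redirect", response) to send straight back."""
    if client_ip in AUTHENTICATED_CLIENTS:
        return "forward", packet
    return "redirect", build_redirect_response(packet, LOGIN_SERVER_IP)


def first_a_record(response: bytes) -> Optional[str]:
    """Decode the first IN A record in a response, i.e. the address the client will use."""
    _, _, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", response[:12])
    pos = 12
    for _ in range(qdcount):
        _, pos = _read_name(response, pos)
        pos += 4
    for _ in range(ancount):
        _, pos = _read_name(response, pos)
        rtype, rclass, _, rdlen = struct.unpack("!HHIH", response[pos:pos + 10])
        pos += 10
        if rtype == QTYPE_A and rclass == QCLASS_IN and rdlen == 4:
            return str(ipaddress.IPv4Address(response[pos:pos + 4]))
        pos += rdlen
    return None
```

The redirect answer carries TTL 0 so a client does not keep the login server's address cached after it has logged in and its IP has been added to the authenticated set. Two limits worth keeping in mind with this approach: a client that already has a name cached, uses a resolver on a port other than 53, or connects to a hard-coded IP never sends the query, which is why the per-IP firewall rules Barry already creates on login remain the real access control; and HTTPS requests redirected this way will show a certificate error, because the login server cannot present a certificate for the name the user typed.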
LVL 12

Author Comment

by:Barry Jones
ID: 17142262
OK, I have installed DNS Redirector - works great - thanks!  All clients now get redirected to my ASP page.

I still have to work out how my web app then redirects to the appropriate URL.  I will examine the ASP request object and see what that holds, hopefully the originally requested URL.

Q.  What about other types of traffic?  Take MSN for example.  It will make a DNS request and then get forwarded to the web server.  I am assuming that the protocol used is not HTTP so what would my web server do with it?

Still some loose ends to tie up here, but thanks for your help getting me this far justchat_1...

I'm happy to give you the points, but for now I would like to keep the question open so that it will contain the final solution.

TheFoot
LVL 9

Expert Comment

by:justchat_1
ID: 17143299
Yes, it uses MSNP - a unique protocol that I have done a lot of work with in the past:

But the protocol doesn't matter - it needs to connect to the MSN login server first - and in order to do that... it needs to send a DNS request to find the server's IP.

All other programs have the same issue - they rely on a DNS lookup because IPs can change.
LVL 12

Author Comment

by:Barry Jones
ID: 17147344
OK - so that's good - it means that my app doesn't have to integrate so much with the firewall, as complete TCP and UDP access can be enabled or disabled with the DNS, yes?

I am not so sure how I handle the DNS side of things from my ASP app though - I will start looking into this later.  If you have any pointers at all or can point me to some good ASP/VB/IIS docs that help me to understand it...

Thanks, TheFoot
LVL 9

Accepted Solution

by:justchat_1 (earned 500 total points)
ID: 17147959
I'm not really an ASP person but I do know you can enable TCP and UDP to freely flow through your router as long as port 53 is forwarded to the gateway...

Take a look at this to answer your questions:
http://www.dnsredirector.com/readme/

It includes a link to a demo welcome page that you should be able to figure out.
LVL 12

Author Comment

by:Barry Jones
ID: 17149039
OK - sorry, I had the readme file, but didn't get as far as the demo pages.. :)  Thanks..
LVL 9

Expert Comment

by:justchat_1
ID: 17291705
As stated above I got the points but was leaving the question open:
"I'm happy to give you the points, but for now I would like to keep the question open so that it will contain the final solution."
LVL 12

Author Comment

by:Barry Jones
ID: 17318631
OK ok..  I will give the points to justchat_1.

Basically the DNSRedirector software is what I need to redirect all gateway traffic.  Although this project has been delayed and is not completed, I am pretty certain that I can do what I need to with this software.  I may add programmatic firewall control for extra security using Tiny's Personal Firewall.

Thanks justchat_1 for your help..

TheFoot
LVL 9

Expert Comment

by:justchat_1
ID: 17354473
Thanks for the points... and if you need more help with this issue, feel free to post.